As Russia's war on Ukraine intensifies, China-aligned threat actor TA416 has been detected ramping up its cyberattack campaign against European diplomats.

Proofpoint cybersecurity researchers have identified ramped-up activity by China-aligned APT (advanced persistent threat) actor TA416, targeting European diplomatic entities as the war between Russia and Ukraine intensifies. TA416 (aka RedDelta) has been targeting Europe for several years, using web bugs to profile target accounts, according to a research report by Proofpoint.

Also known as tracking pixels, web bugs embed a hyperlinked object within the body of an email which, when the message is opened and the object loads, attempts to retrieve a benign image file from the attacker's server. This gives the attacker a "sign of life" confirmation that the target account is valid and that its owner is inclined to open malicious emails with social engineering content.

Most recently, TA416 has begun using the compromised email address of a European NATO country to target a different country's diplomatic offices. Proofpoint did not name the countries.

The attack emails in the current campaign first appeared in early November 2021, from an account impersonating a meetings services assistant at the UN General Assembly Secretariat. The malware campaign targeted European diplomats under the pretense of communications from the UN. The threat actor impersonated the same account back in August 2020 in an attack against government officials in Europe.

Web bug reconnaissance to avoid detection

TA416 uses web bugs to screen targets and then sends them malicious URLs delivering different variants of PlugX, a remote access trojan, whose payloads establish remote access on the victim's computer and can lead to a full takeover of the machine.
“The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs,” a researcher at Proofpoint said in a press statement.

This is done essentially to avoid having their malicious tools discovered and publicly disclosed, according to the report.

TA416 has used SMTP2Go (an email marketing service) to impersonate various European diplomats since 2020. The standard method of attack uses these impersonated accounts to send a cloud hosting service (e.g., Dropbox) URL that delivers a PlugX variant (for example, Trident Loader) to install the remote access malware.

Evolving tactics use phishing techniques

Over time, the technique has evolved to first sending emails containing web bug resources through an actor-controlled IP address, 45.154.14[.]235. This IP address then sends phishing emails attempting to deliver a malicious zip file to targeted entities that have already been screened through the web bug campaigns. The zip file contains the same payload as that served from a Dropbox URL, and is at times sent together with a Dropbox URL hosting the same malicious archive. The file usually has a geopolitically themed title, which is shared with a PDF decoy that is later downloaded as part of the infection chain.

More recently, the zip files, which previously contained a decoy file, a legitimate PE (portable executable) file, a DLL (dynamic-link library) and a PlugX malware variant, have changed to contain just a rudimentary executable that acts as a dropper (PE dropper). This malware then sets up the executable configuration and downloads all four components.
Additionally, TA416 has adopted a faster development cycle for its payloads, regularly changing the principal components of the infection delivery method. Decryption and communication routines within the final payload have also evolved since the beginning of 2022.
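As an added, defender-side example that is not part of Proofpoint's report or this article: a small Python scanner that flags the web bug (tracking pixel) pattern described above in an email's HTML body, using only the standard library. The sample message and the detection heuristics are constructed for illustration, not taken from the campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    """True for width/height values of 0 or 1 (the classic 1x1 pixel)."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1

def find_web_bugs(html_body):
    """Return (remote host, reason) for each <img> that looks like a web bug:
    fetched over http(s) and 1x1 or smaller, hidden by CSS, or carrying a
    per-recipient token in its query string. A plain visible logo is not flagged."""
    collector = _ImgCollector()
    collector.feed(html_body)
    findings = []
    for img in collector.images:
        parsed = urlparse(img.get("src", ""))
        if parsed.scheme not in ("http", "https"):
            continue  # cid:/data: images never contact a remote server
        reasons = []
        if _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", "")):
            reasons.append("1x1 size")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if parsed.query:
            reasons.append("tracking token in query")
        if reasons:
            findings.append((parsed.hostname, ", ".join(reasons)))
    return findings

# Constructed sample body (not from the report): a visible logo, a 1x1 beacon
# with a per-recipient token, an inline cid: attachment, a CSS-hidden image.
SAMPLE_EMAIL = """<html><body>
<img src="https://cdn.example.invalid/logo.png" width="200" height="60">
<img src="https://beacon.example.invalid/open.gif?id=abc123" width="1" height="1">
<img src="cid:agenda-preview">
<img src="https://t.example.invalid/p.png" style="display: none">
</body></html>"""
```

Mail gateways and clients that block remote image loading by default neutralise the "sign of life" signal entirely; this scan is useful for triaging messages where remote content was allowed.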