As Russia's war on Ukraine intensifies, China-aligned threat actor TA416 has been detected ramping up its cyberattack campaign against European diplomats.

Proofpoint cybersecurity researchers have identified ramped-up activity by China-aligned APT (advanced persistent threat) actor TA416, targeting European diplomatic entities as the war between Russia and Ukraine intensifies. TA416 (aka RedDelta) is known to have been targeting Europe for several years, using web bugs to profile target accounts, according to a research report by Proofpoint.

Also known as tracking pixels, web bugs are hyperlinked objects embedded in the body of an email which, when rendered, attempt to retrieve a benign image file from the attacker's server. The fetch provides a "sign of life" confirmation to the threat actor, establishing that the target account is valid and that its owner is inclined to open emails with social-engineering content. Most recently, TA416 has begun using the compromised email address of a European NATO country to target a different country's diplomatic offices. Proofpoint did not name the countries.

The attack emails in the current campaign first originated in early November 2021, from an account impersonating a meetings services assistant at the UN General Assembly Secretariat. The malware campaign was observed targeting European diplomats under the pretense of communications from the UN. The threat actor was found to have impersonated the same account back in August 2020 to carry out an attack against government officials in Europe.

Web bug reconnaissance to avoid detection

TA416 uses web bugs to screen targets and then sends them malicious URLs with different variants of PlugX malware (a remote access trojan), payloads designed to establish remote access on the victim's computer and ultimately full control of it.
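The web bug technique described above can be screened for on the receiving side before a mail client ever renders the image. The following Python script is an added example, not code from the article or from Proofpoint: it parses an email with the standard library, collects remote `<img>` references from HTML parts, and flags those that look like tracking pixels (1x1 dimensions, a per-recipient token in the URL, or a host on a known-bad list). The known-bad list holds the single actor-controlled address the article cites (45.154.14[.]235); the sample message, the `example.invalid` addresses, and the token heuristic are constructed for the example and are assumptions, not indicators from the report.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# The only indicator the article gives, defanged there as 45.154.14[.]235.
KNOWN_BAD_HOSTS = {"45.154.14.235"}


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _is_tiny(attrs):
    """True when width/height describe a 1x1 (or similarly invisible) image."""
    def dim(value):
        try:
            return int(str(value).strip().rstrip("px"))
        except (TypeError, ValueError):
            return None
    w, h = dim(attrs.get("width")), dim(attrs.get("height"))
    return w is not None and h is not None and w <= 2 and h <= 2


def find_web_bugs(raw_message: bytes):
    """Return findings for remote image references in an RFC 5322 message.

    Each finding carries the image URL, its host and the reasons it was flagged.
    Inline (cid:) and data: images are skipped: they cause no outbound fetch.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.images:
            src = attrs.get("src") or ""
            parsed = urlparse(src)
            if parsed.scheme not in ("http", "https"):
                continue
            reasons = []
            if parsed.hostname in KNOWN_BAD_HOSTS:
                reasons.append("known-bad host")
            if _is_tiny(attrs):
                reasons.append("1x1 pixel")
            # Assumed heuristic: a query string or a long opaque path segment is
            # how a sender ties one fetch to one recipient.
            if parsed.query or re.search(r"/[A-Za-z0-9_-]{16,}", parsed.path):
                reasons.append("per-recipient token in URL")
            if reasons:
                findings.append({"url": src, "host": parsed.hostname, "reasons": reasons})
    return findings


# Constructed sample message (not a real phishing email): one inline logo,
# one 1x1 beacon on the known-bad host, one ordinary remote banner.
SAMPLE_EML = b"""From: meetings-assistant@example.invalid
To: mission@example.invalid
Subject: Constructed sample: meeting schedule
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please find the updated schedule attached.
--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find the updated schedule attached.</p>
<img src="cid:logo@example" width="120" height="40">
<img src="http://45.154.14.235/img/beacon.gif" width="1" height="1">
<img src="https://example.org/banner.png" width="600" height="120">
</body></html>
--XYZ--
"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_EML):
        print(finding["host"], finding["url"], ", ".join(finding["reasons"]))
```

A gateway or mailbox rule that blocks remote image loading by default removes the "sign of life" entirely; this script is the detection-side complement, useful for triaging which received messages were actually profiling attempts.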
"The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs," a researcher at Proofpoint said in a press statement. This is done essentially to avoid having their malicious tools discovered and publicly disclosed, according to the report.

TA416 has used SMTP2Go (an email marketing service) to impersonate various European diplomats since 2020. The standard method of attack uses these impersonated accounts to send out a cloud hosting service (e.g., Dropbox) URL that delivers a PlugX variant (for example, Trident Loader) to install the remote access malware.

Evolving tactics use phishing techniques

Over time, the technique has evolved to first sending out emails containing web bug resources through an actor-controlled IP address, 45.154.14[.]235. This IP address subsequently sends out phishing emails attempting to deliver a malicious zip file to targeted entities that have already been screened through the web bug campaigns. The zip file contains the same payload as the one served from a Dropbox URL, and at times is sent out in conjunction with a Dropbox URL hosting the same malicious archive. The file usually has a geopolitically themed title, which is shared with a PDF decoy that is later downloaded as part of the infection chain.

More recently, the zip files, which used to contain a decoy file, a legitimate PE (portable executable) file, a DLL (dynamic-link library) and a PlugX malware variant, have changed to contain just a rudimentary executable that acts as a dropper (a PE dropper). This dropper then sets up the executable configuration and downloads all four components.
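Both archive shapes the article describes, the older bundle of decoy plus legitimate executable plus DLL plus payload and the newer archive holding only a small dropper executable, can be recognised from the archive listing alone, without executing anything. The following Python script is an added example, not code from the article or from Proofpoint: it classifies a zip attachment by checking each member for a PE header (the `MZ` magic) rather than trusting its extension, and raises flags for an executable shipped next to a DLL, a lone executable, a document-like decoy travelling with executable code, and a PE hiding behind a non-executable extension. The sample archives, their member names and the `MZ`-only stub bytes are constructed for the example; the flag names are this script's own.

```python
import io
import zipfile

PE_MAGIC = b"MZ"
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".cpl"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def _ext(name):
    """Lower-cased extension of a member name, or '' if it has none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage_zip(data: bytes):
    """Classify a zip attachment by the shape of its contents.

    Returns {"members": [...], "flags": [...]} where flags may include:
      pe-with-dll           a PE executable next to a DLL (the bundle the article
                            describes: decoy + legitimate PE + DLL + payload)
      lone-pe-dropper       the archive holds exactly one member and it is a PE
      decoy-with-pe         a document-like member travels with executable code
      pe-extension-mismatch a member starts with MZ but has a non-PE extension
    Only the first two bytes of each member are read; nothing is extracted to disk.
    """
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            members.append({
                "name": info.filename,
                "ext": _ext(info.filename),
                "is_pe": head == PE_MAGIC,
            })

    flags = []
    pes = [m for m in members if m["is_pe"]]
    if any(m["ext"] == ".dll" for m in pes) and any(m["ext"] != ".dll" for m in pes):
        flags.append("pe-with-dll")
    if len(members) == 1 and members[0]["is_pe"]:
        flags.append("lone-pe-dropper")
    if pes and any(m["ext"] in DECOY_EXTENSIONS and not m["is_pe"] for m in members):
        flags.append("decoy-with-pe")
    if any(m["is_pe"] and m["ext"] not in PE_EXTENSIONS for m in members):
        flags.append("pe-extension-mismatch")
    return {"members": [m["name"] for m in members], "flags": flags}


def build_sample_zip(files):
    """Build an in-memory zip from {name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins: an MZ header followed by filler, not runnable code.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed stub, not an executable"
FAKE_PDF = b"%PDF-1.4\n% constructed decoy document\n"

# Older shape from the article: decoy + executable + DLL + a fourth component.
BUNDLE_ZIP = build_sample_zip({
    "Summit_Agenda.pdf": FAKE_PDF,
    "viewer.exe": FAKE_PE,
    "helper.dll": FAKE_PE,
    "data.dat": b"\x01\x02\x03 constructed opaque blob",
})
# Newer shape: a single executable carrying a document-style name.
DROPPER_ZIP = build_sample_zip({"Summit_Agenda.exe": FAKE_PE})
# A PE renamed to look like a document.
DISGUISED_ZIP = build_sample_zip({"Summit_Agenda.pdf": FAKE_PE})
# Nothing executable at all.
BENIGN_ZIP = build_sample_zip({"minutes.txt": b"constructed benign notes\n"})

if __name__ == "__main__":
    for label, blob in [("bundle", BUNDLE_ZIP), ("dropper", DROPPER_ZIP),
                        ("disguised", DISGUISED_ZIP), ("benign", BENIGN_ZIP)]:
        print(label, triage_zip(blob)["flags"])
```

The flags are triage signals, not verdicts: a legitimate installer also ships an executable beside a DLL. The value is in combining them with the sender-side indicators (the web bug fetch, the impersonated sender, the Dropbox link carrying the same archive) before a user ever opens the attachment.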
Additionally, TA416 has adopted a faster development cadence for its payloads, regularly changing the principal components of the infection delivery method. Decryption and communication routines within the final payload have also evolved since the beginning of 2022.