China-aligned APT renews cyberattack on European diplomats, as war rages

Proofpoint cybersecurity researchers have identified ramped-up activities by China-aligned APT (advanced persistent threat) actor TA416, targeting European diplomatic entities as the war between Russia and Ukraine intensifies. 

TA416 (aka RedDelta ) is known to have been targeting Europe for several years using web bugs to profile target accounts, according to a research report by Proofpoint.

Also known as tracking pixels, web bugs hyperlink a malicious object within the body of an email which, when activated, attempts to retrieve a benign image file from the hacker server. This provides a “sign of life” confirmation to the bad actor establishing that the target account is valid and inclined to open malicious emails with social engineering content. 

Most recently, TA416 has begun using the compromised email address of a European NATO country to target a different country’s diplomatic offices. Proofpoint did not name the countries.

The attack emails in the current campaign first originated in early November 2021, from an account impersonating a meetings services assistant at the UN General Assembly Secretariat. The malware campaign was observed targeting European diplomats under the pretense of communications from the UN.  The threat actor was found to have impersonated the same account back in August 2020 to carry out an attack against government officials in Europe.

Web bug reconnaissance to avoid detection

TA416 uses web bugs to screen targets and then send them malicious URLs with different variants of PlugX malware (a remote access trojan) payloads designed to initiate remote access on the victim’s computer leading to full control takeover. 

“The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs,” a researcher at Proofpoint said in a press statement. 

This is done essentially to avoid having their malicious tools discovered and publicly disclosed, according to the report. 

TA416 has used SMTP2Go (an email marketing service) to impersonate various European diplomats since 2020. The standard method of attack includes using these impersonated accounts to send out a cloud hosting service (eg. Dropbox) URL to deliver a PlugX variant (for example, Trident Loader) to install the remote access malware.

Evolving tactics use phishing techniques

Over time, the technique has evolved to first sending out emails containing web bug resources through an actor-controlled IP address, 45.154.14[.]235. This IP address successively sends out phishing emails attempting to deliver a malicious zip file to targeted entities that have already been scanned through web-bug campaigns. 

The zip file contains the same payload as that from a Dropbox URL, and at times is sent out in conjunction with a Dropbox URL having the same malicious archive file. The file usually has a geopolitically themed title, which is shared with a PDF decoy that would be later downloaded as part of the infection chain.

More recently, the zip files containing a decoy file, legitimate PE (portable execution) file, a DLL (dynamic Library loader) and a PlugX malware variant have changed tactics to now just contain a rudimentary executable which is a dropper malware (PE dropper). This malware then initiates proper executable configurations and downloads all four components. 

Additionally, the TA416 malware has adopted a faster development methodology for their payloads by regularly changing the principal components of the infection delivery method. Decryption and communication routines within the final payload have also evolved since the beginning of 2022.