As Russia's war on Ukraine intensifies, China-aligned threat actor TA416 has been detected ramping up its cyberattack campaign against European diplomats.

Proofpoint cybersecurity researchers have identified ramped-up activity by China-aligned APT (advanced persistent threat) actor TA416, targeting European diplomatic entities as the war between Russia and Ukraine intensifies. TA416 (aka RedDelta) is known to have been targeting Europe for several years using web bugs to profile target accounts, according to a research report by Proofpoint.

Also known as tracking pixels, web bugs hyperlink a malicious object within the body of an email which, when activated, attempts to retrieve a benign image file from the attacker's server. This provides a “sign of life” confirmation to the bad actor, establishing that the target account is valid and that its owner is inclined to open malicious emails with social engineering content.

Most recently, TA416 has begun using the compromised email address of a European NATO country to target a different country’s diplomatic offices. Proofpoint did not name the countries.

The attack emails in the current campaign first originated in early November 2021, from an account impersonating a meetings services assistant at the UN General Assembly Secretariat. The malware campaign was observed targeting European diplomats under the pretense of communications from the UN. The threat actor was found to have impersonated the same account back in August 2020 to carry out an attack against government officials in Europe.

Web bug reconnaissance to avoid detection

TA416 uses web bugs to screen targets and then sends them malicious URLs carrying different variants of PlugX malware (a remote access trojan) payloads, designed to establish remote access on the victim’s computer and lead to a full takeover of control.
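The “sign of life” mechanism described above can be checked for on the receiving side. The following is an added example (not Proofpoint's code or anything from the report): it parses a constructed phishing email and flags remote image references that would call out to an external host on render, scoring tiny images and raw-IP hosts higher. The sender domain, recipient and the 203.0.113.10 address are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email: a UN-themed lure whose HTML body carries a
# remote 1x1 image (a web bug) next to a harmless inline (cid:) logo.
SAMPLE_EML = """From: Meetings Services <assistant@example-invalid.test>
Subject: UN General Assembly: updated agenda
Content-Type: text/html; charset=utf-8

<html><body><p>Please see the attached agenda.</p>
<img src="http://203.0.113.10/track/diplomat.gif" width="1" height="1">
<img src="cid:logo@local" width="120" height="40">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))

def find_web_bugs(raw_eml):
    """Return suspected web bugs: <img> tags that fetch from a remote host.
    1x1 dimensions and a raw-IP host each add a reason to the finding."""
    msg = message_from_string(raw_eml, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _ImgCollector()
    parser.feed(body.get_content())
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images never phone home
        reasons = ["remote image"]
        if img.get("width") == "1" and img.get("height") == "1":
            reasons.append("1x1 pixel")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", url.hostname or ""):
            reasons.append("raw IP host")
        findings.append({"src": src, "host": url.hostname, "reasons": reasons})
    return findings
```

A mail gateway that strips or proxies remote images defeats the confirmation step regardless of the sender's intent, so this check is best used as a triage signal rather than a block rule.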
“The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs,” a researcher at Proofpoint said in a press statement. This is done essentially to avoid having their malicious tools discovered and publicly disclosed, according to the report.

TA416 has used SMTP2Go (an email marketing service) to impersonate various European diplomats since 2020. The standard method of attack uses these impersonated accounts to send out a cloud hosting service (e.g. Dropbox) URL that delivers a PlugX variant (for example, Trident Loader) to install the remote access malware.

Evolving tactics use phishing techniques

Over time, the technique has evolved to first sending out emails containing web bug resources through an actor-controlled IP address, 45.154.14[.]235. This IP address then sends phishing emails attempting to deliver a malicious zip file to targeted entities that have already been screened through the web bug campaigns. The zip file contains the same payload as the one served from a Dropbox URL, and at times is sent together with a Dropbox URL pointing to the same malicious archive. The file usually has a geopolitically themed title, which is shared with a PDF decoy downloaded later as part of the infection chain.

More recently, the zip files, which used to contain a decoy file, a legitimate PE (portable executable) file, a DLL (dynamic-link library) and a PlugX malware variant, have changed to contain just a rudimentary executable that acts as a dropper (PE dropper). This dropper then sets up the executable configuration and downloads all four components.
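The four-component archive layout described above (decoy, legitimate PE, DLL, and a non-PE blob holding the payload) is something a mail or sandbox pipeline can triage by content rather than by file extension. This is an added example, not code from the report: the archive, its member names and their bytes are constructed placeholders, and the check only reports whether the described layout is present.

```python
import io
import zipfile

def _build_sample_archive():
    """Constructed stand-in for the archive the report describes: a PDF
    decoy, an EXE, a DLL and an opaque data blob. All names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Agenda_UNGA_Session.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("Agenda_UNGA_Session.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("utils.dll", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("utils.dat", b"\x8a\x11\x3c\x7f" * 16)
    return buf.getvalue()

SAMPLE_ZIP = _build_sample_archive()

def triage_archive(zip_bytes):
    """Classify members by their leading bytes (MZ / %PDF), split PE files
    into EXE vs DLL by name, and flag the EXE + DLL + blob + decoy layout."""
    exes, dlls, blobs, decoys = [], [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(64)
            name = info.filename.lower()
            if head.startswith(b"MZ"):
                (dlls if name.endswith(".dll") else exes).append(info.filename)
            elif head.startswith(b"%PDF") or name.endswith((".doc", ".docx", ".rtf")):
                decoys.append(info.filename)
            else:
                blobs.append(info.filename)  # payload carrier: not PE, not a document
    four_component = bool(exes) and bool(dlls) and bool(blobs) and bool(decoys)
    return {"exe": exes, "dll": dlls, "blob": blobs, "decoy": decoys,
            "four_component_layout": four_component}
```

An archive holding only a single small EXE, the newer dropper form the article mentions, will not match this layout, so the two findings need to be reviewed side by side.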
Additionally, TA416 has adopted a faster development methodology for its payloads by regularly changing the principal components of the infection delivery method. Decryption and communication routines within the final payload have also evolved since the beginning of 2022.