A Chinese threat actor was observed targeting both European diplomatic entities and the Tibetan community with the same strain of malware.
Tracked as APT TA413 and previously associated with LuckyCat and ExileRAT malware, the threat actor has been active for nearly a decade, and is believed to be responsible for a multitude of attacks targeting the Tibetan community.
In a report published Wednesday, Proofpoint’s security researchers revealed a link between COVID-19-themed attacks impersonating the World Health Organization (WHO) to deliver the “Sepulcher” malware to economic, diplomatic, and legislative entities within Europe and attacks on the Tibetan community that delivered LuckyCat-linked malware and ExileRAT.
Furthermore, a July campaign targeting Tibetan dissidents was attempting to deliver the same Sepulcher malware from the same infrastructure, with some of the employed email addresses previously used in attacks delivering ExileRAT, suggesting that both campaigns are the work of TA413.
“While best known for their campaigns against the Tibetan diaspora, this APT group associated with the Chinese state interest prioritized intelligence collection around Western economies reeling from COVID-19 in March 2020 before resuming more conventional targeting later this year,” Proofpoint notes.
Targeting European diplomatic and legislative entities and economic affairs and non-profit organizations, the March campaign attempted to exploit a Microsoft Equation Editor flaw to deliver the previously unidentified Sepulcher malware.
The July campaign was employing a malicious PowerPoint (PPSX) attachment designed to drop the same malware, and Proofpoint connected it to a January 2019 campaign that used the same type of attachments to infect victims with the ExileRAT malware.
What linked these attacks, Proofpoint reveals, was the reuse of the same email addresses, clearly suggesting that ..
Support the originator by clicking the read the rest link below.
