Also known as OceanLotus, the Advanced Persistent Threat (APT) group APT32 is currently running a malware campaign targeting Apple macOS users. APT32 is a nation-state-funded collective that mainly attacks foreign companies with a base in Vietnam. The stolen data is thought to have been used to give Vietnamese firms a competitive advantage, although the precise motives behind the attacks are not known.
The group is known for using fully featured malware, often delivered via phishing emails, as well as commercially available tools. The most recent strain was discovered by security researchers at Trend Micro, who attributed it to APT32 based on code similarities with other malware variants the group is known to have used. The malware is a macOS backdoor that permits the group to steal protected information such as business documents, and it also lets the attackers download and install additional malicious programs on victim devices.
The malware is delivered via phishing emails carrying a zip file attachment disguised as a Microsoft Word document. If the recipient is convinced to open the attachment, no Word document appears; instead, the first stage of the payload executes in the background. The first stage changes file access permissions so that the second-stage payload can be executed, which in turn leads to the third stage that downloads and installs the backdoor on the device. This multi-stage delivery helps the malware evade security solutions.
Safeguarding against these attacks involves blocking the initial attack vector so that the phishing emails never reach end users. Security awareness training should be provided, and employees conditioned not to open email attachments from unknown senders. It is also advisable to keep computers fully patched, as this limits the group's ability to use its malware to carry out malicious actions.
Chinese TA416 APT Group Delivering New Variant of PlugX RAT
The APT collective TA416 – aka Mustang Panda/Red Delta – is running a campaign to distribute a new strain of its PlugX Remote Access Trojan (RAT). TA416 is a nation-state-sponsored group with strong connections to the Chinese government and has previously conducted attacks on a wide range of targets around the globe.
The group is known for using spear phishing emails and social engineering to deliver malware that gives the attackers full control of an infected computer. The attacks are conducted for espionage purposes, and the malware has a wide range of capabilities: along with stealing data, it can copy, move, rename, execute, and delete files, log keystrokes, and carry out other actions.
The new campaign delivers two RAR archives that act as droppers for the PlugX malware. The emails in the most recent campaign are themed around a supposed new agreement between the Vatican and the Chinese Communist Party.
The campaign was discovered by researchers at Proofpoint, who could not pinpoint the exact delivery method; however, TA416 is known to use Google Drive and Dropbox URLs in its phishing emails to deliver malicious payloads. One of the RAR files is a self-extracting archive that extracts four files and runs a file named Adobelm.exe, which delivers a Golang version of the PlugX malware. The latest update to the PlugX RAT helps it evade security solutions.
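Both campaigns above rely on an archive attachment whose contents are not what the name suggests: a zip "Word document" that actually carries executable code with altered permissions in the APT32 case, and a self-extracting RAR in the TA416 case. The following attachment-triage script is an added illustration written for this article, not code from Trend Micro, Proofpoint or either research team. It inspects an attachment by magic bytes rather than by filename, flags zip entries that are Mach-O, PE or script content (especially when named like a document or carrying a Unix execute bit), and recognises a PE stub with embedded RAR data as a self-extracting archive. The sample blobs are constructed in the script (a Mach-O magic followed by zero padding, an MZ stub with a RAR signature) and are not real payloads; the finding strings and function names are this example's own.

```python
import io
import zipfile
from dataclasses import dataclass

# Magic bytes this triage needs to recognise.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",   # Mach-O 32/64-bit, big-endian
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",   # Mach-O 32/64-bit, little-endian
    b"\xca\xfe\xba\xbe",                        # Mach-O universal (fat) binary
}
RAR_SIGS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")   # RAR4 / RAR5
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf")
EXEC_KINDS = {"mach-o", "pe", "script"}


@dataclass(frozen=True)
class Finding:
    entry: str
    reason: str


def classify(data: bytes) -> str:
    """Identify a blob by its leading bytes (only the kinds this triage cares about)."""
    if data[:4] in MACHO_MAGICS:
        return "mach-o"
    if data[:2] == b"MZ":
        return "pe"
    if data[:2] == b"#!":
        return "script"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data.startswith(RAR_SIGS):
        return "rar"
    return "other"


def looks_like_document(name: str) -> bool:
    """True if any path component is dressed up as an Office/PDF document,
    including double-extension names such as Report.docx.app/..."""
    parts = name.lower().split("/")
    return any(p.endswith(ext) or (ext + ".") in p for p in parts for ext in DOC_EXTS)


def triage_zip(data: bytes) -> list:
    """Flag zip entries whose content or permissions contradict a 'document' attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = classify(zf.read(info))
            # The upper 16 bits of external_attr hold the Unix mode for entries
            # written on macOS/Linux; an execute bit on a "document" is a red flag.
            mode = info.external_attr >> 16
            if kind in EXEC_KINDS:
                findings.append(Finding(info.filename, f"{kind} content inside archive"))
                if looks_like_document(info.filename):
                    findings.append(Finding(info.filename, "document-named entry is executable code"))
            if mode & 0o111:
                findings.append(Finding(info.filename,
                                        f"entry has execute permission (mode {mode & 0o7777:04o})"))
    return findings


def triage_attachment(filename: str, data: bytes) -> list:
    """Return Findings for one attachment; an empty list means nothing was flagged."""
    kind = classify(data)
    if kind == "zip":
        return triage_zip(data)
    if kind == "pe":
        # A PE stub with a RAR signature embedded is a self-extracting archive:
        # one click unpacks and runs whatever its author bundled.
        if any(sig in data for sig in RAR_SIGS):
            return [Finding(filename, "self-extracting RAR archive (PE stub with embedded RAR data)")]
        return [Finding(filename, "bare Windows executable attached")]
    if kind in ("mach-o", "script"):
        return [Finding(filename, f"{kind} attached directly")]
    return []


def build_sample_zip() -> bytes:
    """Constructed sample, not a real payload: one entry named like a Word
    document that starts with a Mach-O magic and carries mode 0755."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("Contract Draft.docx")
        info.external_attr = 0o100755 << 16
        zf.writestr(info, b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed benign sample: a plain text file, no execute bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"meeting notes")
    return buf.getvalue()


# Constructed stand-in for a self-extracting RAR: MZ header, padding, RAR4 signature.
SAMPLE_SFX = b"MZ" + b"\x00" * 126 + RAR_SIGS[0] + b"\x00" * 32


if __name__ == "__main__":
    samples = (("Contract.zip", build_sample_zip()),
               ("Agreement.exe", SAMPLE_SFX),
               ("clean.zip", build_clean_zip()))
    for name, blob in samples:
        for f in triage_attachment(name, blob):
            print(f"{name}: {f.entry}: {f.reason}")
```

Checking magic bytes rather than extensions is the point: a genuine .docx is itself a zip (it starts with PK), so it passes, while an entry named .docx that starts with a Mach-O or MZ header does not. In a mail gateway this kind of check belongs alongside, not instead of, the sandboxing and URL filtering the article recommends, since it only sees attachments, not payloads fetched later from Google Drive or Dropbox links.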
Tackling the APT Threat
The tactics these and other APT groups use to deliver malware are constantly changing, with phishing campaigns regularly amended to increase the likelihood that end users perform the desired action and to stop the campaigns being detected by anti-virus and anti-phishing solutions. These changes are effective: they can easily trick end users and bypass technical controls, especially signature-based antivirus solutions.
Advanced AI-based cybersecurity solutions are needed to detect and block these threats. Such solutions spot known malware variants and can also identify zero-day malware and never-before-seen phishing campaigns. They work by protecting the two most commonly exploited attack vectors – email and the web – stopping malicious messages from reaching inboxes and blocking downloads of malicious files from attacker-controlled web portals.