The Advanced Persistent Threat (APT) group APT32 – aka OceanLotus – is conducting a malware campaign targeting Apple MacOS users. APT32 is a nation-state hacking group that primarily targets foreign companies operating in Vietnam. The data exfiltrated by the hackers is believed to be used to give Vietnamese companies a competitive advantage, although the exact motives behind the attacks are opaque.
The group is known for using fully featured malware which is often delivered via phishing emails and commercially available tools. The latest malware variant was identified by security researchers at Trend Micro, who tied the malware to APT32 due to code similarities with other malware variants known to have been used by the group. The malware is a MacOS backdoor that allows the group to steal sensitive information such as business documents. The malware also gives the attackers the ability to download and install additional malicious programs on victim computers.
The malware is being delivered via phishing emails that have a zip file attachment which is disguised as a Microsoft Word document. If the recipient is convinced to open the attached file, no Word document will be opened, but the first stage of the payload will execute in the background. The first stage changes access permissions which allows the second stage payload to be executed, which prompts the third stage of the payload that downloads and installs the backdoor on the system. This multi-stage delivery of the backdoor helps the malware to evade security solutions.
Protecting against attacks involves blocking the initial attack vector to prevent the phishing emails from being delivered to end users. End user security awareness training should be provided, and employees conditioned not to open email attachments from unknown senders. It is also recommended to ensure computers are kept fully patched, as this will limit the ability of the group to use its malware to perform malicious actions.
Chinese TA416 APT Group Delivering New Variant of PlugX RAT
The APT group TA416 – aka Mustang Panda/Red Delta – is conducting a campaign to distribute a new variant of its PlugX Remote Access Trojan (RAT). TA416 is a nation state sponsored group with strong links to the Chinese government and has previously conducted attacks on a wide range of targets around the world.
The group is known for using spear phishing emails and social engineering techniques to deliver malware that allows the hackers to gain full control of an infected computer. The attacks are conducted for espionage purposes; however, the malware has an extensive range of capabilities. In addition to stealing data, the malware can copy, move, rename, execute, and delete files, log keystrokes, and perform many other actions.
The new campaign delivers two RAR archives, which act as droppers for its PlugX malware. The theme of the emails in the latest campaign are a supposed new agreement between the Vatican and the Chinese Communist Party.
The campaign was identified by researchers at Proofpoint, who could not pinpoint the exact delivery method; however, TA416 is known to use Google Drive and Dropbox URLs in its phishing emails to deliver malicious payloads. One of the RAR files is a self-extracting archive that extracts four files and executes an Adobelm.exe file, which delivers a Golang version of the PlugX malware. The recent update to the PlugX RAT helps it evade security solutions.
Combating the APT Threat
The tactics used by these and other APT groups to deliver malware are constantly changing, with phishing campaigns regularly tweaked to increase the likelihood of end users performing the desired action and to prevent the campaigns being detected by anti-virus and anti-phishing solutions. The changes to the malware and campaigns are effective and can easily fool end users and bypass technical controls, especially signature-based antivirus solutions.
Advanced AI-based cybersecurity solutions are required to detect and block these threats. These solutions detect known malware variants and can also identify zero-day malware threats and never-before seen phishing campaigns. The solutions work by protecting against the two most common attack vectors – email and the web – and prevent malicious messages from reaching inboxes and block downloads of malicious files from attacker-controlled websites.