China-backed APT group used COVID to target west


By Dylan Bushell-Embling
Monday, 07 September, 2020



A Chinese state-sponsored threat actor capitalised on the COVID-19 pandemic to broaden its reach to Western economic and political organisations, according to Proofpoint researchers.

The security company said it has traced a phishing campaign impersonating the World Health Organisation’s (WHO) guidance on COVID-19 to the hacking group known as APT TA413, which has traditionally been known for campaigns against the Tibetan diaspora.

But in March, the allegedly Chinese state-sponsored group shifted its focus to prioritise intelligence collection on Western economies reeling from COVID-19, before resuming more conventional targeting later in the year, Proofpoint researchers said.

The observed attack campaign involved spoofing WHO guidance on COVID-19 to target European diplomatic and legislative bodies, non-profit policy research organisations and global organisations involved in economic affairs.

The spoofed emails deliver a new malware family that researchers have dubbed “Sepulcher”, the same malware family used in a phishing campaign from July targeting Tibetan dissidents.

The malware, delivered through a weaponised RTF attachment named Covdi.rtf, also appears to share infrastructure with the LuckyCat malware used against Tibetan targets in 2012, further suggesting a link to APT TA413.

Sepulcher malware has seven work modes, which include conducting reconnaissance on an infected host, spawning a reverse command shell, and reading from and writing to files, Proofpoint said.

The malware is also capable of more active functions, such as deleting directories and files, creating directories, moving a file from a source to a destination path, spawning a shell to execute commands, terminating a process, restarting a service, changing a service's start type and deleting a service.

“While the new Sepulcher malware is far from groundbreaking, its combination with timely social engineering lures masquerading as critical guidance from the WHO leveraged an urgent global crisis to entice victims,” Proofpoint Senior Threat Research Engineer Michael Raggi said in a blog post detailing the company’s findings.

“This campaign’s specific focus on European economic, diplomatic and legislative entities belies a possible momentary realignment for Chinese cyber espionage groups to collect information on global economies cast into upheaval as a result of COVID-19.

“However, in the case of TA413 that shift may have been short lived [as evidenced by] the re-emergence of well-known Tibetan themed sender addresses and graphically didactic PowerPoint attachments in July.”

Image credit: ©stock.adobe.com/au/Leo Lintang


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd