China’s Hacking of European Diplomats Aligns With Russia-Ukraine Conflict

In an ongoing campaign aligned with the current war in Ukraine, Chinese cyberespionage group Mustang Panda has been targeting European diplomats with an updated variant of the PlugX backdoor, cybersecurity company Proofpoint reports.

Also known as RedDelta and TA416, the group was previously observed targeting entities connected to the Vatican – Chinese Communist Party diplomatic relations, as well as telecommunications companies in Asia, Europe, and the United States.

Believed to be operating on behalf of the Chinese government, Mustang Panda has been using ‘web bugs’ to perform reconnaissance operations, which suggests the group “is being more discerning about which targets the group chooses to deliver malware payloads,” Proofpoint says.

The web bug technique embeds in the body of the phishing email a hyperlinked, non-visible object that attempts to fetch an image from a remote server; a successful fetch confirms to the attackers that the targeted email account is in use by the victim.
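One defensive check for the web bug technique described above, as an added example that is not part of the article or of Proofpoint's report: parse an inbound message's HTML body and flag remote images that are 1x1 or styled as hidden, which is the usual shape of a tracking beacon. The sample message and its hostnames are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing-style message carrying a hidden remote
# image (the web bug) next to a legitimate inline image referenced by cid.
SAMPLE_EMAIL = """\
From: sender@example.invalid
To: diplomat@example.invalid
Subject: Meeting notes
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please see the attached notes.</p>
<img src="https://tracker.example.invalid/pixel.gif?id=abc123" width="1" height="1" style="display:none">
<img src="cid:logo@example.invalid" width="200" height="50">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.imgs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny_or_hidden(attrs):
    """True if the image is 1px in either dimension or hidden via CSS."""
    def dim(value):
        try:
            return int(value.strip().rstrip("px"))
        except ValueError:
            return None
    w, h = dim(attrs.get("width", "")), dim(attrs.get("height", ""))
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)

def find_web_bugs(raw_message):
    """Return the remote image URLs in an email that look like tracking beacons."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _ImgCollector()
    collector.feed(body.get_content())
    # Only images fetched over HTTP(S) can report back to a remote server;
    # cid: references are embedded parts and cannot act as beacons.
    return [a.get("src", "") for a in collector.imgs
            if urlparse(a.get("src", "")).scheme in ("http", "https")
            and _is_tiny_or_hidden(a)]
```

A gateway can quarantine such messages or rewrite the flagged URLs so the beacon never fires when the mail is opened.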

Starting November 2021, Mustang Panda has been employing this method in campaigns targeting European diplomatic entities, with the activity aligned with the escalating tensions between Russia and Ukraine.

In attacks ongoing since January 2022, the group has been seen delivering web bugs alongside malware links and targeting European diplomats with phishing emails containing links to malicious Zip files hosted on Dropbox. If opened, the files eventually lead to the execution of PlugX on the victim’s machine.

On February 28, Mustang Panda started using a compromised email address belonging to a diplomat in a European NATO country to target diplomatic offices in another country. The targeted diplomat was associated with refugee and migrant services.

Just as in previous campaigns, DLL search order hijacking is employed for PlugX deployment, but in recent attacks the threat actor switched to using potplayermini.exe to initiate the hijacking operation. Furthermore, the attackers updated their malware’s encoding method and also expanded its configuration capabilities.

The observed changes include various obfuscation and anti-analysis techniques and three new configuration fields, and show that the malware is undergoing additional development, Proofpoint says. The command and control (C&C) communication method was also modified, both in January and February.

“In response to historical disclosures detailing TA416 PlugX malware infection and encoding methods, the group appears to have adopted a rapid rate of development for their PlugX payloads,” Proofpoint notes.

Ionut Arghire is an international correspondent for SecurityWeek.