TA416 APT Rebounds With New PlugX Malware Variant (Security News, November 2020)
The TA416 advanced persistent threat actor is back with a vengeance: After a month of inactivity, the group was spotted launching spear-phishing attacks with a never-before-seen Golang variant of its PlugX malware loader.
In further analysis of these attacks, researchers found the group had updated its toolset - specifically, giving its PlugX malware variant a facelift.
While some of these campaigns were previously reported on, further investigation into the attacks revealed a brand new variant of TA416's PlugX malware loader.
Researchers said the initial delivery vector for these RAR archives could not be identified. "However, historically TA416 has been observed including Google Drive and Dropbox URLs within phishing emails that deliver archives containing PlugX malware and related components," they said.
The loader reads, loads, decrypts and executes the PlugX malware payload. The PlugX malware then ultimately calls out to the command and control server IP, 45.248.87[.]162. Researchers said that continued activity by TA416 demonstrates a persistent adversary making continual changes to documented toolsets.
News URL: https://threatpost.com/ta416-apt-plugx-malware-variant/161505/