Security News > 2022 > March > China APT group using Russia invasion, COVID-19 in phishing attacks
A China-based threat group is likely running a month-long campaign using a variant of the Korplug malware and targeting European diplomats, internet service providers and research institutions via phishing lures that refer to Russia's invasion of Ukraine and COVID-19 travel restrictions.
The ongoing campaign was first seen in August 2021 and is being tied to Mustang Panda - a Chinese APT unit also known as TA416, RedDelta and PKPLUG - due to similar code and common tactics, techniques and procedures used by the group in the past, according to researchers with the cybersecurity firm ESET. Mustang Panda is known for targeting governmental entities and non-governmental organizations, with most of its victims being in East and Southeast Asia.
The decoy documents used as phishing lures by Mustang Panda for Hodur not only refer to current events occurring in Europe but also are frequently updated, the researchers wrote.
Researchers with cybersecurity firm Proofpoint referred to the same campaign in a report earlier this month, noting the campaign by the threat group - which they call TA146 - is part of a larger trend among cybercriminals to profit off the fallout from Russia's war against Ukraine.
The threat group often uses custom loaders for shared malware - such as Cobalt Strike, Poison Ivy and Korplug - in its campaigns.
"Korplug is a RAT used by multiple APT groups," ESET researchers wrote.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/03/28/mustang-panda-korplug-variant/
Related news
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)
- US proposes ban on connected vehicle tech from China, Russia (source)
- Australian Organisations Targeted by Phishing Attacks Disguised as Atlassian (source)
- Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials (source)
- Evil Corp's deep ties with Russia and NATO member attacks exposed (source)
- GoldenJackal APT group breaches air-gapped systems in Europe (source)
- GitHub, Telegram Bots, and ASCII QR Codes Abused in New Wave of Phishing Attacks (source)
- China again claims Volt Typhoon cyber-attack crew was invented by the US to discredit it (source)
- Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack (source)
- SideWinder APT Strikes Middle East and Africa With Stealthy Multi-Stage Attack (source)