Security News > 2022 > March > China APT group using Russia invasion, COVID-19 in phishing attacks

A China-based threat group is likely running a month-long campaign using a variant of the Korplug malware and targeting European diplomats, internet service providers and research institutions via phishing lures that refer to Russia's invasion of Ukraine and COVID-19 travel restrictions.

The ongoing campaign was first seen in August 2021 and is being tied to Mustang Panda - a Chinese APT unit also known as TA416, RedDelta and PKPLUG - due to similar code and common tactics, techniques and procedures used by the group in the past, according to researchers with the cybersecurity firm ESET. Mustang Panda is known for targeting governmental entities and non-governmental organizations, with most of its victims being in East and Southeast Asia.

The decoy documents used as phishing lures by Mustang Panda for Hodur not only refer to current events occurring in Europe but also are frequently updated, the researchers wrote.

Researchers with cybersecurity firm Proofpoint referred to the same campaign in a report earlier this month, noting the campaign by the threat group - which they call TA146 - is part of a larger trend among cybercriminals to profit off the fallout from Russia's war against Ukraine.

The threat group often uses custom loaders for shared malware - such as Cobalt Strike, Poison Ivy and Korplug - in its campaigns.

"Korplug is a RAT used by multiple APT groups," ESET researchers wrote.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/28/mustang-panda-korplug-variant/