Security News > 2022 > March > China APT group using Russia invasion, COVID-19 in phishing attacks
A China-based threat group is likely running a month-long campaign using a variant of the Korplug malware and targeting European diplomats, internet service providers and research institutions via phishing lures that refer to Russia's invasion of Ukraine and COVID-19 travel restrictions.
The ongoing campaign was first seen in August 2021 and is being tied to Mustang Panda - a Chinese APT unit also known as TA416, RedDelta and PKPLUG - due to similar code and common tactics, techniques and procedures used by the group in the past, according to researchers with the cybersecurity firm ESET. Mustang Panda is known for targeting governmental entities and non-governmental organizations, with most of its victims being in East and Southeast Asia.
The decoy documents used as phishing lures by Mustang Panda for Hodur not only refer to current events occurring in Europe but also are frequently updated, the researchers wrote.
Researchers with cybersecurity firm Proofpoint referred to the same campaign in a report earlier this month, noting the campaign by the threat group - which they call TA146 - is part of a larger trend among cybercriminals to profit off the fallout from Russia's war against Ukraine.
The threat group often uses custom loaders for shared malware - such as Cobalt Strike, Poison Ivy and Korplug - in its campaigns.
"Korplug is a RAT used by multiple APT groups," ESET researchers wrote.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/03/28/mustang-panda-korplug-variant/
Related news
- New APT Group 'Lotus Bane' Behind Recent Attacks on Vietnam's Financial Entities (source)
- OpenAI shuts down China, Russia, Iran, N Korea accounts caught doing naughty things (source)
- European retailer Pepco loses €15.5 million in phishing (possibly BEC?) attack (source)
- Need to Know: Key Takeaways from the Latest Phishing Attacks (source)
- New executive order bans mass sale of personal data to China, Russia (source)
- Vishing, smishing, and phishing attacks skyrocket 1,265% post-ChatGPT (source)
- Hackers target FCC, crypto firms in advanced Okta phishing attacks (source)
- Hackers steal Windows NTLM authentication hashes in phishing attacks (source)
- Flipper Zero WiFi phishing attack can unlock and steal Tesla cars (source)
- MiTM phishing attack can let attackers unlock and steal a Tesla (source)