China: Two separate campaigns were identified by researchers at Proofpoint that was attributed to the Chinese Advanced Persistent Threat (APT) known as TA413. The spear-phishing campaigns which were identified in March and July used a new Remote Access Trojan (RAT) that was dubbed Sepulcher. The attack in March was against the World Health Organization. During that period, many Chinese threat actors shifted their focus to stealing COVID-19 research. The second attack in July targeted Tibetan dissidents, which is the standard target for TA413. Researchers at Proofpoint managed to link the attacks to the APT through the sender email address that what used. The Sepulcher malware is considered a basic RAT and its main functions are for reconnaissance activity. The RAT is also able to do more active functions such as creating directories, moving file source to destination, spawning a shell to execute commands, terminating a process, restarting a service, changing a service start type, and deleting a service.
Analyst Notes
TA413 typically targets Tibetan dissidents as they did in their July attack, but the urgency of research about COVID-19 forced the group to shift targets in March. Researchers stated that there is nothing special that they have witnessed about the RAT. With the initial attack beginning through a spear-phishing email, defenders should have the proper filtering in place for their email systems. Training for employees on how to identify phishing emails that are targeting them is still an important part of defense. Monitoring workstations and servers for unusual or suspicious program behavior is also very important, in case employees are tricked into opening malicious attachments that make it through email filters.
More can read here: https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/
