The use of COVID-19-related lures is already perceived as common practice among both financially motivated groups and state-sponsored cyber espionage units. Researchers released a report last week about another group that has been using COVID-19-themed phishing emails for six months to deliver its new tool. Yes, we are talking about the Chinese APT group known as TA413, which specializes in economic espionage campaigns targeting non-profit policy research organizations, European diplomatic and legislative bodies, and global organizations dealing with economic affairs.
The adversaries use custom malware dubbed Sepulcher. So far TA413 is the only threat actor observed using it, but given the widespread practice among Chinese groups of sharing their tools, this malware may appear in other APT groups' arsenals as well, especially now that the report has been published. Sepulcher is a Remote Access Trojan capable of carrying out reconnaissance: obtaining information about drives, files, directory statistics, directory paths, directory contents, and running processes and services. It can also create directories, delete directories and files, spawn a shell to execute commands, terminate a process, and more.
The threat-hunting rule released by Osman Demir detects TA413 malicious activity and the Sepulcher malware used by the group in its cyber espionage campaigns:
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Tactics: Initial Access, Persistence, Privilege Escalation
Techniques: New Service (T1050), Spearphishing Attachment (T1193)