TA416 attack

The Chinese state-sponsored APT group TA416 (aka Mustang Panda/Red Delta) has been found targeting European government agencies and diplomatic entities that deliver services for Ukrainian refugees and migrants who flee from Russian aggression. A detailed analysis shows that attackers primarily aim at conducting long-term cyber-espionage campaigns rather than chasing immediate gains.

The research conducted by Proofpoint highlights that the attackers use web bugs to deliver a variety of PlugX malware strains. The situation is aggravated by the fact that TA416 actors have recently upgraded PlugX to a more sophisticated version by changing its encoding and adding new configuration capabilities. Hence, existing detection content for this malware might no longer be sufficient.

TA416 PlugX Detection

Security practitioners can find below the latest Sigma-based detection rule crafted by SOC Prime’s Threat Bounty developer Nattatorn Chuensangarun. The rule captures the new PlugX variants that researchers have recently identified as the more advanced malware leveraged by the infamous Chinese phishing actors against European allies.

TA416 Utilize Web Bug to PlugX Targets European Governments

Log into your existing account or sign up for SOC Prime’s Detection as Code platform to access this detection in a range of the following formats: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, Microsoft Defender for Endpoint, FireEye, Carbon Black, LogPoint, Graylog, Regex, Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Qualys, and AWS OpenSearch.

This detection rule addresses MITRE ATT&CK® techniques and sub-techniques, such as Boot or Logon Autostart Execution (T1547) and User Execution: Malicious File (T1204.002).

To proactively defend your infrastructure, discover the world’s largest pool of detection content in the SOC Prime’s Detection as Code platform connecting skilled cybersecurity researchers and proficient content developers from across the globe. Striving to become a content contributor yourself? Join our Threat Bounty Program to submit your detection content and have a chance to get recurring rewards for your work.


TA416 Tactics Analysis

The most recent attack vector is in line with the campaign pattern that the TA416/Red Delta APT collective has been practicing since at least 2020. It all starts with phishing emails impersonating European diplomatic organizations. TA416 has used SMTP2Go, a legitimate email marketing service that allows the sender to alter the envelope sender field. Alternatively, TA416 threat actors have also used compromised diplomats’ email accounts to deliver malware payloads to NATO officials at the end of February 2022, right after Russia invaded Ukraine.

Clicking the malicious URL embedded in the phishing email downloads an archive file containing a malware dropper. The dropper, in turn, downloads four components:

  • PlugX malware
  • PlugX loader
  • DLL process loader
  • PDF decoy file

Cybersecurity researchers note that the Chinese threat actors use a variety of initial loaders and final payloads, as well as different communication routines. As a result, the IOCs may vary widely, whereas the TTPs attributed to TA416 differ little from those the group has been leveraging since 2020, which makes TA416 campaigns easier to detect.
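As an added illustration (not the SOC Prime rule referenced above, whose logic is not reproduced on this page), a small Python correlator that flags the behavioural chain described here on constructed Sysmon-style events: an executable started from a user-writable directory, a DLL loaded from that same directory (the loader/DLL pairing listed above, interpreted here as an assumption), and then an autostart entry (MITRE T1547). Event fields, paths and names are hypothetical.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry). pid 400 models the chain
# described above: a loader exe dropped into a user-writable folder, a DLL loaded
# from that same folder, then an autostart value (MITRE T1547). pid 500 is benign.
EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 400,
     "image": r"C:\Users\a\Downloads\docs\viewer.exe"},
    {"ts": 2, "type": "image_load", "pid": 400,
     "loaded": r"C:\Users\a\Downloads\docs\helper.dll"},
    {"ts": 3, "type": "registry_set", "pid": 400,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Viewer",
     "value": r"C:\Users\a\Downloads\docs\viewer.exe"},
    {"ts": 4, "type": "process_create", "pid": 500,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": 5, "type": "image_load", "pid": 500,
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")  # hypothetical markers
RUN_KEY = "\\currentversion\\run\\"

def correlate(events):
    """Return [(pid, exe)] for processes showing, in time order: an exe started from
    a user-writable directory, a DLL loaded from that same directory, and a Run-key
    value pointing back at the exe. Any missing or out-of-order stage means no alert."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pid[e["pid"]].append(e)
    hits = []
    for pid, evs in by_pid.items():
        exe = next((e["image"] for e in evs if e["type"] == "process_create"), None)
        if not exe or not any(m in exe.lower() for m in USER_WRITABLE):
            continue  # system binaries never reach the later stages
        exe_dir = ntpath.dirname(exe).lower()
        stage = 0
        for e in evs:
            if stage == 0 and e["type"] == "image_load" and \
                    ntpath.dirname(e["loaded"]).lower() == exe_dir:
                stage = 1  # loader/DLL pair living in the same user-writable folder
            elif stage == 1 and e["type"] == "registry_set" and \
                    RUN_KEY in e["key"].lower() and e["value"].lower() == exe.lower():
                hits.append((pid, exe))  # persistence (T1547) completes the chain
                break
    return hits
```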

To evolve threat detection capabilities faster and more efficiently, individual organizations can tap into the power of collaborative cyber defense and enrich their expertise with the industry’s best practices. Join SOC Prime’s Detection as Code platform, the world’s largest and most advanced platform for collaborative cyber defense, to stay ahead of emerging threats and empower your SOC operations.
