Things are getting back to normal: Chinese hackers revert to bugging Tibetans after brief Euro campaign

Malware pathologists have noted a return to "business as usual" as groups associated with Chinese state interests turned their attentions back to Tibetan matters after a European dalliance earlier this year.

The global pandemic represented a golden opportunity for miscreants and, according to analysis from cybersecurity outfit Proofpoint, several noted Advanced Persistent Threat (APT) groups adopted COVID-19 phishing lures masquerading as World Health Organization (WHO) advice.

Back in March, a phishing campaign attempted to deliver the "Sepulcher" malware to various European institutions (including nonprofits and legislative bodies) with a sender email identified as being linked to historical Chinese APT targeting of the Tibetan community, Proofpoint said.

The malware itself was delivered via a weaponised .RTF attachment, impersonating a WHO document, and was delivered on 16 March. Executing the attachment began a sequence of events that left a malicious .WMF on disk. Firing up that file resulted in the delivery and installation of Sepulcher.

Sepulcher itself, described by researchers as "far from groundbreaking", can gather intelligence on the resources of the infected system, spawn a reverse CMD shell, and read from and write to file.

A second phishing campaign kicked off at the end of July, and attempted to deliver the same strain of malware to Tibetan dissidents. This time a malicious PowerPoint attachment was used, "conspicuously named 'TIBETANS BEING HIT BY DEADLY VIRUS THAT CARRIES A GUN AND SPEAKS CHINESE.ppsx'," according to researchers.

The report's authors noted this campaign was "highly reminiscent" of another in January 2019. As well as the type and content of the PowerPoint, the sender email was the same, pointing to the APT actor TA413, according to Proofpoint.

The security firm said: "While it is not impossible for multiple APT groups to utilize a single operator account (sender address) against distinct targets in different campaigns, it is unlikely. It is further unlikely that this sender reuse after several years would occur twice in a four-month period between March and July, with both instances delivering the same Sepulcher malware family."

The evidence therefore points to an APT group best know for Tibetan campaigns being re-tasked to collect information from European organisations reeling from COVID-19 in March. TA413 then resumed "more conventional targeting" later in the year.

"Although the re-emergence of two publicly known sender accounts after multiple years is unusual, the use of a known sender account to target a new group of recipients in this case may represent an opsec failure resulting from a broader re-tasking of existing APT threat actors in response to an unprecedented global crisis," said the infoseccers. ®