TA416: Activity, Techniques, & Targeting Explained | Proofpoint US

Proofpoint researchers link TA416 to ongoing European-targeted campaigns using web bugs to profile victims before delivering PlugX payloads, with recent activity showing updates to the PlugX variant and its delivery chain. The operator impersonates diplomatic entities via SMTP2Go and relies on DLL search order hijacking, base64 encoding, and RC4-encrypted C2 communications, signaling a continued refinement of TA416’s toolkit amid geopolitical tensions. #TA416 #PlugX #RedDelta #SMTP2Go #EuropeanDiplomaticEntities #UN

Keypoints

  • TA416, a China-aligned APT, is targeting European diplomatic entities, including personnel involved in refugee and migrant services.
  • The campaigns use web bugs (tracking pixels) to profile recipients before sending malicious URLs that deliver PlugX payloads.
  • There is a notable shift from broad phishing to more discerning targeting: profiling recipients before delivering malware increases campaign efficacy.
  • TA416 has updated its PlugX variant, changing encoding methods and expanding configuration capabilities to enable more precise exfiltration and evasion.
  • Delivery chains combine legitimate PE files (PotPlayer, FontEDL, etc.) used for DLL search order hijacking to install PlugX via a Trident Loader workflow.
  • Impersonation of UN/Diplomatic entities via SMTP2Go and decoy documents (PDF/ZIP) are frequently used in spearphishing campaigns.
  • PlugX communications to C2 use RC4 encryption with dynamic keys and HTTP-based channels, alongside obfuscation and runtime API resolution to hinder analysis.

MITRE Techniques

  • [T1566.002] Spearphishing Link – TA416 uses web bug URLs and malicious delivery links embedded in emails to profile targets before malware delivery. Quote: “…web bugs to profile the victims before sending a variety of PlugX malware payloads via malicious URLs.”
  • [T1105] Ingress Tool Transfer – The dropper retrieves Trident Loader components and PlugX payloads from actor-controlled resources. Quote: “the dropper… initiates the download of four components.”
  • [T1574.001] DLL Search Order Hijacking – The infection chain uses legitimate PE files to trigger DLL search order hijacking and load PlugX DLLs (PotPlayer.exe, FontEDL.exe, DocConvDll.dll, etc.). Quote: “DLL Search Order Hijacking that displays a PDF decoy.”
  • [T1071.001] Web Protocols – TA416’s PlugX traffic uses HTTP-based C2 communications. Quote: “The January 2022 version… communicates with the C2 server” and “PlugX malware communicated with the C2 server 92.118.188[.]78 over port 187”.
  • [T1027] Obfuscated/Compressed Files and Information – The PlugX variant and its payloads employ obfuscation, runtime API hashing, and XOR state machine-based control flow to hinder analysis. Quote: “The latest version contains obfuscation to thwart analysis.”
  • [T1132.001] Data Encoding – Base64 encoding is used to encode target emails within web bug resources. Quote: “base64 encoded values of the entire email address.”
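As an added illustration (not code from the Proofpoint report), the profiling stage described under T1566.002 and T1132.001 can be hunted for in web proxy logs by decoding URL path segments and query values that base64-encode an e-mail address. The log lines, hostnames and client addresses below are constructed for the example.

```python
import base64
import re
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

def _b64(s: str, urlsafe: bool = False) -> str:
    enc = base64.urlsafe_b64encode if urlsafe else base64.b64encode
    return enc(s.encode()).decode()

# Constructed proxy log lines (hypothetical hosts/addresses, not from the report):
# <timestamp> <client> <method> <url> <status>
SAMPLE_LOG = "\n".join([
    f"2024-01-10T09:12:01Z 10.0.0.5 GET http://tracker.example/img/{_b64('jsmith@embassy.example', True)}/pixel.gif 200",
    "2024-01-10T09:12:03Z 10.0.0.5 GET http://cdn.example/static/logo.png 200",
    f"2024-01-10T09:12:07Z 10.0.0.9 GET http://tracker.example/o.php?u={quote(_b64('maria.lopez@un.example'))} 200",
])

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{12,}$")   # looks like base64, standard or URL-safe

def decode_if_email(token: str) -> Optional[str]:
    """Return the address if token is base64 for an e-mail address, else None."""
    if not TOKEN_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)   # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if EMAIL_RE.match(text):
            return text
    return None

def encoded_emails_in_url(url: str) -> list[str]:
    """Every path segment or query value of url that decodes to an e-mail address."""
    parts = urlsplit(url)
    tokens = [unquote(seg) for seg in parts.path.split("/") if seg]
    tokens += [unquote(p.partition("=")[2]) for p in parts.query.split("&") if p]
    return [e for t in tokens if (e := decode_if_email(t))]

def find_web_bug_hits(log_text: str) -> list[tuple[str, str, str]]:
    """(client, url, decoded e-mail) for each request carrying an encoded address."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        for email in encoded_emails_in_url(fields[3]):
            hits.append((fields[1], fields[3], email))
    return hits

if __name__ == "__main__":
    for client, url, email in find_web_bug_hits(SAMPLE_LOG):
        print(f"{client} fetched a resource encoding {email}: {url}")
```

A hit ties a recipient address to the client that rendered the message, which is exactly the profiling signal the campaign collects; alerting on it lets defenders identify targeted mailboxes before the follow-on malicious URL arrives.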

Indicators of Compromise

  • [URL] Malicious Delivery URL – 45.154.14[.]235/State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.zip, and various Dropbox URLs delivering ZIPs/PDFs with PlugX payloads
  • [IP] Actor-Controlled IP – 103.107.104[.]19, 92.118.188[.]78, 69.90.184[.]125, 45.154.14[.]235
  • [Domain] Actor-Controlled Domain – www.zyber-i[.]com, upespr[.]com
  • [File] Executable File – PotPlayer.exe, FontEDL.exe, PotPlayer.dll, DocConvDll.dll
  • [File] DLL Loader – PotPlayer.dll, DocConvDll.dll, FontEDL.exe (DLL Loader variants)
  • [File] DAT/Payload – PotPlayerDB.dat, FontLog.dat (PlugX payload/configuration)
  • [Hash] File Hash – 6fd9d745faa77a58ac84a5a1ef360c7fc1e23b32d49ca9c3554a1edc4d761885 (Malicious PE Dropper)
  • [Archive] ZIP/Archive – State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.zip

Read more: https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european