Surge In PlugX Malware Use Points Towards Chinese Nation-State Activity
Taiwan was buffeted during April by a three-day surge in malicious emails that increased to four times the usual amount, a reflection of increased tensions in the Taiwan Strait, say threat analysts.
The surge came on the heels of a January spike in extortion emails aimed at Taipei government officials that peaked at 30 times the normal count, says Trellix.
The threat intelligence firm doesn’t definitively tie the activity to Chinese state threat groups but says the wider context of renewed Beijing-induced tensions with its island neighbor is inescapable. “Geopolitical conflicts are one of the main drivers for cyber-attacks on a variety of industries and institutions,” said Joseph Tal, a Trellix senior vice president.
The April wave of malicious emails, designed to make recipients click on malicious links and attachments, was sent by fraudsters impersonating law firms, vendors, and suppliers. The bait included fake payment-overdue notifications and purchase orders.
Fraudsters also spoofed major brands’ login pages and targeted company-specific pages to harvest credentials. Following the malicious email wave, Trellix observed a fifteen-fold increase between April 10 and April 12 in PlugX infections. The U.S. federal government has linked the remote access tool to threat actors associated with the Chinese Ministry of State Security. Cybersecurity company Secureworks in 2022 spotted the Chinese state threat group known as Bronze President, also tracked as Mustang Panda, using an updated variant of PlugX in attacks aimed at Russian government officials (see: China Spies on Russians; Microsoft Details Ukraine Attacks).
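The surges described above (four times the usual email volume, a fifteen-fold jump in PlugX detections over three days) are the kind of signal a security operations team can catch with a simple baseline comparison. The following is an added example, not code from Trellix or from this article: it flags any day whose detection count exceeds a multiple of the trailing median of recent normal days, and excludes spike days from the baseline so that a multi-day surge does not hide its own later days. The daily counts are constructed sample data, not real figures.

```python
"""Volume-spike detector over daily detection counts (added example).

Flags days whose count exceeds `factor` times a trailing median baseline,
the kind of anomaly the reporting describes (4x email volume, 15x PlugX hits).
"""
from datetime import date, timedelta
from statistics import median

# Constructed sample data: one count per day for a single detection class
# (for example "PlugX" hits reported by an endpoint product). Not real figures.
SAMPLE_COUNTS = [
    (date(2023, 4, 1) + timedelta(days=i), c)
    for i, c in enumerate([12, 10, 11, 13, 9, 12, 11, 10, 14, 150, 180, 165, 13, 11])
]


def detect_spikes(series, window=7, factor=4.0, min_baseline=1.0):
    """Return a list of (day, count, ratio) for days at or above factor * baseline.

    series:       iterable of (day, count) in chronological order.
    window:       number of prior normal days whose median forms the baseline.
    factor:       multiple of the baseline that counts as a spike.
    min_baseline: floor on the baseline so a quiet week cannot make a
                  handful of hits look like a huge multiple.

    Spike days are not fed back into the baseline, so day two and day three
    of a surge are still measured against the pre-surge normal.
    """
    normal_days = []   # counts from days judged normal, in order
    spikes = []
    for day, count in series:
        if len(normal_days) >= window:
            baseline = max(median(normal_days[-window:]), min_baseline)
            ratio = count / baseline
            if ratio >= factor:
                spikes.append((day, count, round(ratio, 1)))
                continue  # do not let the spike pollute the baseline
        normal_days.append(count)
    return spikes


def peak_multiple(series, **kwargs):
    """Largest spike ratio seen in the series, or 0.0 if no day spiked."""
    spikes = detect_spikes(series, **kwargs)
    return max((ratio for _, _, ratio in spikes), default=0.0)


if __name__ == "__main__":
    for day, count, ratio in detect_spikes(SAMPLE_COUNTS):
        print(f"{day}: {count} detections, {ratio}x the trailing baseline")
    print(f"peak multiple: {peak_multiple(SAMPLE_COUNTS)}x")
```

On the constructed data the detector reports three consecutive spike days, each roughly fifteen times the pre-surge baseline, which is how a three-day surge like the one described above would surface in daily telemetry. The `window` and `factor` parameters are tuning choices, not values from the article.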
Trellix said it also observed threat actors using the Kryptik and Zmutzy malware families in attacks aimed at Taiwanese entities. Kryptik uses anti-emulation, anti-debugging, and code obfuscation to hinder analysis, and Zmutzy is an info-stealer that collects credentials and other files from infected systems so its operators can spy on victims.
A China-based hacktivist group calling itself APT27_Attack claimed responsibility for most of the attacks, but Trellix researchers believed it to be a false-flag operation, because the group’s attack patterns differed significantly from APT27’s more clandestine activity.