TA413


Proofpoint researchers observed a phishing campaign impersonating the World Health Organization’s (WHO) guidance on COVID-19 critical preparedness to deliver a new malware family that researchers have dubbed Sepulcher. This campaign targeted European diplomatic and legislative bodies, non-profit policy research organizations, and global organizations dealing with economic affairs. Additionally, a sender email identified in this campaign has been linked to historic Chinese APT targeting of the international Tibetan community using payloads linked to LuckyCat malware.

Subsequently, a phishing campaign from July 2020 targeting Tibetan dissidents was identified delivering the same strain of Sepulcher malware. Operator email accounts identified in this campaign have been publicly linked to historic Chinese APT campaigns targeting the Tibetan community delivering ExileRAT malware.

Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, Proofpoint researchers have attributed both campaigns to the APT actor TA413, which has previously been documented in association with ExileRAT. The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413’s targets of interest. While best known for its campaigns against the Tibetan diaspora, this APT group, associated with Chinese state interests, prioritized intelligence collection around Western economies reeling from COVID-19 in March 2020 before resuming more conventional targeting later this year.


Associated Families
apk.luckycat win.exilerat win.sepulcher

References
2020-09-02, Proofpoint: Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe
https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic
Tags: Sepulcher, TA413

2019-02-04, Cisco (Warren Mercer, Paul Rascagnères, Jaeson Schultz): ExileRAT shares C2 with LuckyCat, targets Tibet
https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html
Tags: LuckyCat, Exile RAT

Credits: MISP Project