A Chinese-speaking cybercriminal group has expanded its targeting to European regions and deployed previously undocumented malware and the Atlas backdoor.
The threat actor, tracked as TA4922, is linked to financially motivated attacks aimed at infiltrating target networks for fraud, data theft, and selling access.
TA4922 has historically targeted organizations in East Asia, but recent campaigns have focused on organizations in Germany, Italy, the UK, and South Africa.
Researchers at cybersecurity firm Proofpoint note that TA4922 activity overlaps with activity previously reported as “Silver Fox” and “Void Arachne.” However, the activity clusters are more consistent with cybercrime than espionage and are therefore tracked separately.
Since March, TA4922’s activity has increased rapidly, and since April it has shown unprecedented operational diversity and a high tempo.
“TA4922 is currently conducting more unique campaigns than any other cybercrime actor tracked in Proofpoint threat data, demonstrating a high operational tempo, diverse lures, and multiple targets,” Proofpoint said in today’s report.
“Although the attackers are assessed to be financially motivated, the malware’s functionality includes surveillance capabilities and could be used or purchased by espionage groups.”
Attackers use localized phishing lures disguised as payroll notifications, tax audits, VAT returns, government compliance notices, invoices, HR communications, and more.
The threat group also attempts to contact victims via WhatsApp, LINE Messenger, and Microsoft Teams.

Source: Proofpoint
Atlas RAT and custom loaders
Proofpoint reports that TA4922 has significantly expanded its malware arsenal and believes the hackers may be using large language models (LLMs) to accelerate malware development.
This conclusion is based on the presence of placeholder values, code comments, and patterns commonly associated with AI-generated code.
Proofpoint’s report focuses on Atlas RAT, a recently identified remote access Trojan that provides attackers with the following capabilities:
- System reconnaissance
- Targeted file theft
- Downloading plugins and payloads
- Keylogging
- Screenshot capture
- Audio and webcam recording
- System shutdown/restart commands
The malware features several anti-sandbox and anti-analysis checks, including checks for Microsoft Defender Application Guard and the ‘CExecSvc’ service, and searches for usernames and registry keys associated with OS UUIDs.

Source: Proofpoint
Researchers also discovered a new malware loader named RomulusLoader. The loader uses process hollowing, shellcode injection, and direct execution to download and run additional payloads.
RomulusLoader was used to launch legitimate remote administration tools such as AnyDesk and SyncFuture, a popular remote monitoring software tool in China. Oddly enough, the latter was used in attacks targeting German entities.

Source: Proofpoint
Proofpoint also identified a Python-based loader and information stealer called SilentRunLoader that steals Google Chrome credentials, cookies, and browsing data.
The malware was deployed against organizations in the UK and Southeast Asia using decoys impersonating government services.
Finally, researchers discovered the deployment of Winos4.0, a previously documented malware family tracked by Proofpoint as ValleyRAT that provides operators with a complete set of remote access capabilities.
Proofpoint said TA4922 is running “more unique campaigns” than other threat actors it tracks. The group moves quickly and uses multiple lures.
Researchers said the malware used by the attackers has “surveillance capabilities that could be used by or sold to espionage groups.”
Proofpoint’s report includes indicators of compromise for the malware and the command-and-control (C2) infrastructure used in the TA4922 attacks.