A Chinese-speaking cybercrime group, tracked as TA4922, has expanded its targeting to Europe. The threat actor is associated with financially motivated attacks aimed at breaching target networks for fraud, data theft, and the sale of access.
TA4922 has previously targeted organizations in East Asia but recent campaigns have focused on entities in Germany, Italy, the United Kingdom, and South Africa. Researchers at cybersecurity company Proofpoint note that TA4922 shares overlaps with activity previously reported as ‘Silver Fox’ and ‘Void Arachne’. However, the activity cluster is tracked separately as it is more consistent with cybercrime than espionage.
Rapid Expansion of Malware Arsenal
Since March, TA4922’s activity has increased sharply, and since April, it has shown unprecedented operational diversity and high tempo. “TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives,” Proofpoint says in a report today.
New Malware and Tactics
The attacker uses localized phishing lures crafted to appear as payroll notices, tax audits, VAT filings, government compliance notices, invoices, and human resources communications. The threat group also attempts to contact victims via WhatsApp, the LINE messenger, and Microsoft Teams. Proofpoint reports that TA4922 has significantly expanded its malware arsenal and believes the hackers may be using large language models (LLMs) to accelerate malware development.
Atlas RAT and Other Malware
The researchers discovered a new remote access trojan called Atlas RAT, which offers attackers the following capabilities:
* Remote access to compromised systems
* File management and transfer
* System information gathering
* Keylogging
The malware features several anti-sandbox and anti-analysis checks, including looking for usernames and registry keys associated with Microsoft Defender Application Guard, the “CExecSvc” service, and OS UUID.
Other Malware Deployed by TA4922
Proofpoint also identified a new malware loader named RomulusLoader, which downloads and executes additional payloads using process hollowing, shellcode injection, and direct execution. RomulusLoader was deployed to launch legitimate remote management tools such as AnyDesk and SyncFuture, a remote monitoring software tool popular in China.
Additionally, the researchers spotted the deployment of SilentRunLoader, a Python-based loader and information stealer that steals from Google Chrome credentials, cookies, and browsing data. That malware was deployed against organizations in the United Kingdom and Southeast Asia, using lures that impersonated government services.
Conclusion
TA4922 is responsible for “more unique campaigns” than any other threat actor Proofpoint tracks. The group is moving quickly and uses multiple lures. According to the researchers, the capabilities of the malware used by this actor have “the potential for surveillance which could be used by or sold to espionage groups.”
Source: Original article