Guide de survie contre les ransomwares - Protection contre les menaces

Threat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages

In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. To date, Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay. 

Below are recent lure examples, message volume, geo targeting, and payload details. While lures are customized for various geographies and impersonate individuals associated with the spoofed entities, no vertical targeting has been observed. This actor typically delivers malware via malicious attachments, though URLs linking to malicious files were used as a delivery mechanism in early campaigns. TA2719 often relies on widely available resources, such as commodity malware and free hosting providers, to execute their campaigns.  

 

Lures 

Most lures observed appear to be from a real person with a connection to the spoofed organization. Even details like the street address in the alleged sender’s signature are often accurate. Combined with the branding, these details attempt to boost legitimacy of the message. They could still appear legitimate to an intended recipient who chooses to search for the sender’s name or address before opening the attached file or clicking a link in the message. 

Campaigns observed during March-May 2020 were primarily law enforcement-themed. Using local languages and logos from local law enforcement agencies, the subject lines often attempted to create urgency by claiming, “ข้อความด่วนจากสำนักงานตำรวจแห่งชาติ (Urgent message from the Royal Thai Police),” or “Последната полициска покана пред апсењето (The last police invitation before the arrest)” (Figures 1, 2). 
 
Figure 1 Thai Police Email Lure
Figure 1: Email lure spoofing Royal Thai Police 

 

Figure 2 North Macedonian Police Email Lure
Figure 2: Email lure impersonating the Police of North Macedonia, appearing to come from the State Secretary of the North Macedonian Ministry of Internal Affairs 

 

In addition to law enforcement-themed lures, some messages sent during this time spoofed shipping notifications. One early campaign also preyed on COVID-19 fears and impersonated the Taiwan Centers for Disease Control (Figure 3). This campaign was notable not only because of the theme, but also because it leveraged both URLs and attachments to deliver the payload. Typically, TA2719 uses attachments or URLs, but rarely a mix of both in a single campaign.  
 

Figure 3 CDC Email Lure
Figure 3: Email lure impersonating the Taiwan Centers for Disease Control and appearing to be from its director, Jih-Haw Chou 

 

In early June 2020, Proofpoint observed a shift away from law enforcement lures as TA2719 began to use more common bank, shipping, and purchase order lures (Figures 4, 5). 

Figure 4 SEB Email Lure
Figure 4: Swedish email lure impersonating SEB, with subject, “incoming payment notification from a third party bank” 

 

Figure 5 Orascom Trading Email Lure
Figure 5: Email lure with fraudulent purchase order from Orascom Trading 

 

Lures continued to be bank-themed in late June, with subjects like, “Εισερχόμενη επιταγή πληρωμής (Incoming payment notification)” (Figure 6). 

Figure 6 Attica Bank Email Lure
Figure 6: Email lure impersonating a Greek bank 

 

As of mid-July, TA2719 shifted to exclusively using package delivery lures, impersonating shipping companies and using subject lines like, “Your parcel from Mrs. Garn has arrived at our office,” or “您从中国寄来的包裹已经到了我们办公室(陈先生的包裹)”(The package you sent from China has arrived at our office (Mr. Chen's package)” (Figure 7). 

Figure 7 DHL Email Lure
Figure 7: Email lure with fraudulent package notification 

 

Volume 

Campaign message volume has been relatively low, with a few dozen or few hundred messages per campaign. Total monthly message volume peaked in May but has since returned to levels closer to those observed in March and April. Since late March, Proofpoint has observed several TA2719 campaigns per month. The message volume spike in May was driven by fewer campaigns with over 2,000 messages each, rather than multiple smaller campaigns seen in other months.  

Smaller graph of message volume by month

 

 
Targeting 

Though the campaigns don’t appear to have any vertical targeting, they are carefully crafted for specific regions. Various languages and references to legitimate local entities, such as banks or law enforcement organizations, have been observed: 

Country 

Language 

Lure Themes Observed 

Austria 

German 

Police 

Chile 

Spanish 

Shipping 

Greece 

Greek 

Police, banking 

Hungary 

Hungarian 

Police, banking 

Italy 

Italian 

Police 

Netherlands 

Dutch 

Police 

North Macedonia 

Macedonian 

Police, shipping 

Singapore 

English 

Police 

Spain 

Spanish 

Police, shipping 

Sweden 

Swedish 

Police, banking 

Taiwan 

Chinese 

CDC, shipping 

Thailand 

Thai 

Police 

Uruguay 

Spanish 

Police 

United States 

English 

Shipping 

Intended recipients often have easily searchable profiles online, and TA2719 also sends to role-based email addresses. This suggests that there is little targeting at the individual recipient level, but that the recipient lists may be more opportunistic in nature and compiled using basic OSINT techniques. 
 

Delivery and Payload 

From March to early July, NanoCore was distributed primarily through emailed ISO file attachments. Several campaigns instead used URLs linking to malicious ISO files. Finally, sometimes the actor attempted to deliver a mix of attachments and URLs in the same email. When using URLs, ISO files were hosted on compromised sites or file hosting services.  

In mid-July, the actor pivoted from distributing NanoCore to AsyncRAT, another commodity RAT. Like NanoCore, AsyncRAT has been advertised on forums and as of May 2020, appears to still be under active development with new features released May 10, 2020.  

Across all campaigns observed by Proofpoint, the ISO files had a generic name, such as ‘Document.iso’ or ‘pdf.iso’. Once the user opens the ISO–which opens like any other folder on the computer–they then must double click the malware executable file inside to run it. 

The C&C hostnames and IPs used by TA2719 appear to be relatively stable, changing roughly once per month. This actor sometimes uses free dynamic DNS (DDNS) providers for their C&C. 

 

Conclusion 

While not the most advanced lures we’ve seen, the localization and inclusion of legitimate street addresses and names of real individuals related to the spoofed entities demonstrate this actor’s attention to detail. Though TA2719 does not appear to target any particular industry, they tailor their messages to various geographies and send medium-volume campaigns several times per month. Their use of free DDNS providers, reuse of infrastructure, and reliance on commodity malware demonstrate the ease with which threat actors can begin and maintain an operation.  

  

IOCs 

NanoCore  
Attachment SHA256: 6489bbcdd9e0588d6e4ee63e5f66346e7d690ac3b7ee5249436fb1db8abc6453 
Malware SHA256:  1b93790c002d5216822277c6b8abb36dfd5daf9ebc14553135c992f64f8d949e 
C&Cs: 172.111.188[.]199, megaida123.ddns.net 

AsyncRAT 
Attachment SHA256: 161eaa18e31aec64433158da81eea99e518659e06ed36e2052508a7cbeb688c6 
Malware SHA256:  bcc0be90110b3b960230a366f1be67904704f87645ff5fde69536432d73feace 
C&C: 194.5.98[.]8 

 

ET + ETPRO Signatures 

NanoCore: 
ETPRO MALWARE NanoCore RAT Keep-Alive Beacon - 2816718 

AsyncRAT: 
ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT Server) - 2836595 
 

Additional References 

Vendetta-new threat actor from Europe 

Fake emails in the name of the Spanish national police