Google’s Threat Analysis Group (TAG) has provided some details about the tactics of the APT31 group linked to the Chinese government, the same group that targeted, albeit unsuccessfully, the presidential campaign of former Vice President Joe Biden with a phishing attack in June this year.
While tracking APT31 activity, the TAG researchers observed the group deploy targeted malware campaigns. In one instance, the hackers launched phishing attacks with emails containing links to Python-based malware hosted on GitHub; the malware allowed the attackers to upload and download files on compromised networks, as well as execute arbitrary commands. The implant used Dropbox for command and control.
“Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection,” TAG said.
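The point TAG makes is that blocking GitHub or Dropbox is rarely an option, so detection has to come from how a client uses those services rather than from the destination alone. The following is an added example, not code from TAG or from the report: it correlates, per client, a download from a code-hosting domain with repeated Dropbox API requests carrying a scripting User-Agent, over a constructed proxy log. The domain lists, the User-Agent prefixes and the log format are assumptions to be tuned to your own environment.

```python
import csv
import io
from collections import defaultdict

# Constructed sample proxy log (CSV), not taken from TAG's report. Client 10.0.0.5 mimics
# the pattern described: a Python implant fetched from GitHub, then Dropbox API traffic
# from a scripting HTTP stack. 10.0.0.7 is a browser user; 10.0.0.9 runs the Dropbox client.
SAMPLE_LOG = """timestamp,src_ip,dest_host,user_agent
2020-10-16T09:00:01,10.0.0.5,raw.githubusercontent.com,Mozilla/5.0 (Windows NT 10.0) Chrome/86.0
2020-10-16T09:00:09,10.0.0.5,api.dropboxapi.com,python-requests/2.24.0
2020-10-16T09:05:09,10.0.0.5,api.dropboxapi.com,python-requests/2.24.0
2020-10-16T09:10:10,10.0.0.5,content.dropboxapi.com,python-requests/2.24.0
2020-10-16T09:01:00,10.0.0.7,github.com,Mozilla/5.0 (Windows NT 10.0) Chrome/86.0
2020-10-16T09:02:00,10.0.0.7,www.dropbox.com,Mozilla/5.0 (Windows NT 10.0) Chrome/86.0
2020-10-16T09:03:00,10.0.0.9,api.dropboxapi.com,Dropbox-Desktop-Client/107.4.450
"""

# Assumed domain sets; extend to whatever code-hosting and storage services you see in use.
CODE_HOSTING = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
DROPBOX_API = {"api.dropboxapi.com", "content.dropboxapi.com"}
# User-Agent prefixes of common scripting HTTP stacks. This is an assumption for the
# example, not an indicator published by TAG; legitimate automation may match too.
SCRIPT_AGENTS = ("python-requests/", "python-urllib/", "curl/", "wget/")


def is_script_agent(user_agent):
    """True when the User-Agent looks like a script rather than a browser or desktop app."""
    return user_agent.lower().startswith(SCRIPT_AGENTS)


def find_suspicious_hosts(log_text, min_beacons=2):
    """Return {src_ip: reason} for clients that both fetched from a code-hosting domain
    and made at least min_beacons Dropbox API requests with a scripting User-Agent."""
    per_ip = defaultdict(lambda: {"fetch": False, "beacons": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        rec = per_ip[row["src_ip"]]
        if row["dest_host"] in CODE_HOSTING:
            rec["fetch"] = True
        elif row["dest_host"] in DROPBOX_API and is_script_agent(row["user_agent"]):
            rec["beacons"] += 1
    hits = {}
    for ip, rec in per_ip.items():
        if rec["fetch"] and rec["beacons"] >= min_beacons:
            hits[ip] = f"code-hosting download and {rec['beacons']} scripted Dropbox API requests"
    return hits


if __name__ == "__main__":
    for ip, why in find_suspicious_hosts(SAMPLE_LOG).items():
        print(ip, why)  # → 10.0.0.5 code-hosting download and 3 scripted Dropbox API requests
```

Browser and desktop-client traffic to the same domains is left alone, which is what keeps the rule usable where these services are sanctioned; the remaining false positives are internal automation, which a short allow-list of known script hosts handles.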
In another campaign, the hackers impersonated McAfee anti-virus software in order to install malicious code on the victim’s system.
The TAG team did not reveal who was affected by APT31’s latest attacks, but they mentioned that they’ve “seen increased attention on the threats posed by APTs in the context of the U.S. election.”
Google has also warned of an increase in attacks by North Korean groups against COVID-19 researchers and pharmaceutical companies.
“One campaign used URL shorteners and impersonated the target’s webmail portal in an attempt to harvest email credentials. In a separate campaign, attackers posed as recruiting professionals to lure targets into downloading malware,” the blog post said.