skip to Main Content

Cyber Espionage, Chinese APT TA413 spreads a new RAT: Sepulcher

Proofpoint: Chinese APT TA413 is spreading a new RAT dubbed Sepulcher. The malware has been distributed in two different campaigns. One that targeted numerous organisations in Eu. The other, was against the Tibetan dissidents

Chinese APT TA413 is spreading a new RAT dubbed Sepulcher. It has been discovered by Proofpoint cyber security experts. The state sponsored hackers exploit a spear phishing campaign to distribute the malware. In past six months there have been two separate campaigns. The first, in March, targeted European diplomatic and legislative bodies, non-profit policy research organizations and global organizations dealing with economic affairs. The second, in July, was against the Tibetan dissidents. In the latter half of March 2020, researchers identified a malicious email sent to numerous entities involved with economic policy and forecasting within Europe. The message contained a weaponized RTF attachment that impersonated the WHO’s “Critical preparedness, readiness and response actions for COVID-19, Interim guidance” document. When it is executed, it installs an embedded malicious RTF object in the form of a Windows meta-file (WMF), that ultimately results in the delivery and installation of Sepulcher.

How the Tibetan dissidents campaign worked

According the cyber security experts, a subsequent email campaign delivering this malware was identified on July 27, 2020. The email included a malicious PowerPoint (PPSX) attachment conspicuously named “TIBETANS BEING HIT BY DEADLY VIRUS THAT CARRIES A GUN AND SPEAKS CHINESE.ppsx”. The SMTP header From field impersonated the “Women’s Association Tibetan,” while the attachment, once opened, referenced “Tibet, Activism and Information”. When the PowerPoint attachment is executed, it calls out to the IP 118.99.13[.]4 to download a Sepulcher malware payload named “file.dll”. Additionally, the distinct C2 request hxxp://118.99.13[.]4:1234/qqqzqa that occurs at that time has been seen previously in association with Chinese APT TA413 malware campaigns. Upon the delivery of the payload “file.dll” it is saved as “credential.dll” and executed resulting in a C2 communication with the domain Dalailamatrustindia.ddns[.]net.

The capabilities of the malware according the cyber security experts

Sepulcher malware has seven work modes that include conducting reconnaissance on an infected host, spawning a reverse command shell, reading from file, and writing to file. More granularly, additional commands exist within the intelligence gathering/reconnaissance work modes (1002, 1003, 1004) which carry out reconnaissance functionality within the infected host. These include obtaining information about the drives, file information, directory statistics, directory paths, directory content, running processes, and services. Additionally, it is capable of more active functionalities like deleting directories and files, creating directories, moving file source to destination, spawning a shell to execute commands, terminating a process, restarting a service, changing a service start type, and deleting a service.

Back To Top