TA459

Description

(Proofpoint) On April 20 [2017], Proofpoint observed a targeted campaign focused on financial analysts working at top global financial firms operating in Russia and neighboring countries. These analysts were linked by their coverage of the telecommunications industry, making this targeting very similar to, and likely a continuation of, activity described in our “In Pursuit of Optical Fibers and Troop Intel” blog. This time, however, attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan, which in turn downloaded the PlugX Remote Access Trojan (RAT).

Proofpoint is tracking this attacker, believed to operate out of China, as TA459. The actor typically targets Central Asian countries, Russia, Belarus, Mongolia, and others. TA549 possesses a diverse malware arsenal including PlugX, NetTraveler, and ZeroT.

Names

Name	Name-Giver
TA459	Proofpoint

Country

China

Motivation

Information theft and espionage

First Seen

2017

Observed Sectors

Observed Countries

Tools

Operations

2022-04: Tracing State-Aligned Activity Targeting Journalists, Media https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists

Information

https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts

Mitre Attack

https://attack.mitre.org/groups/G0062/

Other Information

Uuid

da14ab64-16ed-4d61-93a7-69cf3f06115d

Last Card Change

2022-07-20

Threat Intelligence Garden

Explorer

TA459

TA459

Description

Names

Country

Motivation

First Seen

Observed Sectors

Observed Countries

Tools

Operations

Information

Mitre Attack

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks