A cybercriminal group proficient in Chinese has widened its scope to target European entities by employing previously undisclosed malware and the Atlas backdoor.
Known as TA4922, this threat actor is linked to financially driven attacks that aim to gain access to corporate networks for fraud, data exfiltration, and the sale of unauthorized access.
While TA4922 has historically focused on organizations in East Asia, recent endeavors have shifted towards targeting institutions in Germany, Italy, the United Kingdom, and South Africa.
Experts at cybersecurity firm Proofpoint have observed that TA4922 exhibits similarities with activities previously attributed to ‘Silver Fox’ and ‘Void Arachne’. However, this specific cluster of activity is tracked separately because it aligns with cybercrime rather than espionage.
Recently, TA4922’s operations have notably intensified, showcasing unprecedented versatility and a rapid pace since March.
“TA4922 is currently executing a higher number of distinct campaigns compared to any other known cybercrime threat actor in our threat data, illustrating a high operational tempo, a range of bait techniques, and multiple objectives,” as stated in Proofpoint’s latest report.
“While the actor is primarily driven by financial motives, the malware’s functionalities suggest potential surveillance capabilities, which could be utilized by or sold to espionage groups.”
The attackers utilize localized phishing baits designed to mimic payroll notifications, tax audits, VAT submissions, government compliance alerts, invoices, and human resources communications.
In addition, the threat group attempts to engage victims through WhatsApp, LINE messenger, and Microsoft Teams.
Image: German-language lure (Source: Proofpoint)
Insights on Atlas RAT and Custom Loaders
Proofpoint’s findings reveal that TA4922 has significantly expanded its arsenal of malware, suggesting that the hackers may be leveraging large language models (LLMs) to expedite malware development.
This hypothesis stems from the identification of placeholder values, code annotations, and patterns commonly associated with AI-generated code.
Proofpoint’s report sheds light on Atlas RAT, a recently discovered remote access trojan that equips attackers with the following functionalities:
System reconnaissance
Targeted file theft
Plugin and payload downloads
Keylogging
Screenshot capturing
Audio and webcam recording
System shutdown/reboot commands
The malware incorporates several anti-sandbox and anti-analysis checks, including checks for usernames and registry keys associated with Microsoft Defender Application Guard, for the “CExecSvc” service, and for the OS UUID.
Image: Checks performed by the Atlas RAT loader (Source: Proofpoint)
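For a detection-engineering or malware-analysis team, the practical use of this list is to make sure the analysis VM does not expose those artifacts, otherwise the loader stops before the interesting behaviour is observed. The script below is an added example written for this article, not Proofpoint's code and not taken from the report: it models the four check categories the report names (username, Application Guard registry keys, the CExecSvc service, OS UUID) and reports which ones a given host would trip. The specific usernames, the `HKLM\SOFTWARE\Microsoft\Hvsi` registry path, and the "synthetic UUID" heuristic are constructed assumptions that stand in for the values the report actually documents; the `HostProfile` dataclass and the `audit` and `collect_local_profile` helpers are this example's own names.

```python
"""Audit an analysis VM for the artifacts the Atlas RAT loader is reported to
check before running: the username, registry keys tied to Microsoft Defender
Application Guard, the CExecSvc service and the OS UUID.

Added example, not Proofpoint's code. The four categories come from the
report; every concrete value below is a constructed assumption.
"""
import getpass
import platform
import subprocess
from dataclasses import dataclass, field

# ASSUMPTION: account names common on public sandboxes; the report does not
# publish the loader's own list, so replace these with the published values.
SUSPECT_USERNAMES = {"sandbox", "malware", "virus", "sample", "test", "user", "admin"}

# ASSUMPTION: registry path believed to belong to Application Guard's Hyper-V
# isolation feature; treat it as a placeholder for the keys named in the report.
APP_GUARD_KEYS = {r"HKLM\SOFTWARE\Microsoft\Hvsi"}

# Named in the report: the container execution service present inside Windows containers.
CONTAINER_SERVICE = "CExecSvc"


@dataclass
class HostProfile:
    username: str
    registry_keys: set = field(default_factory=set)
    services: set = field(default_factory=set)
    os_uuid: str = ""


def uuid_looks_synthetic(uuid: str) -> bool:
    """ASSUMPTION: an empty UUID, or one made of a single repeated hex digit
    (all zeros, all Fs), is what hypervisor defaults and hand-built images
    often expose, so it is a cheap tell for 'not a real workstation'."""
    hexdigits = uuid.replace("-", "").upper()
    return len(set(hexdigits)) <= 1


def audit(profile: HostProfile) -> list:
    """Return one finding per artifact that would let the loader single out this host."""
    findings = []
    if profile.username.lower() in SUSPECT_USERNAMES:
        findings.append(f"username '{profile.username}' is on the suspect list")
    for key in sorted(profile.registry_keys & APP_GUARD_KEYS):
        findings.append(f"Application Guard registry key present: {key}")
    if CONTAINER_SERVICE.lower() in {s.lower() for s in profile.services}:
        findings.append(f"container service '{CONTAINER_SERVICE}' is installed")
    if uuid_looks_synthetic(profile.os_uuid):
        findings.append(f"OS UUID '{profile.os_uuid or '<empty>'}' looks synthetic")
    return findings


def collect_local_profile() -> HostProfile:
    """Best-effort collection; on non-Windows hosts only the username is filled in."""
    profile = HostProfile(username=getpass.getuser())
    if platform.system() != "Windows":
        return profile
    import winreg  # Windows-only standard-library module
    for key in APP_GUARD_KEYS:
        subkey = key.split("\\", 1)[1]  # drop the HKLM\ prefix
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey))
            profile.registry_keys.add(key)
        except OSError:
            pass
    if subprocess.run(["sc", "query", CONTAINER_SERVICE], capture_output=True).returncode == 0:
        profile.services.add(CONTAINER_SERVICE)
    ps = subprocess.run(["powershell", "-NoProfile", "-Command",
                         "(Get-CimInstance Win32_ComputerSystemProduct).UUID"],
                        capture_output=True, text=True)
    profile.os_uuid = ps.stdout.strip()
    return profile


# Constructed profile of a carelessly built sandbox, for demonstration only.
SAMPLE_SANDBOX = HostProfile(
    username="sandbox",
    registry_keys={r"HKLM\SOFTWARE\Microsoft\Hvsi"},
    services={"CExecSvc", "Spooler"},
    os_uuid="00000000-0000-0000-0000-000000000000",
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_SANDBOX):
        print("sample sandbox:", finding)
    for finding in audit(collect_local_profile()):
        print("this host:", finding)
```

Run it inside the analysis VM; every finding is an artifact to rename, remove or randomize before detonating a sample, and an empty result for the constructed "clean workstation" profile is the target state.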
Furthermore, researchers have uncovered a new malware loader named RomulusLoader, which fetches and executes additional payloads through process hollowing, shellcode injection, and direct execution.
RomulusLoader was deployed to launch legitimate remote management tools such as AnyDesk and SyncFuture, a remote monitoring software tool well-known in China. Notably, the latter was utilized in attacks targeting German entities.
Image: Overview of the RomulusLoader operation (Source: Proofpoint)
Additionally, Proofpoint identified a Python-based loader and data thief known as SilentRunLoader, designed to harvest Google Chrome credentials, cookies, and browsing data.
This malware was deployed against organizations in the United Kingdom and Southeast Asia, using baits impersonating government services.
Lastly, the researchers detected the deployment of Winos4.0, a previously documented malware strain referred to as ValleyRAT by Proofpoint, which provides operators with an array of remote access functionalities.
According to Proofpoint, TA4922 leads in executing “more unique campaigns” than any other threat actor tracked by the company. The group operates swiftly and employs diverse bait tactics.
According to the findings, the malware utilized by this threat actor possesses surveillance potential that could be exploited by or sold to espionage groups.
Proofpoint’s report includes indicators of compromise related to the malware and command-and-control (C2) infrastructure employed in TA4922’s attacks.
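Indicators are only useful once they are swept against your own telemetry. The script below is an added example, not Proofpoint's code and not the report's indicators: it shows how to run a small IoC set (domains, IPs and CIDR ranges, SHA-256 hashes) over key=value proxy log lines, matching parent domains without being fooled by look-alike suffixes. All IoC values and log lines are constructed placeholders in documentation/reserved ranges; substitute the domains, addresses and hashes published in the report.

```python
"""Sweep proxy log lines against a published IoC list. Added example, not
Proofpoint's code; the IoC values and log lines are constructed placeholders
in documentation/reserved ranges, not the indicators from the report."""
import ipaddress
import re

# Constructed placeholders: substitute the domains, IPs and hashes from the report.
IOC_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}
IOC_IPS = {ipaddress.ip_address("198.51.100.23")}          # RFC 5737 range
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]     # RFC 5737 range
IOC_SHA256 = {"a" * 64}                                     # placeholder hash

# Constructed key=value proxy log lines.
SAMPLE_LOGS = [
    "ts=2024-05-02T09:14:03Z src=10.0.0.5 dst=93.184.216.34 host=www.example.com sha256=-",
    "ts=2024-05-02T09:15:11Z src=10.0.0.7 dst=198.51.100.23 host=api.c2-placeholder.example sha256=-",
    "ts=2024-05-02T09:16:40Z src=10.0.0.9 dst=203.0.113.77 host=cdn.legit.example sha256=" + "a" * 64,
    "ts=2024-05-02T09:17:02Z src=10.0.0.5 dst=10.0.0.1 host=notc2-placeholder.example sha256=-",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; values never contain whitespace here."""
    return dict(KV_RE.findall(line))


def domain_hit(host: str):
    """Match the host itself or any parent domain, label by label, so that
    notc2-placeholder.example does NOT match c2-placeholder.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_hit(addr: str):
    """Match an exact indicator address first, then any indicator network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip in IOC_IPS:
        return str(ip)
    for net in IOC_NETWORKS:
        if ip in net:
            return str(net)
    return None


def scan(lines) -> list:
    """Return (timestamp, src, reasons) for every line that touches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = []
        d = domain_hit(rec.get("host", ""))
        if d:
            reasons.append(f"domain:{d}")
        ip = ip_hit(rec.get("dst", ""))
        if ip:
            reasons.append(f"ip:{ip}")
        if rec.get("sha256", "-").lower() in IOC_SHA256:
            reasons.append("sha256:" + rec["sha256"][:12])
        if reasons:
            hits.append((rec.get("ts"), rec.get("src"), reasons))
    return hits


if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOGS):
        print(ts, src, ", ".join(reasons))
```

The label-by-label domain match is the part most often done wrong in ad-hoc scripts: a plain `endswith` check would flag `notc2-placeholder.example` as a hit on `c2-placeholder.example`, while a plain equality check would miss the `api.` subdomain the actor actually used.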