
Chinese hackers use new Atlas RAT malware in European cyberattack

A Chinese-speaking cybercrime group has expanded its focus to Europe, using previously undocumented malware, including the Atlas RAT backdoor.

Tracked as TA4922, the threat actor is associated with financially motivated attacks aimed at breaching targeted networks for fraud, data theft, and access selling.

TA4922 previously targeted organizations in East Asia, but recent campaigns have focused on businesses in Germany, Italy, the United Kingdom and South Africa.


Researchers at cybersecurity firm Proofpoint note that TA4922 overlaps with previously reported activity such as ‘Silver Fox’ and ‘Void Arachne’. However, the cluster is tracked separately because it is more closely related to cybercrime than to espionage.

Since March, TA4922 activity has increased significantly, and since April its campaigns have shown unprecedented diversity and tempo.

“TA4922 is currently conducting more diverse campaigns than any other cyber threat actor tracked in Proofpoint’s threat data, demonstrating a high level of performance and versatility,” Proofpoint said in a report today.

“While the actor is assessed as financially motivated, the malware’s capabilities include surveillance capabilities, which can be used or sold to espionage groups.”

The attackers use phishing lures designed to look like payment notices, tax audits, VAT filings, government compliance notices, invoices, and labor-related communications.

The threat group also tries to reach victims via WhatsApp, LINE messenger, and Microsoft Groups.

Figure: German-language lure. Source: Proofpoint

Atlas RAT and custom loaders

Proofpoint reports that TA4922 has greatly expanded its malware arsenal and believes the hackers may be using large language models (LLMs) to speed up malware development.

This conclusion is based on the presence of placeholder values, code comments, and patterns commonly associated with AI-generated code.

The Proofpoint report highlights Atlas RAT, a newly identified remote access trojan (RAT) that gives attackers the following capabilities:

  • System reconnaissance
  • Targeted file theft
  • Plugin and payload downloads
  • Keylogging
  • Screenshot capture
  • Audio and webcam recording
  • System shutdown/reboot commands

The malware includes multiple sandbox-evasion and anti-analysis checks, including looking for specific usernames, registry keys related to Microsoft Defender Application Guard, the “CExecSvc” service, and the OS UUID.

Figure: Checks performed by the Atlas RAT loader. Source: Proofpoint

The researchers also discovered a new malware loader called RomulusLoader, which downloads and executes additional payloads using process hollowing, shellcode injection, or direct execution.

RomulusLoader was observed deploying legitimate remote-control tools such as AnyDesk and SyncFuture, a remote monitoring and management tool popular in China. Ironically, the latter was used in attacks targeting German businesses.

Figure: Overview of RomulusLoader functionality. Source: Proofpoint

Proofpoint also identified a Python-based loader and stealer called SilentRunLoader, which steals Google Chrome credentials, cookies, and browsing data.

That malware was used against organizations in the United Kingdom and Southeast Asia, using lures that impersonate government services.

Finally, the researchers saw the deployment of Winos4.0, a malware family previously labeled by Proofpoint as ValleyRAT and providing operators with a full set of remote access features.

According to Proofpoint, TA4922 is responsible for “more diverse campaigns” than any other threat actor the company tracks. The group moves quickly and uses many lures.

According to the researchers, the malware used by this actor has “surveillance potential that can be used or sold to espionage groups.”

The Proofpoint report includes indicators of compromise (IoCs) for the malware and the command-and-control (C2) infrastructure used in the TA4922 attacks.
