TA428 Targets Government IT Agencies
A threat group dubbed TA428 has been targeting government agencies in East Asia since early 2019 to deliver customised malware for espionage purposes. The campaign, known as Operation LagTime IT, uses spear-phishing emails with an RTF attachment containing the MS Office Equation Editor exploit (CVE-2018-0798) to deliver the Cotx Remote Access Tool (RAT). Cotx RAT establishes persistence and acts as a Command and Control (C&C) beacon through which the attacker delivers the Poison Ivy malware via a command shell. Operation LagTime IT is likely a continuation of targeted activity by APT actors aligned with Chinese state interests. This operation may seek to satisfy espionage and intelligence requirements that further China's strategic interest in the telecommunication and transportation industries.
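The delivery stage described above relies on an RTF attachment carrying an embedded Equation Editor OLE object. A simple mail-gateway or triage check is to look for that object class in the attachment, both in the plaintext `\objclass` control word and inside the hex-encoded `\objdata` stream, since the latter still names the class even when the former is missing. The script below is an added example, not code from the original report or from Ensign; it assumes the Equation Editor ProgID `Equation.3` and the OLE 1.0 object header layout (version, format id, then a length-prefixed class name), and the RTF fragment it scans is a constructed sample rather than a real malicious file.

```python
import re

# Constructed sample: a minimal RTF with one embedded OLE object whose class is
# Equation.3 (the Equation Editor component). The objdata hex below encodes an
# OLE 1.0 header: version 0x501, format id 2 (embedded), then the class name.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 {\object\objemb\objw100\objh100{\*\objclass Equation.3}"
    r"{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000}}"
    r"\par Quarterly IT budget review\par}"
)

# Constructed benign document for comparison: no embedded objects at all.
BENIGN_RTF = r"{\rtf1\ansi\deff0 Meeting minutes\par}"

# Class names that indicate the Equation Editor (EQNEDT32.EXE) will be invoked.
EQUATION_EDITOR_CLASSES = {"equation.3", "equation.2"}

OBJCLASS_RE = re.compile(r"\\objclass\s+([^\s\\{}]+)", re.IGNORECASE)
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)", re.IGNORECASE)


def parse_ole1_class(raw):
    """Return the class name from an OLE 1.0 object header, or None if malformed.

    Layout (assumed from the OLE 1.0 format): 4-byte version, 4-byte format id,
    4-byte little-endian class-name length, then the NUL-terminated class name.
    """
    if len(raw) < 12:
        return None
    name_len = int.from_bytes(raw[8:12], "little")
    if name_len == 0 or name_len > 256 or len(raw) < 12 + name_len:
        return None
    return raw[12:12 + name_len].rstrip(b"\0").decode("ascii", "replace")


def embedded_object_classes(rtf):
    """Collect every object class named in the RTF, from \\objclass and \\objdata."""
    found = set()
    for m in OBJCLASS_RE.finditer(rtf):
        found.add(m.group(1))
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", m.group(1))
        try:
            raw = bytes.fromhex(hexdata)
        except ValueError:
            continue  # not valid hex; skip rather than crash on odd input
        name = parse_ole1_class(raw)
        if name:
            found.add(name)
    return sorted(found)


def references_equation_editor(rtf):
    """True if any embedded object would be handled by the Equation Editor."""
    return any(c.lower() in EQUATION_EDITOR_CLASSES for c in embedded_object_classes(rtf))


def triage(rtf):
    """Return a short verdict string suitable for a gateway log line."""
    classes = embedded_object_classes(rtf)
    if references_equation_editor(rtf):
        return "QUARANTINE: Equation Editor object embedded (" + ", ".join(classes) + ")"
    if classes:
        return "REVIEW: embedded OLE objects (" + ", ".join(classes) + ")"
    return "PASS: no embedded objects"


if __name__ == "__main__":
    print(triage(SAMPLE_RTF))
    print(triage(BENIGN_RTF))
```

Because Equation Editor was removed by Microsoft after the 2018 patches, a document that still embeds an `Equation.3` object has little legitimate reason to reach a government mailbox, so quarantining on this class alone is a low-noise rule; pairing it with a block on `EQNEDT32.EXE` spawning child processes on endpoints covers the case where the attachment is obfuscated enough to evade the parser.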