Mongolia, Taiwan, Myanmar, Vietnam and Cambodia have been targeted by the China-linked RedDelta threat actor to deliver a customized version of the PlugX backdoor between July 2023 and December 2024.
“The group used lure documents themed around Taiwan’s 2024 presidential candidate Terry Gou, Vietnam’s national holidays, flood protection in Mongolia and meeting invitations, including an Association of Southeast Asian Nations (ASEAN) meeting,” Recorded Future’s Insikt Group said in a new analysis.
The threat actor is believed to have compromised the Ministry of Defense of Mongolia in August 2024 and the Communist Party of Vietnam in November 2024. It is also alleged to have targeted various victims in Malaysia, Japan, the US, Ethiopia, Brazil, Australia and India between September and December 2024.
RedDelta, which has been operating since at least 2012, is the name assigned to a state-sponsored threat actor from China. The cybersecurity community also tracks it under the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Mustang Panda (and the closely related Dizzy Panda), Red Lich, Stately Taurus, TA416 and Twill Typhoon.
The hacking crew is known for constantly refining its infection chain, with recent attacks weaponizing Visual Studio Code tunnels as part of espionage operations targeting government entities in Southeast Asia, a tactic increasingly used by various China-linked espionage groups such as those behind Operation Digital Eye and MirrorFace.
The intrusion set documented by Recorded Future involves the use of Windows Shortcut (LNK), Windows Installer (MSI) and Microsoft Management Console (MSC) files, likely distributed via phishing, as the first-stage component that starts an infection chain eventually leading to the deployment of PlugX using DLL side-loading techniques.
Separate campaigns observed late last year also relied on phishing emails containing a link to HTML files hosted on Microsoft Azure as a starting point to trigger the download of the MSC payload, which in turn drops the MSI installer responsible for loading PlugX via a legitimate executable vulnerable to DLL search order hijacking.
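The side-loading step described above leaves a recognizable trace in endpoint telemetry: a DLL bearing the name of a module that normally lives in a Windows system directory gets mapped from the host executable's own folder instead. The following is an added example (not code from Recorded Future or the report) of a triage heuristic over constructed Sysmon Event ID 7-style image-load records; the DLL name list, directory lists and record fields are assumptions.

```python
"""Flag candidate DLL side-loading from image-load records (added example).
Heuristic: a DLL whose file name matches a module normally resident in a
Windows system directory is loaded from the executable's own directory,
the executable lives outside the usual program locations, and the DLL
carries no valid signature."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample of DLL names that normally live under System32 (assumption).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
TRUSTED_DIRS = ("c:\\program files", "c:\\program files (x86)")


@dataclass
class ImageLoad:          # minimal shape of a Sysmon Event ID 7-style record
    image: str            # process executable that performed the load
    image_loaded: str     # DLL that was mapped into the process
    signed: bool          # whether the loaded DLL carries a valid signature


def is_sideload_candidate(ev: ImageLoad) -> bool:
    exe = PureWindowsPath(ev.image.lower())
    dll = PureWindowsPath(ev.image_loaded.lower())
    if dll.name not in SYSTEM_DLLS:
        return False
    if str(dll.parent).startswith(SYSTEM_DIRS):
        return False                        # loaded from where it belongs
    same_dir = dll.parent == exe.parent     # DLL sitting next to the host executable
    untrusted_exe = not str(exe).startswith(TRUSTED_DIRS)
    return same_dir and untrusted_exe and not ev.signed


def triage(events):
    """Return the paths of loaded DLLs that match the side-loading heuristic."""
    return [e.image_loaded for e in events if is_sideload_candidate(e)]


SAMPLE = [  # constructed records, not real telemetry
    ImageLoad(r"C:\Users\u\AppData\Roaming\Update\svc.exe",
              r"C:\Users\u\AppData\Roaming\Update\version.dll", False),
    ImageLoad(r"C:\Users\u\AppData\Roaming\Update\svc.exe",
              r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\version.dll", True),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A signed executable in a user-writable directory loading an unsigned DLL of a system module's name is the pattern worth escalating; the hit here is the first constructed record only.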
Another sign of the group evolving its tactics and staying ahead of defenses is RedDelta’s use of Cloudflare’s Content Delivery Network (CDN) to proxy command-and-control (C2) traffic to attacker-controlled C2 servers. This is done to blend in with legitimate CDN traffic and make detection more difficult.
Recorded Future said it identified 10 administrative servers that interacted with the two known RedDelta C2 servers. All 10 IP addresses are registered with China Unicom of Henan Province.
“RedDelta’s operations are in line with China’s strategic priorities, focusing on governments and diplomatic organizations in Southeast Asia, Mongolia and Europe,” the company said.
“The group’s targeting of Asia in 2023 and 2024 represents a return to the group’s historical focus following its 2022 attacks on European entities. RedDelta’s targeting of Mongolia and Taiwan coincides with the group’s past targeting of groups seen as a threat to Chinese Communist Party rule.”
The development comes against the backdrop of a Bloomberg report that the recent cyber attack on the US Treasury Department was carried out by a hacking group known as Silk Typhoon (aka Hafnium), which was previously attributed to the zero-day exploitation of four security flaws in Microsoft Exchange Server (aka ProxyLogon) in early 2021.