After several months of inactivity a Chinese threat actor, tracked as Mustang Panda, TA416 and RedDelta, has launched a new cyber espionage campaign aimed at entities connected to the diplomatic relations between the Vatican and the Chinese Communist Party. The hackers paused their activity in July, after the security firm Recorded Future released a report detailing their operations.
Now, researchers at Proofpoint have spotted a new Mustang Panda’s campaign against targets involved in negotiations about the operations of the Catholic Church in China. In this latest campaign the treat actor was observed using updated toolset in order to evade detection. While in previous attacks the hackers targeted the diplomatic entities using a PlugX RAT variant called “RedDelta PlugX,” they are now also using a new version of malware written in Golang.
The researchers discovered two RAR archives which serve as PlugX malware droppers. While Proofpoint has not been able to identify the initial delivery vector for these archives, in the past the group was known to abuse Google Drive and Dropbox URLs within phishing emails to deliver PlugX malware.
In the observed campaign the malware was delivered via phishing emails that appear to have been sent from journalists from the Union of Catholic Asia News.
“The PlugX malware loader found in this case was identified as a Golang binary. Proofpoint has not previously observed this file type in use by TA416. Both identified RAR archives were found to drop the same encrypted PlugX malware file and Golang loader samples. The Golang loader has a compilation creation time that dates it to June 24, 2020. However, the command and control infrastructure discussed later in this posting suggests that the PlugX malware payload and Golang loader variant were used after August 24, 2020. Despite the file type of the PlugX loader changing, the functionality remains largely the same,” the researchers said.
The analysis of the command and control infrastructure revealed that the C&C IP was hosted by the Chinese Internet Service Provider Anchnet Asia Limited and was in use as a C&C at least between August 24 and September 28, 2020. Since the server was not in use during the dormancy period, the researchers believe that the treat actor was working to rebuild the infrastructure during this time.
“Continued activity by TA416 demonstrates a persistent adversary making incremental changes to documented toolsets so that they can remain effective in carrying out espionage campaigns against global targets. The introduction of a Golang PlugX loader alongside continued encryption efforts for PlugX payloads suggest that the group may be conscious of increased detection for their tools and it demonstrates adaptation in response to publications regarding their campaigns. These tool adjustments combined with recurrent command and control infrastructure revision suggests that TA416 will persist in their targeting of diplomatic and religious organizations,” the report said.