RedDelta is the designation given by the infosec community to a highly active APT (Advanced Persistent Threat) group. There are strong links suggesting that RedDelta is a Chinese-sponsored threat actor. The targets of the group almost always align with the interests of the Chinese government. One of the latest attack campaigns attributed to the group was launched against several Catholic Church-related organizations. The victims included the Vatican and the Catholic Diocese of Hong Kong. The targets also included the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions (PIME), Italy. Neither organization had been classified as an entity of interest for Chinese-backed hacker groups before this operation.

Operations carried out by Chinese-aligned APT groups show considerable overlap in TTPs (Tactics, Techniques, and Procedures), which makes it especially hard to differentiate RedDelta from a group known as Mustang Panda (also tracked as BRONZE PRESIDENT and HoneyMyte). However, researchers have found enough distinguishing characteristics to attribute this series of attacks to RedDelta with high confidence. The unique aspects include the use of a PlugX variant with a different configuration encryption method, an infection chain that has not been attributed to other groups, and a target list that includes law enforcement and government entities from India as well as an Indonesian government organization.

Attack Chain

The customized PlugX payload is delivered to the victim's machine through a bait email carrying a weaponized document as an attachment. In one of the attacks, the lure document was addressed specifically to the current head of the Hong Kong Study Mission to China. The highly targeted nature suggests that RedDelta might have intercepted an official Vatican document that was subsequently weaponized. It is also highly likely that the hackers used a compromised Vatican account to send the lure message. The same PlugX variant was also found inside two other phishing lures. This time the bait documents were an imitation of a real news bulletin from the Union of Catholic Asian News named 'About China’s plan for Hong Kong security law.doc' and another Vatican-related file named 'QUM, IL VATICANO DELL’ISLAM.doc'.

Once deployed, the PlugX payload establishes a communication channel with the Command-and-Control (C2, C&C) infrastructure, which was the same for all observed attacks. The C2 domain was located at the systeminfor[.]com address. The last-stage malware payloads delivered to the compromised systems are the remote access Trojans Poison Ivy and Cobalt Strike. The goal of RedDelta was to gain access to sensitive internal communications, as well as to monitor the relations between chosen targets.
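As an added defender-side example that is not part of the original report, the following Python scans DNS log lines for resolutions of the reported C2 domain, refanging the published indicator and matching on label boundaries so that look-alike names are not flagged. The log format and the sample entries are constructed assumptions.

```python
import re
from typing import List, Tuple

# C2 indicator as published in the report, in defanged form.
REPORTED_C2_DEFANGED = "systeminfor[.]com"

def refang(indicator: str) -> str:
    """Turn common defanging ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")

def domain_matches(queried: str, c2: str) -> bool:
    """True when `queried` is the C2 domain itself or any subdomain of it.
    A plain substring check would also flag 'notsysteminfor.com' or
    'systeminfor.com.example.org', so anchor on the label boundary instead."""
    q = queried.lower().rstrip(".")
    return q == c2 or q.endswith("." + c2)

# Constructed sample DNS log (assumed format: timestamp client qname qtype).
SAMPLE_DNS_LOG = """\
2020-05-20T09:12:01Z 10.0.4.17 www.vatican.va A
2020-05-20T09:12:07Z 10.0.4.17 systeminfor.com A
2020-05-20T09:12:08Z 10.0.4.17 update.systeminfor.com A
2020-05-20T09:13:22Z 10.0.4.21 notsysteminfor.com A
2020-05-20T09:14:00Z 10.0.4.21 systeminfor.com.example.org A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def find_c2_lookups(log_text: str, c2_defanged: str = REPORTED_C2_DEFANGED) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every query hitting the C2 domain or a subdomain of it."""
    c2 = refang(c2_defanged)
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, qname, _qtype = m.groups()
        if domain_matches(qname, c2):
            hits.append((ts, client, qname))
    return hits

if __name__ == "__main__":
    for ts, client, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname}")
```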

