CYBER THREAT ANALYSIS
By Insikt Group®
CTA-CN-2020-0728
CHINA

CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS

CYBER THREAT ANALYSIS | CHINA

While there is considerable overlap between the observed TTPs of RedDelta and the threat activity group publicly referred to as Mustang Panda (also known as BRONZE PRESIDENT and HoneyMyte), there are a few notable distinctions which lead us to designate this activity as RedDelta:
• The version of PlugX used by RedDelta in this campaign uses a different C2 traffic encryption method and has a different configuration encryption mechanism than traditional PlugX.
• The malware infection chain employed in this campaign has not been publicly reported as used by Mustang Panda.

In addition to the targeting of entities related to the Catholic Church, Insikt Group also identified RedDelta targeting law enforcement and government entities in India and a government organization in Indonesia.

Insikt Group® researchers used proprietary Recorded Future Network Traffic Analysis and RAT controller detections, along with common analytical techniques, to identify and profile a cyberespionage campaign attributed to a suspected Chinese state-sponsored threat activity group, which we are tracking as RedDelta.

Data sources include the Recorded Future® Platform, Farsight Security’s DNSDB, SecurityTrails, VirusTotal, Shodan, BinaryEdge, and common OSINT techniques.

This report will be of greatest interest to network defenders of private sector, public sector, and non-governmental organizations with a presence in Asia, as well as those interested in Chinese geopolitics.

Executive Summary

From early May 2020, the Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations that were targeted by RedDelta, a Chinese state-sponsored threat activity group tracked by Insikt Group. This series of suspected network intrusions also targeted the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions (PIME), Italy. These organizations have not been publicly reported as targets of Chinese threat activity groups prior to this campaign.

These network intrusions occurred ahead of the anticipated September 2020 renewal of the landmark 2018 China-Vatican provisional agreement, a deal which reportedly resulted in the Chinese Communist Party (CCP) gaining more control and oversight over the country’s historically persecuted “underground” Catholic community. In addition to the Holy See itself, another likely target of the campaign is the current head of the Hong Kong Study Mission to China, whose predecessor was considered to have played a vital role in the 2018 agreement.

The suspected intrusion into the Vatican would offer RedDelta insight into the negotiating position of the Holy See ahead of the deal’s September 2020 renewal. The targeting of the Hong Kong Study Mission and its Catholic Diocese could also provide a valuable intelligence source for both monitoring the diocese’s relations with the Vatican and its position on Hong Kong’s pro-democracy movement amidst widespread protests and the recent sweeping Hong Kong national security law.

Figure 1: Selection of main differences between PlugX variants and the infection chain used by RedDelta and Mustang Panda.

Key Judgments

• The targeting of entities related to the Catholic church is likely indicative of CCP objectives in consolidating control over the “underground” Catholic church, “sinicizing religions” in China, and diminishing the perceived influence of the Vatican within China’s Catholic community.
• Due to RedDelta’s targeting of organizations that heavily align to Chinese strategic interests, use of shared tooling traditionally used by China-based groups, and overlaps with a suspected Chinese state-sponsored threat activity group, Insikt Group believes that the group likely operates on behalf of the People’s Republic of China (PRC) government.
• The identified RedDelta intrusions feature infrastructure, tooling, and victimology overlap with the threat activity group publicly reported as Mustang Panda (also known as BRONZE PRESIDENT and HoneyMyte). This includes the use of overlapping network infrastructure and similar victimology previously attributed to this group in public reporting, as well as the use of malware typically used by Mustang Panda, such as PlugX, Poison Ivy, and Cobalt Strike.

1 CTA-CN-2020-0728 Recorded Future® | www.recordedfuture.com



Background

China and the Catholic Church

For many years, Chinese state-sponsored groups have targeted religious minorities within the PRC, particularly those within the so-called “Five Poisons,” such as Tibetan, Falun Gong, and Uighur Muslim communities. Insikt Group has publicly reported on aspects of this activity, such as our findings on RedAlpha, the ext4 backdoor, and Scanbox watering hole campaigns targeting the Central Tibetan Administration, other Tibetan entities, and the Turkistan Islamic Party. Most recently, a July 2020 U.S. indictment identified the targeting of emails belonging to Chinese Christian religious figures (a Xi’an-based pastor, as well as an underground church pastor in Chengdu, the latter of whom was later arrested by the PRC government) by two contractors allegedly operating on behalf of the Chinese Ministry of State Security (MSS). Regional branches of China’s Ministry of Public Security (MPS) have also been heavily involved in digital surveillance of ethnic and religious minorities within the PRC, most notably by the Xinjiang Public Security Bureau (XPSB) in the case of Uighur Muslims.

Historically, the PRC has had a highly turbulent relationship with the Vatican and its governing body, the Holy See. In particular, the Holy See’s recognition of bishops within China’s historically persecuted “underground” Catholic church traditionally loyal to the Vatican, together with its relationship with Taiwan, has maintained an absence of official relations since the 1950s. The CCP perceived this behavior as the Holy See interfering in religious matters within China. In September 2018, the PRC and the Holy See reached a landmark two-year provisional agreement, marking a significant step towards renewed diplomatic relations.

Under the provisional agreement, China would regain more control over underground churches, and the Vatican in turn would gain increased influence over the appointment of bishops within the state-backed “official” Catholic church. The deal was met with a mixed reaction, with critics arguing that the deal was a betrayal of the underground church and would lead to increased persecution of its members. Many of the harshest criticisms came from clergy within Hong Kong. A year after the agreement, numerous reports noted the Vatican’s silence in response to the Hong Kong protests beginning in late 2019, in what critics called an effort to avoid offending Beijing and jeopardizing the 2018 agreement.

Threat Analysis

Overview of Catholic Church Intrusions

Using Recorded Future RAT controller detections and network traffic analysis techniques, Insikt Group identified multiple PlugX C2 servers communicating with Vatican hosts from mid-May until at least July 21, 2020. Concurrently, we identified Poison Ivy and Cobalt Strike Beacon C2 infrastructure also communicating with Vatican hosts, a Vatican-themed phishing lure delivering PlugX, and the targeting of other entities associated with the Catholic Church.

Figure 2: Intelligence Card for RedDelta PlugX C2 Server 167.88.180[.]5.

Figure 3: Vatican lure document targeting the head of Hong Kong Study Mission to China.

The lure document shown above, which has been previously reported on in relation to links to Hong Kong Catholic Church targeting, was used to deliver a customized PlugX payload that communicated with the C2 domain systeminfor[.]com. The document purported to be an official Vatican letter addressed to the current head of the Hong Kong Study Mission to China. It is currently unclear whether the actors created the document themselves, or whether it is a legitimate document they were able to obtain and weaponize. Given that the letter was directly addressed to this individual, it is likely that he was the target of a spearphishing attempt. Additionally, as this sample was compiled after signs of an intrusion within the Vatican network, it is also possible that the phishing lure was sent through a compromised Vatican account. This hypothesis is supported by the identification of communications between PlugX C2s and a Vatican mail server in the days surrounding the sample’s compilation date and its first submission to public malware repositories.


Figure 4: Union of Catholic Asian News article lure document (left), and Qum, the Vatican of Islam lure document (right).

The head of the Hong Kong Study Mission is considered the Pope’s de facto representative to China and a key link between Beijing and the Vatican. The predecessor to this role played a key part in the finalization of the 2018 provisional China-Vatican agreement, making his successor a valuable target for intelligence gathering ahead of the deal’s expiry and likely renewal in September 2020.

Further entities associated with the Catholic Church were also targeted by RedDelta in June and July 2020 using PlugX, including the mail servers of an international missionary center based in Italy and the Catholic Diocese of Hong Kong.

Insikt Group identified two additional phishing lures loading the same customized PlugX variant, which both communicated with the same C2 infrastructure as the Vatican lure. The first sample included a lure document spoofing a news bulletin from the Union of Catholic Asian News regarding the impending introduction of the new Hong Kong national security law. The content of the lure file, titled “About China’s plan for Hong Kong security law.doc,” was taken from a legitimate Union of Catholic Asian News article. The other sample also references the Vatican, using a document titled “QUM, IL VATICANO DELL’ISLAM.doc” as the decoy document. This particular decoy document translates as “Qum, the Vatican of Islam,” referring to the Iranian city of Qum (Qom), an important Shi’ite political and religious center. It is taken from the writings of Franco Ometto, an Italian Catholic academic living in Iran. Although the direct target of these two lures is unclear, both relate to the Catholic church.

We believe that this targeting is indicative of both China’s objective in consolidating increased control over the underground Catholic Church within China, and diminishing the perceived influence of the Vatican on Chinese Catholics. Similarly, a focus on Hong Kong Catholics amid pro-democracy protests and the recent sweeping national security law is in line with Chinese strategic interests, particularly given the anti-Beijing stance of many of its members, including former Hong Kong Bishop Cardinal Joseph Zen Ze-kiun.

Other Targeted Organizations

Insikt Group identified several additional suspected victims communicating with RedDelta C2 infrastructure. While metadata alone does not confirm a compromise, the high volume and repeated communications from hosts within targeted organizations to these C2s are sufficient to indicate a suspected intrusion. A full list of identified targeted organizations is summarized below:


Targeted Organization | Sector | Country/Region of Operation | Date of Observed Activity | RedDelta C2 IP(s)
The Vatican/Holy See | Religious | The Vatican | May 21–July 21, 2020 | 85.209.43[.]21, 103.85.24[.]136, 103.85.24[.]149, 103.85.24[.]190, 154.213.21[.]70, 154.213.21[.]73, 154.213.21[.]207, 167.88.180[.]5, 167.88.180[.]32
Catholic Diocese of Hong Kong | Religious | Hong Kong | May 12–July 21, 2020 | 103.85.24[.]136, 167.88.180[.]5, 167.88.180[.]32
Pontifical Institute for Foreign Missions (PIME), Milan | Religious | Italy | June 2–26, 2020 | 85.209.43[.]21
Sardar Vallabhbhai Patel National Police Academy | Law Enfor
cement | India | February 16–June 25, 2020 | 103.85.24[.]136, 167.88.180[.]5
Ministry of Home Affairs (Kementerian Dalam Negeri Republik Indonesia) | Government | Indonesia | May 21–July 21, 2020 | 85.209.43[.]21
Airports Authority of India | Government | India | June 18–July 21, 2020 | 154.213.21[.]207
Other Unidentified Victims | N/A | Myanmar, Hong Kong, Ethiopia, Australia | May–July 2020 | 85.209.43[.]21, 103.85.24[.]136, 167.88.180[.]5

Table 1: List of organizations targeted by RedDelta.

The organizations targeted by RedDelta in this campaign largely align with historical activity publicly reported on the threat activity group Mustang Panda, with the group previously linked to intrusion attempts targeting the Police of the Sindh Province in Pakistan, law enforcement organizations in India, and the targeting of entities within Myanmar, Hong Kong, and Ethiopia. The group is also suspected to have previously targeted China Center (China Zentrum e.V), a non-profit organization whose members include Catholic aid organizations, religious orders and dioceses in Germany, Austria, Switzerland, and Italy, and other organizations associated with religious and minority groups.

Infrastructure Analysis

In this campaign, RedDelta favored three primary IP hosting providers, and used multiple C2 servers within the same /24 CIDR ranges across intrusions. Preferred hosting providers included 2EZ Network Inc (Canada), Hong Kong Wen Jing Network Limited, and Hong Kong Ai Jia Su Network Limited. The group consistently registered domains through GoDaddy, with WHOIS data providing additional linkages between domains used by the threat activity group. Insikt Group identified two primary clusters of RedDelta infrastructure used throughout this campaign, referred to as the “PlugX cluster” and the “Poison Ivy and Cobalt Strike cluster.” A Maltego chart is included below displaying these clusters.


Figure 5: Maltego chart of RedDelta infrastructure.

‘Ma Ge Bei Luo Xiang Gang Jiu Dian’ and the PlugX Cluster

Vatican hosts and several other victim organizations were communicating with the PlugX C2 167.88.180[.]5 from May until June 10, 2020. This IP hosted the domain cabsecnow[.]com over this time period. Cabsecnow[.]com then resolved to a new IP, 103.85.24[.]136, from June 10 onwards. The suspicious network activity continued after the C2 IP was updated, increasing our confidence in the likelihood of intrusion at the targeted organizations.

The cabsecnow[.]com domain shares a similar naming convention to a publicly reported domain linked to Mustang Panda, cab-sec[.]com. WHOIS data revealed that both domains were registered several seconds apart through GoDaddy on September 17, 2019, with the same registrant organization listed: “Ma Ge Bei Luo Xiang Gang Jiu Dian.” This registrant organization is associated with eight domains in total, five of which have previously been publicly linked to Mustang Panda activity by Anomali and Dell SecureWorks. “Ma Ge Bei Luo Xiang Gang Jiu Dian” translates from Mandarin to Marco Polo Hotel Hong Kong, a legitimate Hong Kong hotel, although it is unclear why the actor chose this organization when registering these domains.

Domain | Registration Timestamp
sbicabsec[.]com | November 26, 2019 10:31:18Z
systeminfor[.]com | November 19, 2019 07:06:03Z
cabsecnow[.]com | September 17, 2019 02:37:37Z
cab-sec[.]com | September 17, 2019 02:37:34Z
forexdualsystem[.]com | October 22, 2018 01:09:46Z*
lionforcesystems[.]com | October 22, 2018 01:09:45Z*
apple-net[.]com | October 22, 2018 01:09:46Z*
wbemsystem[.]com | October 17, 2018 06:51:02Z*

Table 2: Domains with “Ma Ge Bei Luo Xiang Gang Jiu Dian” registrant organization. (*Domains now re-registered)

Another PlugX C2, 85.209.43[.]21, was also identified communicating with several hosts within the same targeted organizations (see Table 1). This IP has hosted ipsoftwarelabs[.]com since November 2019, a domain previously identified as a Mustang Panda PlugX C2.

Finally, the C2 domain associated with the Vatican and Union of Catholic Asian News lures, systeminfor[.]com, has been hosted on 167.88.180[.]32 since June 2020. This IP has also hosted lameers[.]com since February 2020, another PlugX C2 identified in activity targeting Hong Kong.

Figure 6: Context panel from the Recorded Future Intelligence Card™ for ipsoftwarelabs[.]com.

Cobalt Strike/Poison Ivy Cluster

Associated Domain | C2 IP Address | Malware Variant
web.miscrosaft[.]com | 154.213.21[.]207 | Poison Ivy
lib.jsquerys[.]net | 154.213.21[.]70 | Cobalt Strike
lib.hostareas[.]com | 154.213.21[.]73 | Unknown

Table 3: Cobalt Strike/Poison Ivy cluster domains.

The second cluster featured Cobalt Strike and Poison Ivy malware C2 infrastructure. A Poison Ivy sample (SHA256: 9bac74c592a36ee249d6e0b086bfab395a37537ec87c2095f999c00b946ae81d) submitted to a public malware repository from Italy in early June 2020, several days after the first evidence of activity between Vatican hosts and this C2, was configured to communicate with a spoofed Microsoft domain, web.miscrosaft[.]com, hosted on 154.213.21[.]207. Suspicious network traffic between this Poison Ivy C2 and several Vatican hosts, as well as an Indian aviation entity, was observed by Insikt Group analysts.

Two other IP addresses within the same 24-bit CIDR range, 154.213.21[.]73 and 154.213.21[.]70, were also identified communicating with overlapping Vatican infrastructure at this time. A Cobalt Strike sample (SHA256: 7824eb5f173c43574593bd3afab41a60e0e2ffae80201a9b884721b451e6d935), uploaded from an Italian IP address to a malware multiscanner repository as a zipped file the same day as the Poison Ivy sample, also used the 154.213.21[.]70 IP for command and control.
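The registrant-organization and registration-timestamp pivots applied to Table 2 above can be mechanised. The Python below is an added example written for this page, not Insikt Group tooling: it takes the Table 2 rows (timestamps transcribed to ISO 8601) with the registrant organization and registrar the report gives for them, groups registrations by shared registrant and registrar, and splits each group wherever consecutive registrations are far apart in time. The 60-second window is an assumption chosen to capture the “several seconds apart” pattern described above.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Table 2 of the report, with timestamps transcribed to ISO 8601. The report gives the
# same registrant organization and registrar for all eight domains.
REGISTRANT = "Ma Ge Bei Luo Xiang Gang Jiu Dian"
REGISTRAR = "GoDaddy"
TABLE2 = [
    ("sbicabsec[.]com",        "2019-11-26T10:31:18Z"),
    ("systeminfor[.]com",      "2019-11-19T07:06:03Z"),
    ("cabsecnow[.]com",        "2019-09-17T02:37:37Z"),
    ("cab-sec[.]com",          "2019-09-17T02:37:34Z"),
    ("forexdualsystem[.]com",  "2018-10-22T01:09:46Z"),
    ("lionforcesystems[.]com", "2018-10-22T01:09:45Z"),
    ("apple-net[.]com",        "2018-10-22T01:09:46Z"),
    ("wbemsystem[.]com",       "2018-10-17T06:51:02Z"),
]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def whois_records(rows=TABLE2, registrant=REGISTRANT, registrar=REGISTRAR):
    """Shape the rows like minimal WHOIS records; a real pipeline would fill these from a
    WHOIS or passive-DNS source rather than from a table in a report."""
    return [{"domain": d, "registrant": registrant, "registrar": registrar,
             "registered": parse_ts(t)} for d, t in rows]


def registration_bursts(records, window_seconds=60):
    """Group records by (registrant, registrar), sort each group by registration time,
    and split it wherever two consecutive registrations are more than window_seconds
    apart. Returns lists of domain names; singletons are kept so that unproductive
    pivots stay visible."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec["registrant"], rec["registrar"])].append(rec)
    bursts = []
    for group in by_key.values():
        group = sorted(group, key=lambda r: r["registered"])
        current = [group[0]]
        for prev, cur in zip(group, group[1:]):
            gap = (cur["registered"] - prev["registered"]).total_seconds()
            if gap <= window_seconds:
                current.append(cur)
            else:
                bursts.append(current)
                current = [cur]
        bursts.append(current)
    return [[r["domain"] for r in burst] for burst in bursts]


def pivot_from(seed_domain, records, window_seconds=60):
    """Domains registered in the same burst as seed_domain (the seed included)."""
    for burst in registration_bursts(records, window_seconds):
        if seed_domain in burst:
            return set(burst)
    return set()


if __name__ == "__main__":
    for burst in registration_bursts(whois_records()):
        print(burst)
```

On the Table 2 data this yields five bursts: the cab-sec[.]com/cabsecnow[.]com pair, the three October 22, 2018 domains, and three singletons. The same routine applies to the “sec” registrant discussed below once WHOIS records for those domains are supplied.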


This cluster of activity does not overlap with the infrastructure identified in the PlugX cluster. The WHOIS registration data for the domains miscrosaft[.]com and hostareas[.]com contains the registrant organization “sec.” While less distinct than the “Ma Ge Bei Luo Xiang Gang Jiu Dian” registrant identified earlier in the PlugX cluster, there are still relatively few domains associated with this organization, and fewer still that were registered through GoDaddy. Using these characteristics, we identified that the domains svrhosts[.]com, strust[.]club, and svchosts[.]com all match these criteria and are previously reported Mustang Panda Cobalt Strike C2 domains. In particular, svrhosts[.]com and svchosts[.]com were both registered at the same time as hostareas[.]com on February 3, 2019 through GoDaddy.

Malware Analysis

While there is notable targeting and infrastructure overlap between this RedDelta campaign and publicly reported Mustang Panda activity, there are some deviations in the tactics, techniques, and procedures (TTPs) used in each. For instance, Mustang Panda has typically used Windows Shortcut (LNK) files containing an embedded HTA (HTML Application) file with a VBScript or PowerShell script to load PlugX and Cobalt Strike Beacon payloads. In this campaign, however, RedDelta used ZIP files containing legitimate executables masquerading as lure documents, a notable departure from previously reported Mustang Panda activity. The legitimate executable is used to load a malicious DLL also present within the ZIP file through DLL sideloading, before the target is shown a decoy document. While Mustang Panda has used DLL sideloading previously, the PlugX variant used in association with this campaign has key differences from more traditional PlugX variants, particularly in the C2 protocol used and the configuration encoding within the samples, leading us to refer to it as the “RedDelta PlugX” variant below. This is not intended to suggest that the variant is used exclusively by this group; the name refers to the first group we have seen using it.

Figure 7: Execution diagram of the malware associated with RedDelta PlugX.

RedDelta PlugX: ‘Hong Kong Security Law’ Lure

The first sample, titled “About China’s plan for Hong Kong security law.zip” (SHA256: 86590f80b4e1608d0367a7943468304f7eb665c9195c24996281b1a958bc1512), corresponds to the Union of Catholic Asian News lure delivering the RedDelta PlugX variant. Although Insikt Group does not have full visibility into this infection chain, the ZIP file is likely to have been delivered via a spearphishing email. The ZIP contains two files:

File Name: About China’s plan for Hong Kong security law.exe
SHA256 Hash: 6c959cfb001fbb900958441dfd8b262fb33e052342948bab338775d3e83ef7f7

File Name: wwlib.dll
SHA256 Hash: f6e5a3a32fb3aaf3f2c56ee482998b09a6ced0a60c38088e7153f3ca247ab1cc

Stage 1: Wwlib.dll DLL Sideload and Hk.dat Download and Execution

“About China’s plan for Hong Kong security law.exe” is a legitimate Windows loader for Microsoft Word that is vulnerable to sideloading. When executed, it sideloads the malicious DLL, “wwlib.dll.”

Wwlib.dll initializes the loading stage by downloading, decoding, and executing an XOR-encoded Windows executable file, hk.dat, from http://167.88.180[.]198/hk.dat. Next, wwlib.dll will extract a Word document, “About China’s plan for Hong Kong security law.docx,” from its resource section and open it to make it appear to the user that a legitimate Microsoft Word document was opened.

Stage 2: Hk.exe/AAM Updates.exe DLL Sideloading to Load PlugX Variant

After “hk.dat” is decoded and executed, it will create three files in the C:\%APPDATA%/local/temp directory:

• Hk.exe (SHA256: 0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681) - A legitimate Adobe executable that is vulnerable to DLL sideloading


• Hex.dll (SHA256: bc6c2fda18f8ee36930b469f6500e28096eb6795e5fd17c44273c67bc9fa6a6d) - The malicious DLL sideloaded by hk.exe that decodes and loads adobeupdate.dat
• Adobeupdate.dat (SHA256: 01c1fd0e5b8b7bbed62bc8a6f7c9ceff1725d4ff6ee86fa813bf6e70b079812f) - The RedDelta PlugX variant loader

Next, “hk.exe” is executed and creates copies of the files “adobeupdate.dat,” “hex.dll,” and itself renamed as “AAM Updates.exe” in the folder “C:\ProgramData\AAM UpdatesIIw.” “AAM Updates.exe” is then executed, starting the installation process by sideloading the malicious “hex.dll.” “Hex.dll” will decode and execute “adobeupdate.dat,” which ultimately leads to the execution of the RedDelta PlugX variant in memory. This use of DLL sideloading, including the use of this specific Adobe executable, aligns with recent public reporting of Mustang Panda PlugX use (1, 2).

RedDelta PlugX: ‘Qum, the Vatican of Islam’ Lure

The second PlugX sample uses the same loading method identified above. In this case, the same WINWORD.exe executable is used to load another malicious wwlib.dll file. The sample then contacts http://103.85.24[.]190/qum.dat to retrieve the XOR-encoded Windows executable file, qum.dat. This sample uses the same C2 as above, www.systeminfor[.]com.

RedDelta PlugX: Vatican Lure Targeting Hong Kong Study Mission

The final PlugX sample, featuring the Vatican Hong Kong Study Mission lure, also uses largely the same PlugX loading method. In this case, the ZIP file contains a benign Adobe Reader executable, AcroRd32.exe, renamed “DOC-2020-05-15T092742.441.exe,” which is used to load the malicious acrord32.dll file through DLL sideloading. The sample retrieves the file dis.dat from http://167.88.180[.]198/dis.dat and uses the same C2 referenced in the previous samples.

RedDelta PlugX: Installation Process

Insikt Group performed detailed analysis on the DAT files related to the “Union of Catholic Asian News” and “Qum, the Vatican of Islam” lures. Analysis of these samples showed two DAT files were downloaded from the URLs listed in the table below:

File Name | Download Location | SHA256 Hash
hk.dat | http://167.88.180[.]198/hk.dat | 2fb4a17ece461ade1a2b63bb8db19947636c6ae39c4c674fb4b7d4f90275d20
qum.dat | http://103.85.24[.]190/qum.dat | 476f80521bf6789d02f475f67e0f4ede830c4a700c3f7f64d99e811835a39e

In each case, the file (“hk.dat” or “qum.dat”) is downloaded and executed after initial execution of the phishing lure, as described above in “Stage 1: Wwlib.dll DLL Sideload and Hk.dat Download and Execution.” Both files are RtlCompress/LZNT1 compressed, as well as XOR-encoded. The XOR key precedes the encoded data, allowing the file to be more easily decoded during static analysis. A Python script to decompress and decode the payload can be found on our GitHub repository.

After the DAT files are decompressed and decoded, they are executed. The execution details for “hk.dat” have been detailed above (see “Stage 2: Hk.exe/AAM Updates.exe DLL Sideloading to Load PlugX Variant”) and are nearly identical to those of “qum.dat.” As with the hk.dat sample associated with the “Union of Catholic Asian News” lure, the main purpose of this stage of the malware is to perform the DLL sideloading step in order to execute the PlugX variant.

Again, the final stage consists of three files: a non-malicious executable, a malicious sideloaded DLL, and the encoded DAT file, which are all used to sideload the final payload. This is consistent with a typical PlugX installation.

Like the first-stage DAT files, the PlugX loader DAT file is XOR-encoded and the decode key precedes the encoded data in the file; however, it is not RtlCompress/LZNT1 compressed as the initial stage files are. A Python script to decode the PlugX loader, as well as the configuration block, is contained on our GitHub repository.

RedDelta: An Updated PlugX Variant

The PlugX variant used in the RedDelta campaign is similar to the PlugX variants previously associated with Mustang Panda by Avira and Anomali. Both make heavy use of stack strings as an obfuscation mechanism, as seen in Figure 8, making it harder for an analyst to use strings to determine the functionality or purpose of the code.


Figure 8: Comparison of Anomali/Avira PlugX variant stack string implementation and RedDelta stack
string implementation.

However, the configuration block for the RedDelta PlugX variant has one
key distinction: the Avira-reported Mustang Panda configuration block decoding
function looks for the string “XXXXXXXX” to determine whether the configuration
is encoded, while the RedDelta variant looks for the string “########.” Apart from
the different demarcator strings, both variants use the same rolling XOR encoding
with the key “123456789.” The configuration block decode routine can be seen
in Figure 9, below.


Figure 9: Comparison of configuration block in Anomali/Avira PlugX (showing the “XXXXXXXX” demarcator) and the RedDelta configuration block (showing the “########” demarcator).

A Python implementation of this algorithm can be observed in Figure 10, below.
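Figure 10 is not reproduced in this extraction. As an added example written for this page (not the Insikt Group script referenced in the Installation Process section, which lives on their GitHub repository), the Python below implements the decoding steps the report describes: the first-stage DAT files (key prefix, XOR, then LZNT1 decompression), the XOR-only PlugX loader DAT, and the configuration block (demarcator check followed by XOR with “123456789”). Three points are assumptions rather than facts from the report: the length of the key that precedes the DAT data is not stated, so it is a parameter; “rolling XOR” is taken to mean repeating-key XOR over the block; and the demarcator is treated as a plain prefix that is not itself encoded. All sample data is constructed.

```python
from typing import Optional


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream as produced by RtlCompressBuffer(COMPRESSION_FORMAT_LZNT1).
    Each chunk starts with a 2-byte header: bit 15 = compressed, low 12 bits = length - 1.
    In a compressed chunk a flag byte precedes up to 8 tokens; a clear flag bit means a
    literal byte, a set bit a 2-byte back-reference whose offset/length split shifts
    towards more offset bits as the chunk fills."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        if header == 0:                      # zero header terminates the stream
            break
        chunk = data[pos:pos + (header & 0x0FFF) + 1]
        pos += len(chunk)
        if not header & 0x8000:              # stored chunk, copied verbatim
            out += chunk
            continue
        chunk_start = len(out)
        i = 0
        while i < len(chunk):
            flags = chunk[i]
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    out.append(chunk[i])
                    i += 1
                    continue
                token = int.from_bytes(chunk[i:i + 2], "little")
                i += 2
                length_bits = 12
                p = len(out) - chunk_start - 1
                while p >= 0x10:             # each doubling of output moves one bit to the offset
                    p >>= 1
                    length_bits -= 1
                length = (token & ((1 << length_bits) - 1)) + 3
                offset = (token >> length_bits) + 1
                for _ in range(length):      # byte-wise copy so overlapping references work
                    out.append(out[-offset])
    return bytes(out)


def decode_stage1_dat(blob: bytes, key_len: int) -> bytes:
    """hk.dat / qum.dat layout: XOR key at the front, then the LZNT1-compressed payload.
    key_len is the analyst's input; the report does not state the key length."""
    key, body = blob[:key_len], blob[key_len:]
    return lznt1_decompress(xor_repeating(body, key))


def decode_loader_dat(blob: bytes, key_len: int) -> bytes:
    """adobeupdate.dat-style loader: same key-first layout, XOR only, no compression."""
    return xor_repeating(blob[key_len:], blob[:key_len])


REDDELTA_MARKER = b"########"
MUSTANG_PANDA_MARKER = b"XXXXXXXX"
CONFIG_KEY = b"123456789"


def decode_config(block: bytes, marker: bytes = REDDELTA_MARKER) -> Optional[bytes]:
    """Configuration block: if it starts with the variant's demarcator, the remainder is
    repeating-key XOR encoded with "123456789"; otherwise it is not an encoded block of
    that variant and None is returned."""
    if not block.startswith(marker):
        return None
    return xor_repeating(block[len(marker):], CONFIG_KEY)


# Constructed test data, not taken from a real sample.
SAMPLE_KEY = b"\x5a\xa5\x3c\xc3"                      # hypothetical 4-byte key prefix
SAMPLE_LZNT1 = bytes.fromhex("05b0084142430620")      # LZNT1 encoding of b"ABCABCABCABC"
SAMPLE_STAGE1_DAT = SAMPLE_KEY + xor_repeating(SAMPLE_LZNT1, SAMPLE_KEY)
SAMPLE_CONFIG_PLAIN = b"www.systeminfor.com\x00"      # C2 domain from the report; field layout invented
SAMPLE_CONFIG = REDDELTA_MARKER + xor_repeating(SAMPLE_CONFIG_PLAIN, CONFIG_KEY)


if __name__ == "__main__":
    print(decode_stage1_dat(SAMPLE_STAGE1_DAT, len(SAMPLE_KEY)))
    print(decode_config(SAMPLE_CONFIG))
```

The LZNT1 routine is the general decoder, so it also handles stored (uncompressed) chunks and multi-chunk streams, not only the one-chunk sample; on a real first-stage DAT the XOR key length has to be determined from the sample (for instance by looking for the MZ header once a candidate length is tried) before it is passed in.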

Figure 10: Python implementation of RedDelta PlugX configuration block decoding mechanism.

In conventional PlugX samples, the configuration block is encrypted with a more complex algorithm using multiple keys in combination with shift left and shift right bitwise operations. For example, the Python code implementing this algorithm, as seen in Figure 11, was created by Kyle Creyts based on Takahiro Haruyama’s extensive research and analysis on PlugX.

Figure 11: Python implementation of traditional PlugX configuration block decoding mechanism by Kyle Creyts.

The configuration block encryption associated with the RedDelta variant is considerably less sophisticated when compared to traditional PlugX samples, and while both make use of XOR-based ciphers, the simple algorithm used by RedDelta would be easier for an analyst to brute force.


Command and Control Protocol

The C2 protocol used by the RedDelta PlugX malware differs from that of the Mustang Panda PlugX. Both variants use the HTTP POST method common to PlugX, including the value “61456” in a POST header field, which is a clear indicator of a PlugX HTTP POST. However, the RedDelta variant does not include the URI string “/update?wd=” more commonly associated with PlugX, as seen in Figure 12.

Figure 12: HTTP POST request from Anomali/Avira PlugX variant and RedDelta PlugX variant.

The RedDelta PlugX variant encrypts its C2 communications very differently when compared to the Mustang Panda variant reported by Anomali and Avira. Instead of using XOR encoding, RedDelta uses RC4 encryption where the first 10 bytes of the passcode are hardcoded and the last four bytes are randomly generated and included as a key within the TCP packet so that the communication can be decrypted. The hardcoded portion of the RC4 passphrase is “!n&U*O%Pb$.” Figure 13 shows the function where the RC4 passphrase is defined as well as where the last four bytes are appended to create the full key. A Python script to decode the RedDelta C2 communication from a supplied PCAP can be found on our GitHub repository.

Despite the different C2 encryption schemes, both RedDelta and Mustang Panda variants’ C2 traffic decrypts to the familiar PlugX header format, as shown in Figure 14.

Figure 14: PlugX header and data.

In conventional PlugX samples, the C2 uses the same algorithm as in the configuration decode (see Figure 11), with part of the key being the first four bytes of the TCP transmission. While the RedDelta PlugX variant also uses the first four bytes of the TCP transmission as a part of the key, the use of RC4 for C2 encryption demonstrates a departure from the usual PlugX C2 traffic encryption mechanism.

Figure 13: C2 encryption/decryption routine showing the first four hardcoded bytes of the
RC4 key used in RedDelta PlugX variant.
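The C2 encryption described above can be reproduced from what the report states: the RC4 key is the 10 hardcoded bytes “!n&U*O%Pb$” with four per-message bytes appended, and those four bytes travel at the front of the TCP payload. The Python below is an added example, not the Insikt Group PCAP script: it wraps a message the way the implant would and unwraps a captured payload the way an analyst would, and adds a small HTTP triage check for the “61456” header value and the “/update?wd=” URI discussed earlier. It assumes the ciphertext immediately follows the four key bytes with nothing in between, works on a reassembled TCP payload rather than on a PCAP, and uses constructed sample requests (the header name X-Size is chosen for the sample; the report names only the value).

```python
import os

RC4_PREFIX = b"!n&U*O%Pb$"  # the 10 hardcoded key bytes reported for the RedDelta variant
NONCE_LEN = 4               # the 4 random bytes carried at the start of the TCP payload


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). A stream cipher, so one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def session_key(nonce: bytes) -> bytes:
    """Full RC4 key: the hardcoded 10 bytes with the 4 per-message bytes appended."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly 4 bytes")
    return RC4_PREFIX + nonce


def wrap_c2_message(plaintext: bytes, nonce: bytes = None) -> bytes:
    """Implant side: nonce || RC4(prefix || nonce, plaintext). Assumes the ciphertext
    directly follows the four key bytes (an assumption of this example)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    return nonce + rc4(session_key(nonce), plaintext)


def unwrap_c2_message(payload: bytes) -> bytes:
    """Analyst side, on a reassembled TCP payload: the per-message key bytes are the first
    four bytes, so nothing beyond the hardcoded prefix is needed to recover the PlugX
    header and data."""
    if len(payload) < NONCE_LEN:
        raise ValueError("payload shorter than the 4-byte key suffix")
    return rc4(session_key(payload[:NONCE_LEN]), payload[NONCE_LEN:])


def classify_plugx_post(raw_request: bytes) -> dict:
    """Triage one HTTP request: a PlugX POST carries the value 61456 in a header field; the
    conventional variant also uses the /update?wd= URI, the RedDelta variant does not."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    method, uri = (parts[0], parts[1]) if len(parts) >= 2 else (b"", b"")
    values = [line.split(b":", 1)[1].strip() for line in lines[1:] if b":" in line]
    return {
        "is_post": method == b"POST",
        "has_61456_header": b"61456" in values,
        "update_wd_uri": uri.startswith(b"/update?wd="),
    }


# Constructed sample requests. The header name X-Size is chosen for the sample only; the
# report states just that the value 61456 appears in a POST header field.
SAMPLE_REDDELTA_POST = (b"POST /sample HTTP/1.1\r\nHost: c2.example\r\n"
                        b"X-Size: 61456\r\nContent-Length: 0\r\n\r\n")
SAMPLE_CONVENTIONAL_POST = (b"POST /update?wd=sample HTTP/1.1\r\nHost: c2.example\r\n"
                            b"X-Size: 61456\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    wire = wrap_c2_message(b"<plugx header and data>", nonce=b"\x01\x02\x03\x04")
    print(wire.hex(), unwrap_c2_message(wire))
    print(classify_plugx_post(SAMPLE_REDDELTA_POST))
```

Because the only secret is the hardcoded prefix, any captured session for this variant decrypts offline; the same unwrap routine, applied to each direction of a reassembled stream, yields the PlugX header and data shown in Figure 14.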


While Recorded Future has not done extensive code analysis to further
compare the samples, we have highlighted fundamental differences between the
RedDelta PlugX variants and conventional PlugX, notably in the configuration block
and C2 communication. Additionally, while RedDelta has implemented a modular
delivery system based on traditional PlugX tactics, it also provides the group with
the ability to change, enhance or remove functionality as needed.

File Name: OneDrive.exe
SHA256 Hash: 7824eb5f173c43574593bd3afab41a60e0e2ffae80201a9b884721b451e6d935

Cobalt Strike

The file, OneDrive.exe, is responsible for loading the Cobalt Strike payload. When executed, OneDrive.exe will reach out to http://154.213.21[.]27/DotNetLoader40.exe, download the file DotNetLoader40.exe and invoke the “RunRemoteCode” function contained within it.

DotNetLoader40.exe is a small .NET executable that essentially downloads and then executes shellcode. The main function in DotNetLoader is “RunRemoteCode,” which takes a URL as an argument. The content is downloaded from the provided URL, in this case http://154.213.21[.]27/beacon.txt, and then sent to the function “InjectShellCode.” The shellcode is then base64 decoded, decompressed, saved to memory, and executed.

The shellcode loaded is Cobalt Strike Beacon, which is configured using the Havex Malleable C2 profile. This Havex C2 profile has been published on GitHub and can be used by any entity that wishes to use it; in this case, the attacker is doing so in conjunction with Cobalt Strike. This can be seen both through the URI used within the C2 URL (http://154.213.21[.]70/wp08/wp-includes/dtcla.php) and the client and server headers and HTML content displayed below in Figure 15.

Figure 15: Network connections and server response to Cobalt Strike Beacon Havex Malleable C2
sample.

Poison Ivy
File Name: MpSvc.dll
SHA256 Hash: 9bac74c592a36ee249d6e0b086bfab395a37537ec87c2095f999c00b946ae81d

The identified Poison Ivy sample is loaded using the above MpSvc.dll file,
masquerading as the Microsoft Windows Defender file of the same name. Once
loaded, web.miscrosaft[.]com is used for command and control.


Outlook

Our research uncovered a suspected China state-sponsored campaign targeting
multiple high-profile entities associated with the Catholic Church ahead of the
likely renewal of the provisional China-Vatican deal in September 2020. The CCP’s
warming diplomatic relations with the Holy See have been commonly interpreted as
a means to facilitate increased oversight and control over its unofficial Catholic
church. This also supports the CCP’s wider stated goal of “sinicizing religions” in
China. Furthermore, it demonstrates that China’s interest in control and
surveillance of religious minorities is not confined to those within the “Five
Poisons,” exemplified by the continued persecution and detainment of underground
church members and allegations of physical surveillance of official Catholic and
Protestant churches.
The U.S. Ambassador-at-Large for International Religious Freedom recently
expressed concern regarding the impact of the new national security law within
Hong Kong, stating it has the “potential to significantly undermine religious
freedom.” The targeting of the Catholic diocese of Hong Kong is likely a valuable
intelligence source for both monitoring the diocese’s position on Hong Kong’s
pro-democracy movement and its relations with the Vatican. This marks a possible
precursor to increased limits on religious freedom within the special administrative
region, particularly where it coincides with pro-democracy or anti-Beijing positions.
RedDelta is a highly active threat activity group targeting entities relevant to
Chinese strategic interests. Despite the group’s consistent use of well-known tools
such as PlugX and Cobalt Strike, infrastructure reuse, and operations security
failures, these intrusions indicate RedDelta is still being tasked to satisfy
intelligence requirements. In particular, this campaign demonstrates a clear
objective to target religious bodies, and therefore we feel it is particularly
pertinent for religious and non-governmental organizations (NGOs) to take note
and invest in network defenses to counter the threat posed by Chinese
state-sponsored threat activity groups like RedDelta. The inability of many NGOs
and religious organizations to invest in security and detection measures greatly
increases the likelihood of success for well-resourced and persistent groups, even
when they use well-documented tools, TTPs, and infrastructure.

Network Defense Recommendations

Recorded Future recommends that users conduct the following measures to
detect and mitigate activity associated with RedDelta:
• Configure your intrusion detection systems (IDS), intrusion prevention
systems (IPS), or any network defense mechanisms in place to alert on — and
upon review, consider blocking illicit connection attempts from — the external
IP addresses and domains listed in the appendix.

Additionally, we advise organizations to follow these general information
security best practice guidelines:
• Keep all software and applications up to date; in particular, operating
systems, antivirus software, and core system utilities.
• Filter email correspondence and scrutinize attachments for malware.
• Make regular backups of your system and store the backups offline,
preferably offsite so that data cannot be accessed via the network.
• Have a well-thought-out incident response and communications plan.
• Adhere to strict compartmentalization of company-sensitive data. In
particular, look at which data anyone with access to an employee account or
device would have access to (for example, through device or account takeover
via phishing).
• Strongly consider instituting role-based access, limiting company-wide data
access, and restricting access to sensitive data.
• Employ host-based controls; one of the best defenses and warning signals to
thwart attacks is to conduct client-based host logging and intrusion detection
capabilities.
• Implement basic incident response and detection deployments and controls
like network IDS, netflow collection, host logging, and web proxy, alongside
human monitoring of detection sources.
• Be aware of partner or supply chain security standards. Being able to
monitor and enforce security standards for ecosystem partners is an important
part of any organization’s security posture.
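A detection pass over web-proxy logs, as an added example (not the report's own tooling) that serves both the Cobalt Strike loader description above and the first recommendation here: it refangs the report's network indicators and additionally flags the Havex profile URI and the staging file names, so the profile is caught even if it moves to a host not yet listed. The log layout, client addresses and every log line are constructed.

```python
import re
from urllib.parse import urlsplit

def refang(ioc):
    """Indicators are kept defanged as the report prints them; refang for matching."""
    return ioc.replace("[.]", ".").lower()

# Network indicators taken from the report (Appendix A and the Cobalt Strike section)
INDICATOR_HOSTS = {refang(h) for h in (
    "154.213.21[.]27", "154.213.21[.]70", "154.213.21[.]207", "154.213.21[.]73",
    "web.miscrosaft[.]com", "lib.jsquerys[.]net", "lib.hostareas[.]com",
    "ipsoftwarelabs[.]com", "cabsecnow[.]com", "lameers[.]com", "systeminfor[.]com",
)}
HAVEX_URI = "/wp08/wp-includes/dtcla.php"             # Havex Malleable C2 profile URI
STAGING_FILES = {"DotNetLoader40.exe", "beacon.txt"}  # files fetched by OneDrive.exe

# Assumed proxy log layout (constructed): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(line):
    """Return (client_ip, reason) for a line matching an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    if host in INDICATOR_HOSTS:
        return (client, "known RedDelta host " + host)
    if parts.path.endswith(HAVEX_URI):   # catches the public profile on a new host too
        return (client, "Havex Malleable C2 profile URI")
    if filename in STAGING_FILES:
        return (client, "Cobalt Strike staging file " + filename)
    return None

def scan(lines):
    """Run classify() over a log and return only the hits, in order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample proxy log (not real traffic); 203.0.113.0/24 is a documentation range
SAMPLE_LOG = [
    "2020-06-04T10:00:01Z 10.0.0.5 GET http://154.213.21.27/DotNetLoader40.exe 200",
    "2020-06-04T10:00:03Z 10.0.0.5 GET http://cdn.example.net/wp08/wp-includes/dtcla.php 200",
    "2020-06-04T10:00:09Z 10.0.0.8 GET http://www.example.org/index.html 200",
    "2020-06-04T10:01:12Z 10.0.0.9 GET http://web.miscrosaft.com/ 404",
    "2020-06-04T10:02:40Z 10.0.0.5 GET http://203.0.113.9/beacon.txt 200",
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```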


Recorded Future Threat Activity Group and Malware Taxonomy

Recorded Future’s research group, Insikt, tracks threat actors and their activity,
focusing on state actors from China, Iran, Russia, and North Korea, as well as cyber
criminals - individuals and groups - from Russia, CIS states, China, Iran, and Brazil.
We emphasize tracking activity groups and where possible, attributing them to nation
state government, organizations, or affiliate institutions.

Our coverage includes:

• Government organizations and intelligence agencies, their associated laboratories,
partners, industry collaborators, proxy entities, and individual threat actors.
• Recorded Future-identified, suspected nation state activity groups, such as
RedAlpha, RedBravo, RedDelta, and BlueAlpha and many other industry established
groups.
• Cybercriminal individuals and groups established and named by Recorded Future
• Newly emerging malware, as well as prolific, persistent commodity malware

Figure: The Diamond Model of Intrusion Analysis (Adversary, Infrastructure, Capability, Victim).

Insikt Group names a new threat activity group or campaign when analysts have data
corresponding to at least three points on the Diamond Model of Intrusion Analysis
with at least medium confidence, derived from our Security Intelligence Graph. We can
tie this to a threat actor only when we can point to a handle, persona, person, or
organization responsible. We will write about the activity as a campaign in the
absence of this level of adversary data. We use the most widely-utilized or
recognized name for a particular group when the public body of empirical evidence is
clear the activity corresponds to a known group.

Insikt Group utilizes a simple color and phonetic alphabet naming convention for new
nation state threat actor groups or campaigns. The color corresponds to that nation’s
flag colors, currently represented below, with more color/nation pairings to be added
as we identify and attribute new threat actor groups associated with new nations.

For newly identified cybercriminal groups, Insikt Group uses a naming convention
corresponding to the Greek alphabet. Where we have identified a criminal entity
connected to a particular country, we will use the appropriate country color, and
where that group may be tied to a specific government organization, tie it to that
entity specifically.

Insikt Group uses mathematical terms when naming newly identified malware.


Appendix A — Indicators of Compromise

Command and Control Infrastructure

Domain                 IP Address         First Seen   Last Seen    Description
ipsoftwarelabs[.]com   85.209.43[.]21     2019-11-08   *            PlugX C2
cabsecnow[.]com        167.88.180[.]32    2020-07-14   *            PlugX C2
cabsecnow[.]com        103.85.24[.]136    2020-06-10   2020-07-14   PlugX C2
cabsecnow[.]com        167.88.180[.]5     2019-10-26   2020-06-10   PlugX C2
cabsecnow[.]com        167.88.177[.]224   2019-09-18   2019-10-19   PlugX C2
lameers[.]com          167.88.180[.]32    2020-02-14   *            PlugX C2
lameers[.]com          167.88.180[.]132   2019-11-27   2020-02-13   PlugX C2
systeminfor[.]com      103.85.24[.]136    2020-07-15   *            PlugX C2
systeminfor[.]com      167.88.180[.]32    2020-05-29   2020-07-15   PlugX C2
systeminfor[.]com      103.85.24[.]190    2020-05-17   2020-05-29   PlugX C2
N/A                    103.85.24[.]149    2020-06-08   2020-06-23   PlugX C2
N/A                    167.88.180[.]198   2020-06-15   2020-06-25   PlugX Payload Staging Server
web.miscrosaft[.]com   154.213.21[.]207   2020-04-27   *            PIVY C2
N/A                    154.213.21[.]70    2020-06-04   *            Cobalt Strike C2
lib.jsquerys[.]net     154.213.21[.]70    2020-06-04   *            Associated with Cobalt Strike C2
N/A                    154.213.21[.]27    2020-06-04   *            Cobalt Strike Staging Server
lib.hostareas[.]com    154.213.21[.]73    2020-05-13   *            Linked through infrastructure overlap

* Denotes that the domain or server was still live at the time of publication.


PlugX

File Name: About China’s plan for Hong Kong security law.zip
File Name: N. 490.349 N. 491.189.zip
File Name: QUM, IL VATICANO DELL’ISLAM.rar
File Name: wwlib.dll
File Name: wwlib.dll
File Name: acrord32.dll
File Name: hex.dll
File Name: adobeupdate.dat
File Name: hex.dll
File Name: adobeupdate.dat

Poison Ivy

File Name: MpSvc.dll

Cobalt Strike

File Name: OneDrive.exe


Appendix B — MITRE ATT&CK Mapping


Appendix C — Python Decoding Script


import lznt1  # third-party LZNT1 implementation (pip install lznt1)


def decompress(filename):
    # Read the file and LZNT1-decompress it before decoding
    decompressed = b""
    with open(filename, "rb") as f:
        decompressed = lznt1.decompress(f.read())
    return decompressed


compressed = True
filename = "http_dll.dat"

# Only decompress when the input is LZNT1-compressed
if compressed:
    data = decompress(filename)
else:
    with open(filename, "rb") as dat:
        data = dat.read()

# The XOR key is the run of bytes preceding the first null byte
key = []
for d in data:
    if d != 0x00:
        key.append(d)
    else:
        break
klen = len(key)

# XOR everything after the key and its null terminator with the repeating key
output = []
loop_condition = 0
for c in data[klen + 1:]:
    current_key = key[loop_condition % klen]
    output.append(c ^ current_key)
    loop_condition += 1

with open("http_dll.dat.bin", "wb") as decoded:
    decoded.write(bytearray(output))



About Recorded Future

Recorded Future arms security teams with the only complete security intelligence
solution powered by patented machine learning to lower risk. Our technology
automatically collects and analyzes information from an unrivaled breadth of sources
and provides invaluable context in real time and packaged for human analysis or
integration with security technologies.
