The Chinese cybercriminal group Mustang Panda (also known as TA416 and RedDelta) has resumed its cyber espionage operations against the Vatican. The group suspended the malware campaign in July this year after Recorded Future published its report, but has now returned with an updated arsenal of hacking tools.
The group is known for its attacks on organizations associated with diplomatic relations between the Vatican and the Chinese Communist Party, as well as organizations in Myanmar. The new malware campaign appears to be a continuation of this activity, experts at Proofpoint say.
Changes to the group's arsenal include a new loader for the PlugX remote access trojan, this time written in Go (Golang).
The attackers use phishing lures themed around the relationship between the Vatican and the Chinese Communist Party, as well as spoofed emails purporting to come from journalists at the Catholic News Union of Asia. In these attacks the group used RAR archives to deliver PlugX, although the delivery vector for the archives themselves has not yet been determined. The group is, however, known to use Google Drive and Dropbox URLs in its phishing emails.
The RAR archives used in the campaign contain an encrypted PlugX payload, a legitimate Adobe executable abused for DLL side-loading, and a Golang binary that decrypts and loads the malware.
According to Proofpoint, this is the first time the group has used a Golang binary in its attacks. Although the loader is now a different type of file, its functionality is unchanged: it launches PlugX and also establishes persistence for it on the system.
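A defender triaging an extracted archive can look for the three-part structure described above. The script below is an added example, not code from the article or from Proofpoint; it classifies each archive member from its PE header and byte entropy, treats the "Go build ID:" marker the Go toolchain embeds as evidence of a Go-built binary, and flags the combination of a plain host executable, a Go binary and an opaque high-entropy blob. The thresholds, the marker heuristic and the sample files are assumptions constructed for the demo.

```python
import math
import random
import struct
from collections import Counter

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag marking a DLL image
GO_BUILD_ID = b"Go build ID:"    # marker the Go toolchain embeds in its binaries (heuristic)

def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return None
    # COFF header follows the 4-byte signature; Characteristics sits at offset 18 in it
    return struct.unpack_from("<H", data, pe_off + 4 + 18)[0]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def classify(data: bytes) -> str:
    chars = pe_characteristics(data)
    if chars is None:
        return "encrypted_blob" if shannon_entropy(data) > 7.0 else "data"
    if GO_BUILD_ID in data:
        return "go_loader"
    return "dll" if chars & IMAGE_FILE_DLL else "exe"

def triage(members: dict) -> dict:
    """Classify every archive member and flag the host-EXE + Go loader + blob combination."""
    kinds = {name: classify(blob) for name, blob in members.items()}
    trio = {"exe", "go_loader", "encrypted_blob"} <= set(kinds.values())
    return {"members": kinds, "plugx_like_trio": trio}

def _fake_pe(dll=False, go=False) -> bytes:
    """Constructed minimal PE image for the demo: MZ stub, PE signature, COFF header."""
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, IMAGE_FILE_DLL if dll else 0)
    body = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + coff
    return body + (b"\xff Go build ID: \"constructed\"\n \xff" if go else b"")

def constructed_sample() -> dict:
    """Stand-in for an extracted archive (constructed for this demo, not real malware)."""
    rng = random.Random(1)
    return {"adobe_host.exe": _fake_pe(), "loader.exe": _fake_pe(go=True),
            "payload.dat": bytes(rng.getrandbits(8) for _ in range(4096))}
```

Run `triage(constructed_sample())` to see the per-member classification and the trio flag; on a real archive, feed it the extracted members' bytes instead.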
The IP address of the C&C server was hosted by the Chinese Internet service provider Anchnet Asia Limited and was in use from at least August 24 to September 28, 2020. Since the IP address is no longer active, the attackers are assumed to be moving to new infrastructure.