RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns
RedDelta and PlugX Malware Espionage
Overview
RedDelta is identified as a Chinese state-sponsored group that has been actively engaged in cyber espionage operations, particularly targeting countries in Southeast Asia, Mongolia, and Taiwan.
Recent Activities
Between July 2023 and December 2024, RedDelta targeted Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia using advanced spearphishing techniques to distribute its customized PlugX backdoor. Here are some key points from their recent activities:
- Infection Chain Evolution: RedDelta has continuously evolved its infection chain. Initially, they used Windows Shortcut (LNK) files delivered via spearphishing. In 2024, they transitioned to using Microsoft Management Console Snap-In Control (MSC) files. Most recently, they employed spearphishing links to prompt victims to load remotely hosted HTML files on Microsoft Azure [2].
- Targeted Entities: The group likely compromised the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. They also targeted the Vietnamese Ministry of Public Security, although there is no evidence of a successful compromise [2].
- Geographical Focus: RedDelta’s targeting in 2023 and 2024 focused on Southeast Asia, Mongolia, and Taiwan, aligning with Chinese strategic priorities. This marks a return to their historical focus after targeting European organizations in 2022 [2].
- Command and Control (C2) Traffic: RedDelta has consistently used the Cloudflare content distribution network (CDN) to proxy C2 traffic, making it harder to identify victims and helping the group evade detection [2].
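To make the delivery chain above actionable for a mail-security team, here is an added example that is not from the original article or any vendor report: a small Python triage over constructed mail-gateway log lines that flags the three delivery mechanisms described (LNK attachments, MSC attachments, and links to HTML files on Azure-hosted sites). The log format, the hostname suffixes treated as "Azure-hosted", and every sample address and filename are assumptions.

```python
import os
import re
from urllib.parse import urlparse

# Constructed mail-gateway log lines (not from the article): sender, recipient,
# attachment names and embedded URLs for one message per line.
SAMPLE_LOG = [
    "from=press@example.org to=analyst@mod.example attach=agenda.pdf urls=https://example.org/agenda",
    "from=news@example.net to=desk@mod.example attach=Flood_Protection_Plan.lnk urls=",
    "from=events@example.com to=desk@mofa.example attach=ASEAN_Meeting.msc urls=",
    "from=info@example.info to=staff@mod.example attach= urls=https://lure-site.azurewebsites.net/invite.html",
    "from=hr@example.com to=staff@mod.example attach= urls=https://intranet.example/policy.html",
]

# File types the article names as RedDelta delivery vectors.
DELIVERY_EXTENSIONS = {".lnk": "LNK shortcut attachment", ".msc": "MSC snap-in attachment"}
# Assumed hostname suffixes for "HTML hosted on Microsoft Azure"; adjust per environment.
AZURE_HOST_SUFFIXES = (".azurewebsites.net", ".blob.core.windows.net")

def parse_record(line):
    # One key=value log line -> dict with list-valued attach/urls fields.
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"from": fields.get("from", ""), "to": fields.get("to", ""),
            "attachments": [a for a in fields.get("attach", "").split(",") if a],
            "urls": [u for u in fields.get("urls", "").split(",") if u]}

def flag_record(rec):
    # Reasons a message matches the delivery chain described above (empty if none).
    reasons = []
    for name in rec["attachments"]:
        ext = os.path.splitext(name.lower())[1]
        if ext in DELIVERY_EXTENSIONS:
            reasons.append(f"{DELIVERY_EXTENSIONS[ext]}: {name}")
    for url in rec["urls"]:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host.endswith(AZURE_HOST_SUFFIXES) and parsed.path.lower().endswith((".html", ".htm")):
            reasons.append(f"link to HTML file on Azure-hosted site: {url}")
    return reasons

def triage(lines):
    # One dict per flagged message: sender, recipient and the matched reasons.
    hits = []
    for line in lines:
        rec = parse_record(line)
        reasons = flag_record(rec)
        if reasons:
            hits.append({"from": rec["from"], "to": rec["to"], "reasons": reasons})
    return hits
```

In production the same three checks would sit in a mail-gateway or SIEM rule; the point here is that each stage of the described chain has a cheap, high-signal indicator at the delivery layer.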
Tools and Techniques
- PlugX Backdoor: This is a remote access trojan used for stealing files, executing remote commands, installing backdoors, and deploying additional malicious software. The PlugX backdoor is highly customizable and has been a staple in RedDelta’s operations [2][4].
- Lure Documents: The group used themed lure documents, such as those related to the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including one for an Association of Southeast Asian Nations (ASEAN) meeting [2].
Southeast Asia Cyber Attacks in 2024
Increased Activity
- RedDelta Campaigns: As mentioned, RedDelta has been actively targeting countries in Southeast Asia. Their campaigns involved sophisticated spearphishing and the use of customized malware to compromise government and diplomatic organizations [2].
- General Trends: Taiwan reported a significant increase in cyberattacks, with the average number of daily cyberattacks targeting Taiwan's government network doubling to 2.4 million in 2024. China is believed to be behind most of these attacks [1].
Other Threat Actors
- APT-C-26 (Lazarus): While not directly related to RedDelta, another state-sponsored group, APT-C-26 (Lazarus), associated with North Korea, has also been active in the region. They used malicious IPMsg installers to target and infect victims with backdoors [1].
China State-Sponsored Hacking Trends
Strategic Focus
- Geopolitical Alignment: RedDelta’s activities are closely aligned with Chinese strategic priorities, focusing on governments and diplomatic organizations in regions seen as critical to Chinese interests. This includes Southeast Asia, Mongolia, and Taiwan [2].
- Advanced Persistent Threats (APTs): Chinese state-sponsored groups like RedDelta, APT27, and APT31 continue to run long-running intrusion campaigns, including the use of backdoors like PlugX and other malicious modules to steal files, monitor screen activity, and record keystrokes [2][4].
Recent Incidents
- US Treasury Hack: A recent hack of the US Treasury Department, attributed to the Chinese hacking group Silk Typhoon, involved the theft of a digital key from a third-party service provider to access unclassified documents. This incident highlights the ongoing threat from Chinese state-sponsored hacking groups [3].
Mitigation and Response
- Executive Order: In response to such threats, the Biden administration is preparing an executive order to enhance U.S. cybersecurity. The order includes measures such as strong identity authentication and encryption, better management of cryptographic keys, and stricter cybersecurity hygiene for software providers [3].
In summary, RedDelta's activities represent a significant component of China's state-sponsored cyber espionage efforts, particularly in Southeast Asia and other regions of strategic interest. The group's evolving tactics and use of advanced malware underscore the need for robust cybersecurity measures to mitigate these threats.