Written by Shannon Vavra
After months of public reporting on a suspected Chinese hacking campaign targeting entities linked with diplomacy between the the Vatican and Beijing, the hackers are still trying their luck.
Researchers at the security firm Recorded Future first called out hackers affiliated with a group called Mustang Panda in July for their efforts to conduct espionage against targets involved in negotiations about the operations of the Catholic Church in China, a historically fraught topic. After Recorded Future published its research on the hacking spree, attackers briefly paused their activity only to resume two weeks later with the same toolset.
Now the same group is back at it, with an effort to evade detection, according to Proofpoint research published Monday. This time, attackers updated their technique to deliver malware in order to avoid being noticed, according to Proofpoint researchers. While earlier this year the hackers targeted the diplomatic entities using a remote access trojan, a PlugX variant called “RedDelta PlugX,” they are now also using a new kind of malware written in Golang, a programming language, to go after their targets, according to Proofpoint.
The latest spate of targeting has included spoofed email headers meant to imitate journalists from the Union of Catholic Asia News and lures about the provisional agreement between the Vatican Holy See and the Chinese Communist Party.
While the recent changes have made tracking the Chinese-linked actors, also known as “RedDelta” or “TA416,” moderately more difficult, it has not left researchers entirely in the dark, the Proofpoint researchers said.
“As this group continues to be publicly reported on by security researchers, they exemplify a persistence in the modification of their toolset to frustrate analysis and evade detection,” the researchers write in a blog. “While baseline changes to their payloads do not greatly increase the difficulty of attributing TA416 campaigns, they do make automated detection and execution of malware components independent from the infection chain more challenging for researchers.”
The latest findings are evidence of how intent hackers are on collecting intelligence on entities involved in diplomacy between the Vatican and the Chinese Communist Party. The resurgence of the campaign came just days before the Vatican announced it had officially extended an agreement with Beijing about the appointment of Bishops in China, according to Proofpoint. And Although Beijing had previously announced an agreement on the status of the Catholic Church in China in September, information on Catholicism in China has been of keen interest to the Chinese government for decades, since the Vatican cut off diplomatic relations with China in 1951.
The hackers have also recently been targeting entities in Myanmar and entities conducting diplomacy in Africa, suggesting the hackers may have had tasking changes in recent months. The hackers have also been targeting unidentified entities in Hong Kong and Australia, in addition to government entities in India and Indonesia, in recent months as well, according to Recorded Future research.
Proofpoint does not have visibility into how the malicious files were first delivered, but the hacking group has historically relied on spearphishing emails with spammy Google Drive or Dropbox URLs capable of delivering PlugX malware.