A Chinese state-sponsored threat group known as Red Delta has stepped up its espionage campaigns against European entities tied to migrant and refugee services. Red Delta, also tracked as TA416, used web bugs (remotely hosted tracking images embedded in its emails, not web vulnerabilities) to profile and select its targets.
According to the researchers, the threat actors concentrate on refugee logistics and policy matters connected to the ongoing conflict between Russia and Ukraine.
Red Delta's current campaign uses these web bugs to confirm which recipients opened the lure and to identify its victims, then distributes PlugX malware payloads via malicious URLs.
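The profiling step above relies on a remote image that fetches a per-recipient URL when the mail is rendered. The following script is an added illustration of how a mail gateway or analyst could flag such images in an HTML body; it is not code from the original article or from the research it summarises. The sample message, the host names and the query token are constructed for the example, and the heuristics (tiny or hidden remote image, long opaque token in the query string) are assumptions about what a web bug typically looks like.

```python
"""Flag candidate web bugs (tracking images) in an HTML e-mail body.

Added illustration only: this is not code from the original article or
from the research it summarises. The sample message below is constructed,
and the host names and query token are made up for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a leading integer from a width/height attribute, else None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_tiny_or_hidden(attrs):
    """True for 1x1 (or smaller) dimensions, or an image hidden via inline style."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(s in style for s in ("width:1px", "height:1px", "display:none"))


def find_web_bugs(html, trusted_hosts=(), min_token_len=16):
    """Return [(src, reason)] for remote images that look like tracking pixels.

    A remote image is flagged when it is tiny/hidden, or when its query string
    carries a long opaque value (a per-recipient identifier is the usual way a
    sender learns exactly who opened the mail).
    """
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.imgs:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images never contact the sender's server
        if url.hostname in trusted_hosts:
            continue
        reasons = []
        if _is_tiny_or_hidden(attrs):
            reasons.append("1x1 or hidden image")
        if any(len(v[0]) >= min_token_len for v in parse_qs(url.query).values()):
            reasons.append("long opaque token in query string")
        if reasons:
            hits.append((src, "; ".join(reasons)))
    return hits


# Constructed sample lure body: one legitimate logo, one tracking pixel with a
# per-recipient token, and one inline (cid:) image that cannot phone home.
SAMPLE_HTML = """<html><body>
<p>Please review the attached refugee logistics update.</p>
<img src="https://cdn.example.org/logo.png" width="120" height="40">
<img src="https://track.example-invalid.net/p.gif?u=3f9a1c7b2d4e5f60a1b2" width="1" height="1">
<img src="cid:chart01" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for src, why in find_web_bugs(SAMPLE_HTML):
        print(f"web bug: {src}  ({why})")
```

Blocking remote image loads by default defeats the profiling outright; where that is not acceptable, a flag like the one above can feed a quarantine rule or simply log which recipients were beaconed so that the later PlugX delivery can be correlated with them.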
The researchers added that the group has updated its PlugX strain, changing its encoding method and expanding its configuration capabilities. They analysed the updated version from actual payload samples retrieved from those URLs by the first-stage dropper.
The updated Red Delta PlugX variant includes three configuration fields not present in earlier versions.
The first is a pair of hardcoded dates bounding the last-write time; the payload uses them to filter the files it collects from a particular directory.
The second is a minimum and maximum file size, used to filter files in the same directory.
The third is a format string that defaults to "Public"; it is used to change the folder's attributes so that the folder is hidden from the compromised user.
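To make the effect of those three fields concrete, the script below parses a configuration blob and applies the last-write window and size bounds to a directory listing. It is an added illustration, not PlugX code and not code from the original research: the byte layout (two FILETIME bounds, two 64-bit size bounds, then a NUL-terminated folder format string) is a hypothetical packing chosen for the example, since the real structure is not described on the page, and the sample configuration and file listing are constructed.

```python
"""Emulate the three file-filter fields reported in the updated PlugX config.

Added illustration only: this is neither PlugX code nor code from the
original research. The byte layout used here (two FILETIME last-write
bounds, two 64-bit size bounds, then a NUL-terminated folder format string)
is a hypothetical packing chosen for the example; the real configuration
structure is not described on the page. The directory listing is constructed.
"""
import struct
from datetime import datetime, timezone

# 100-nanosecond ticks between the FILETIME epoch (1601-01-01) and the Unix epoch.
_FILETIME_UNIX_DIFF = 116_444_736_000_000_000


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601) -> aware UTC datetime."""
    return datetime.fromtimestamp((ft - _FILETIME_UNIX_DIFF) / 10_000_000, tz=timezone.utc)


def dt_to_filetime(dt):
    """Aware datetime -> Windows FILETIME."""
    return int(dt.timestamp() * 10_000_000) + _FILETIME_UNIX_DIFF


def parse_filter_config(blob):
    """Hypothetical layout: <QQQQ> (t_min, t_max, size_min, size_max) + fmt\\0."""
    t_min, t_max, s_min, s_max = struct.unpack_from("<QQQQ", blob, 0)
    fmt = blob[32:].split(b"\x00", 1)[0].decode("ascii")
    return {
        "write_after": filetime_to_dt(t_min),   # field 1: last-write window
        "write_before": filetime_to_dt(t_max),
        "size_min": s_min,                      # field 2: size bounds
        "size_max": s_max,
        "folder_fmt": fmt or "Public",          # field 3: defaults to "Public"
    }


def select_files(cfg, listing):
    """Apply the window and size filter to (name, last_write_utc, size) tuples.

    Returns the names the collector would stage; everything outside the
    operator's window or size bounds is skipped, which keeps the exfil set small.
    """
    return [
        name
        for name, mtime, size in listing
        if cfg["write_after"] <= mtime <= cfg["write_before"]
        and cfg["size_min"] <= size <= cfg["size_max"]
    ]


def _utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed config: files written in Q1 2022, between 1 KiB and 5 MiB.
DEMO_BLOB = struct.pack(
    "<QQQQ",
    dt_to_filetime(_utc(2022, 1, 1)),
    dt_to_filetime(_utc(2022, 3, 31)),
    1024,
    5 * 1024 * 1024,
) + b"Public\x00"

# Constructed listing: (name, last write time, size in bytes).
DEMO_LISTING = [
    ("refugee_routes.xlsx", _utc(2022, 2, 10), 40_000),   # in window, in size
    ("old_policy.docx", _utc(2021, 11, 2), 80_000),       # too old
    ("thumbs.db", _utc(2022, 2, 11), 512),                # too small
    ("briefing.mp4", _utc(2022, 2, 12), 900_000_000),     # too large
    ("border_memo.pdf", _utc(2022, 3, 15), 2_000_000),    # in window, in size
]


def demo():
    """Parse DEMO_BLOB and return the file names it would select from DEMO_LISTING."""
    return select_files(parse_filter_config(DEMO_BLOB), DEMO_LISTING)


if __name__ == "__main__":
    print(parse_filter_config(DEMO_BLOB))
    print(demo())
```

For a defender the useful takeaway is the shape of the collection: a narrow time window and a size band mean the actor is after recently edited documents of ordinary size, so file-access telemetry that shows a single process enumerating a directory and reading only files in such a band is a better hunting signal than the volume of data moved.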
The researchers attributed the recent espionage attacks delivering PlugX to Red Delta because they closely resembled a TA416 campaign from two years earlier.
They also observed the same web bug patterns and victim selection recurring over the past three years, and the campaign used an identical file-naming structure for its ZIP and PDF decoy files. It further showed the same Trident Loader TTPs the threat actor uses to load PlugX.
The campaign against Europe reflects the geopolitical interests of the Red Delta group, which is also making fast-paced updates to its PlugX toolkit. Organisations outside Europe should therefore stay alert as well, since the same tooling and targeting pattern can be redirected elsewhere.