RedDelta Malware Update – Political Intrigue between China and the Vatican

In my original RedDelta analysis (which I did for the final project of my Malware Analysis class), I took a new malware sample from The Zoo that I really had no information about – just five unnamed files, and did an analysis of two files that I found within – the malware loading program and a related DLL. There was no information online regarding where the malware had come from – the sample had just been uploaded five days earlier, and there weren’t any other analyses of it online. That’s why I chose it though – I wanted to go into it blind for the challenge.

There was a file that I didn’t get to though, because it was a 64-bit executable and the tools I was using for class weren’t set up for that. Recently I started putting together a new VM with updated tools to take a look at that file, and when I searched for it online again I found that there is *much* more information available about it now in the form of highly detailed reports.

It turns out that RedDelta is a hacking group widely believed to be sponsored by the Chinese government, and possibly related to another group called Mustang Panda. The malware was found on machines in the Vatican, which would explain why the names of both of the lure documents relate to the Catholic church. It has also been seen in attacks on the Catholic Diocese of Hong Kong as well as police and government organizations in Indonesia and India.

There are high-level talks going on between the Vatican and China right now, that have been planned for a couple years – there was an agreement in 2018 and it was expected that it would need to be renewed. The talks relate to how much control the Vatican has over the Catholic organizations in China vs. how much control the Communist Party has – for instance, who gets to appoint bishops. It appears that RedDelta was working to infiltrate computer systems in the Vatican in order to gather intelligence about Vatican opinions and strategy going into these talks, presumably so that China could have the upper hand in negotiations.

So, it has been really cool and interesting to basically grab some unnamed files from an archive and end up working on malware that is actively being used for political gain in world events.

As I mentioned, I’ve been working on spinning up a new Windows 10 VM and researching the current tools for 64-bit malware analysis. My goal is to do a full analysis of the 64-bit executable I found. Originally I had thought that was a 64-bit version of the loader, but now I believe it’s actually the payload – the original hk.dat file that was downloaded and installed on the victim’s machine when the user opened what they thought was a Word document.

From my initial forays it is *much*, much more complicated than the loaders, containing Visual Studio libraries and encryption routines – I presume for command-and-control communications. The report above says that it is a fairly well-known malware variant called PlugX.

My goal is still to do a Part 2 and detail my analysis of File #5 (presumably the PlugX payload). I’m currently debating how much I want to continue doing this blind, vs. researching what is known about PlugX and using that to help direct so I don’t waste time analyzing Microsoft libraries. There are *hundreds* of unnamed functions to work through. I also picked up The Ghidra Book and am learning that tool as I go.

Classes just started up again so I’m sure that will keep me busy, but I’m excited to continue working on this and will post Part #2 when I can.


Author: Charley Lucas

Silicon Design Verification | OVM Testbench Development | Hardware Security | Perpetual Student

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s