### CYBER

 THREAT

 ANALYSIS

**CHINA** By Insikt Group®

December 23, 2022

# RedDelta Targets European Government Organizations and Continues to Iterate Custom


-----

_This report details recent activity conducted by the likely Chinese state-_
_sponsored threat activity group RedDelta. The activity was identified through a_
_combination of large-scale automated network traffic analytics and expert analysis._
_This report will be of most interest to individuals and organizations with strategic_
_and operational intelligence requirements relating to Chinese cyber threat activity,_
_as well as network defenders in government organizations within Southeast Asia_
_and Europe._

#### Executive Summary

Recorded Future’s Insikt Group continues to track activity we
attribute to the likely Chinese state-sponsored threat activity
group RedDelta targeting organizations within Europe and
Southeast Asia using a customized variant of the PlugX backdoor.
Since at least 2019, RedDelta has been consistently active within
Southeast Asia, particularly in Myanmar and Vietnam, but has also
routinely adapted its targeting in response to global geopolitical
events. This is historically evident through the group’s targeting
of the Vatican and other Catholic organizations in the lead-up to
2021 talks between Chinese Communist Party (CCP) and Vatican
[officials [1,2], as well as throughout 2022 through the group’s](https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf)
shift towards increased targeting of European government and
[diplomatic entities following Russia’s invasion of Ukraine.](https://www.proofpoint.com/uk/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european)

During the 3-month period from September through
November 2022, RedDelta has regularly used an infection
chain employing malicious shortcut (LNK) files, which trigger
a dynamic-link library (DLL) search-order-hijacking execution
chain to load consistently updated PlugX versions. Throughout
this period, the group repeatedly employed decoy documents
specific to government and migration policy within Europe.
Of note, we identified a European government department
focused on trade communicating with RedDelta command-andcontrol (C2) infrastructure in early August 2022. This activity
commenced on the same day that a RedDelta PlugX sample
using this C2 infrastructure and featuring an EU trade-themed
decoy document surfaced on public malware repositories.
We also identified additional probable victim entities within
Myanmar and Vietnam regularly communicating with RedDelta
C2 infrastructure.

RedDelta closely overlaps with public industry reporting
under the aliases BRONZE PRESIDENT, Mustang Panda, TA416,
Red Lich, and HoneyMyte.


#### Key Judgments

  - RedDelta has consistently conducted long-term cyber
espionage campaigns in line with the strategic interests
of the Chinese government, including historical targeting
of government and public sector organizations across
Asia and Europe as well as overseas organizations
associated with minority groups within mainland China
such as Tibetan and Catholic Church-related entities.

  - Despite the volume of public reporting on the group’s

activity, RedDelta employs a high operational tempo
relative to other state-sponsored actors. The group also
maintains a rapid pace of development for its flagship
backdoor (remote access trojan [RAT]), a variant of the
long-running backdoor PlugX that is heavily customized
for anti-analysis for detection evasion.

  - In November 2022, RedDelta actors shifted from using

archive files to using malicious optical disc image (ISO)
files containing a simplified shortcut (LNK) file for
delivery of an updated PlugX payload.


-----

**_[Figure 1: High-level RedDelta TTPs and Recorded Future data-sourcing graphic; historically reported TTPs are shown in gray [1,2] (Source: Recorded Future)](https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf)_**


-----

#### Background

**_Figure 2: Timeline of RedDelta activity from June 2020 to November 2022_**
_(Source: Recorded Future)_

In mid-2020, we [published research identifying RedDelta](https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf)
intrusions targeting several Catholic Church-related
organizations, including the Vatican and the Catholic Diocese of
Hong Kong. This activity took place in the lead-up to negotiations
between Chinese Communist Party (CCP) and Vatican officials.
[These findings were also later corroborated by NortonLifeLock.](https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf)
In addition to the targeting of entities related to the Catholic
Church, we also identified RedDelta network intrusions affecting
law enforcement and government entities in India, a government
organization in Indonesia, and other targets across Myanmar,
Hong Kong, and Australia. In this activity the group used multiple
malware variants including a customized PlugX variant, Cobalt
Strike, and Poison Ivy.

Shortly after the publication disclosing activity targeting
the Vatican, we [identified renewed RedDelta activity again](https://www.recordedfuture.com/reddelta-cyber-threat-operations)
targeting Catholic Church-related organizations as well as an
entity associated with the Tibetan community-in-exile. Other
high-profile intrusions [conducted by RedDelta in 2020 include](https://www.reuters.com/article/us-ethiopia-african-union-cyber-exclusiv-idINKBN28Q1DB)
the compromise of the African Union.


Throughout 2021, we observed continued RedDelta activity
targeting government organizations in Indonesia, Myanmar,
and Vietnam. In late 2021 and early 2022, RedDelta targeting
shifted back toward Europe and the group [began using decoy](https://www.proofpoint.com/uk/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european)
documents themed around escalating tensions between Russia
and Ukraine, and eventually around the war itself, as disclosed
within customer-facing Insikt Group research and public reporting
[by Proofpoint, Secureworks, and ESET.](https://www.proofpoint.com/uk/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european)

#### Threat/Technical Analysis

##### Infrastructure Analysis

In March 2022, we and other researchers reported on
renewed RedDelta activity targeting European government and
diplomatic organizations, in many cases using lure documents
[centered on the war in Ukraine [1,](https://www.proofpoint.com/uk/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european) [2,](https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/) [3]. Since this reporting,](https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx)
we have continued to observe similar activity targeting Europe,
[some of which has been covered through Secureworks reporting.](https://www.secureworks.com/blog/bronze-president-targets-government-officials)


-----

[In contrast to historical activity, RedDelta has largely moved](https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf)
away from use of domain names for C2 infrastructure toward
hardcoded actor-controlled virtual private server (VPS) IP
addresses. Since March 2022, the group has used a wide variety
of autonomous systems (ASs), with a particular preference for
the following autonomous system numbers (ASNs):

 - GreenFloid — AS204957

 - Aptum Technologies — AS13768

  - Input Output Flood LLC — AS53755

 - QuadraNet — AS8100

 - XNNET — AS6134

In many cases, the actor’s operational infrastructure on
the above ASNs was likely purchased through a China-based
VPS reseller called Yun-LLC (vm[.]sg). We have also observed
consistent use of specific server responses and multiple reused
TLS certificates since March 2022, some of which was referenced
[in recent Blackberry reporting.](https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets)

##### Victimology

We observed likely victims in Vietnam and Myanmar
communicating with RedDelta C2 infrastructure throughout
2022, which aligns with the typical historical targeting of the
group. We also identified multiple IP addresses associated with
a European government department focused on trade regularly
communicating with the RedDelta C2 IP address 64.34.205[.]178
on August 9, 2022. On this date, we also observed a RedDelta
PlugX phishing campaign featuring an EU trade-themed decoy
document using this C2, which surfaced on public malware
repositories. We have not observed any further evidence of
compromise for this organization since this date.


##### Malware Analysis

 Initial Infection Vector — August to October 2022

The infection vector used from August to October 2022
remained largely unchanged from recent [Secureworks and](https://www.secureworks.com/blog/bronze-president-targets-government-officials)
[BlackBerry reporting covering RedDelta activity (tracked as](https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims)
BRONZE PRESIDENT by Secureworks researchers). In each
case, an archive file is delivered to the targeted user, likely via
spearphishing, which contains a Windows shortcut (LNK) file
disguised using a double extension (such as .doc.lnk) and a
Microsoft Word icon. The archive also features a series of nested
hidden folders that contain 3 files used within a DLL searchorder-hijacking triad: a legitimate binary, a malicious DLL loader,
and an encrypted PlugX payload that is ultimately loaded into
memory. Upon execution of the shortcut file, this executes the
legitimate binary vulnerable to DLL search order hijacking and
also displays a decoy document to the victim.

The observed RedDelta LNK files during this timeframe were
created on a system with the hostname `desktop-n2v1smh,`
which was previously [noted in earlier LNK files used by the](https://www.secureworks.com/blog/bronze-president-targets-government-officials)
group. In each case, the LNK file contains a similar argument
to the example shown in Figure 5 in order to run the legitimate
executable and start the DLL search-order-hijacking chain:
```
  “_\___\_\___\______\_____\__\test11.

```
bpu||(forfiles /^P %USERPROFILE%\ /S /^M
“Political Guidance for the new EU approach
towards Russia.rar” /C “cmd /c (c:\progra~1\7Zip\7z x -y -aoa @path||c:\progra~2\7-Zip\7z x
-y -aoa @path||c:\progra~1\winrar\winrar x -id
-o+ @path||c:\progra~2\winrar\winrar x -id -o+ @
path)&&_\___\_\___\______\_____\__\test11.bpu”)”

**_Figure 5: Example of command run by LNK file to trigger DLL search-order-hijacking chain_**
_(Source: Recorded Future)_


**_Figure 3: LNK file masquerading as a .doc file due to use of a double extension and Microsoft Word icon (Source: Recorded Future)_**

**_Figure 4: Nested hidden folder containing a legitimate executable (ClassicExplorerSettings.exe renamed as test.bpu), malicious DLL loader (ClassicExplorer32.dll), and encrypted_**
_payload (ClassicExplorerLog.dat) (Source: Recorded Future)_


-----

##### Initial Infection Vector - November 2022

**_Figure 6: Contents of ISO file “Unilateral statement by the Commission on migration.iso” used in_**
_November 2022 (Source: Recorded Future)_

The LNK file in this case (Figure 8) was simplified compared

In November 2022, we identified new RedDelta activity

to the one described in Figure 5 and no longer used previously

using a slightly altered infection chain. In this case an ISO file

reported user metadata, likely in reaction to public reporting

titled “Unilateral statement by the Commission on migration.

highlighting this aspect.

_iso” was served through the actor-controlled domain microsite-_
manager[.]com, which was hosted on IP address 5.34.182[.]68

“C:\Windows\System32\cmd.exe /q /c “System

at the time of analysis. This IP address also concurrently hosted

Volume Information\ \ \ \test.chs”

a probable additional RedDelta domain, mashupdatabase[.]com,

**_Figure 8: Simplified LNK argument observed in November 2022 RedDelta activity (Source: Recorded_**

which was registered through GoDaddy at the same time as _Future)_
microsite-manager[.]com.

Similar to previously described activity, the ISO contained
an LNK file and nested hidden folders titled System Volume
Information containing the DLL search-order-hijacking triad,
as shown in Figure 6. Notably, in this case the System Volume
Information folder also contains a desktop.ini file featuring
a Class ID (CLSID) Key shortcut {F6B6E965-E9B2-444B-928610C9152EDBC5}, which corresponds to the File History utility in
Microsoft Windows. Interestingly, this folder is interpreted by File
Explorer as a legitimate shortcut to File History, and redirects
the user to this utility rather than displaying the true malicious
contents of the folder that are executed using the LNK file.

**_Figure 7: User is directed to File History navigator upon clicking System Volume Information folder,_**
_rather than revealing a series of nested folders containing the PlugX DLL search-order-hijacking_
_triad (Source: Recorded Future)_


-----

**_Figure 9: Nested_** _hidden folders of “System Volume Information” containing PlugX DLL search-order-_
_hijacking triad (Source: Recorded Future)_

##### Use of European Government Trade- and Migration- Themed Decoy Documents

In all identified RedDelta samples observed from August to
November 2022, the user was shown a decoy document specific
to government and migration policy within Europe, including: an
Austrian immigration program (Red-White-Red Card); a European
Union (EU) trade and migration policy; Serbia’s EU accession
application; and political guidance on the EU’s approach toward
Russia. These samples ultimately load the group’s customized
variant of the PlugX backdoor. Notably, in at least one case the
group appeared to have edited a publicly available document
(the European Commission [Serbia Report 2022) to make it](https://neighbourhood-enlargement.ec.europa.eu/serbia-report-2022_en)
appear more sensitive. This included the inclusion of “SENSITIVE”
and “need to know” distribution markings with the rest of the
document remaining unchanged, despite the finalized version
being publicly available at the time of the observed activity. We
previously [observed RedDelta using a similar tactic to mark a](https://www.recordedfuture.com/reddelta-cyber-threat-operations)
publicly available United Nations General Assembly report as an
“Advanced Unedited Version”.

In each case, all the necessary components for loading the
final payload are included within the initial container file. Earlier
in 2022, the group [regularly](https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/) [employed an interim stage where](https://www.proofpoint.com/uk/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european)
a loader fetched all of these components from a remote actorcontrolled server. This loader step has been replaced by the
aforementioned use of LNK files and, more recently, by the use
of archive files with an ISO file.


-----

8838

**_Table 1: RedDelta samples observed from August to November 2022, all featuring Europe-themed filename lures and decoy documents. The use of the string “test” was observed frequently within_**
_RedDelta filenames, PlugX config campaign IDs, and TLS certificates over this period. (Source: Recorded Future)_

|Shortcut File|Legitimate Binary Used for DLL Search Order Hijacking|Malicious Loader DLL|Encrypted PlugX Payload|
|---|---|---|---|
|Written comments of Hungary.doc.lnk|LMIGuardianSvc.exe (renamed test.msd)|LMIGuardianDll.dll|LMIGuardianDll.dat|
|SHA256: 720263e2330c07c1def2e63ca722 272c1cc3b30ebea6bd7b96d9e482 6803cc7|SHA256: 26c855264896db95ed46e502f2d3 18e5f2ad25b59bdc47bd7ffe92646 102ae0d|SHA256: e5e396be385d38f69566aa141de30 30ffe4eaad8afb244a2c22df4b6db42 5478|SHA256: ef2b6b411b79f751d73e824302 ca00ff9f0d759a6eea02d2cfb1139 0d0e9379b|
|Unilateral statement by the Commission on migration.docx.lnk|LMIGuardianSvc.exe (renamed test.chs)|LMIGuardianDll.dll|LMIGuardianDll.dat|
|SHA256: c50f7305bd1d085e642588e16fb130bc ed4a69eae0b0fc48c1c93e4935dc70 d4|SHA256: 26c855264896db95ed46e502f2d318 e5f2ad25b59bdc47bd7ffe92646102ae 0d|SHA256: b35a9716e180b6a4cc92ccdc5d5825 c62a41b4f13c0e38b757b2f47b202fc 012|SHA256: d6e0903b9d9464c90c2007d84 e8cf2387359c693a04c349cf0b5 51e65f860181|
|Godišnji izveštaj EK o Srbiji.pdf.lnk SHA256: 0055e6385633ca35ab3ac70f56d18d9 0b8d5a5894a5d8e738e567c3f7fb337 be|LMIGuardianSvc.exe (renamed svc.tmt)|LMIGuardianDll.dll SHA256: 397cc7543c3b485d9d6ad4d9bc1b25 ad098b6484b6a1c4edbd71558103ab0 eb3|LMIGuardianDat.dat SHA256: 1765476a354244c6acba50b8f948d 2afe23963ecc3a4cbf1f890a738556 2d919|
||SHA256: 26c855264896db95ed46e502f2d3 18e5f2ad25b59bdc47bd7ffe92646 102ae0d|||
|General background to the Red-White-Red - Card.doc.lnk|AcroDist.exe (renamed test.tmt)|AcroDistDLL.dll|AcroScan.dat|
|SHA256: becdb31a669676dac3e79 7fb6db482f9fd644853e73fc28eb00 31bd58487d081|SHA256: 01b68a0c13032bb59f262e d94d2daf85e50fad7a1502a3097029b 66b7eb4f903|SHA256: adb61bb5e3941e3824f57e9 8b2739a00ce4d6e3aa4af2257f99c9 698f584753a|SHA256: bfa84b7b4802a480fab49 8a16a1d177c46495df8f4f950f5d7 3e9cb220988e2a|
|Political Guidance for the new EU approach towards Russia.doc.lnk|ClassicExplorerSettings.exe (renamed test.bpu)|ClassicExplorer32.dll|ClassicExplorerLog.dat|
|SHA256: 3e33897fcbf2f830b665489017a84 3146955ef67061bd58f004c418b6b 97e9ea|SHA256: b44cc792ae7f58e9a12a121c14a06 7ee1dd380df093339b4bf2b02df5937 b2af|SHA256: 8e27900949a087349488d82e74349 37bd253d31749041bb0233000a733 9fc3e1|SHA256: 9c1ea202237726984b754d17528cf ab0212ff9587bbffaf01c8535277b01 c24a|
|State of play in EU trade policy.docx.lnk|AcroDist.exe|AcroDistDLL.dll|AcroScan.dat|
|SHA256: 131209d5e752300d4af86375abd81d24 4467b50238e2ffecf62239efaec6e361|SHA256: 01b68a0c13032bb59f262ed94d2daf85 e50fad7a1502a3097029b66b7eb4f903|SHA256: 7afbd413c8df77b0c1e0de046c6a726b 5afce28efc06f7986c1d8c107cfa89b1|SHA256: 458e19df6dc3402b2b12f473c9aec1 38d64a289c1539a92dd70cfae281c5 8838|


-----

-----

##### PlugX Loading Mechanism and Payload

After being executed through the legitimate binary, the DLL
loader is responsible for decrypting the PlugX payload (the .dat
files listed in **Table 1) prior to passing execution off to them.**
[While RedDelta has consistently updated the decryption routine](https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european)
used, we have observed this routine changing more frequently
throughout 2022. The developers of the PlugX variant used in
RedDelta activity had previously used a prepended XOR key,
but have since switched to various iterations of XOR decryption
schemes that don’t rely on the XOR key being prepended to the
file.

|Sample File Name(s)|PlugX Payload Decoding Technique|Config Decryption Key|
|---|---|---|
|State of play in EU trade policy.zip (August 2022)|The formula for this sample is ((~key & 0x55 | 0x00 | key & 0xAA)& 0xff) ^ (~byte & 0x55 | byte & 0xAA). However, this can be simplified down to byte ^ key. For either formula, the key is incremented by the same hardcoded value between each XOR operation. The decryption begins a few bytes from the start of the file.|ax5Mg76v9|
|General background to the Red-White-Red - Card.zip (October 2022) Political Guidance for the new EU approach towards Russia.rar (October 2022)|The formula for these samples is byte ^ ((key - (0x00 - filesize)) & 0xff). In these samples, the “key” value in the formula above changes each iteration of the loop. The value in the subsequent iteration is the final XOR value calculated in the one before. The first iteration uses a hard-coded “seed” value for the “key” value.|ax5Mg76v9|


**_Figure 10: Europe-themed decoy documents used in RedDelta activity from August to November_**
_2022 (Source: Recorded Future)_


-----

|Sample File Name(s)|PlugX Payload Decoding Technique|Config Decryption Key|
|---|---|---|
|Unilateral statement by the Commission on migration.iso (November 2022) SWC 202022.iso (November 2022) Written comments of Hungary.rar (December 2022)|The formula for these is byte ^ ((key + (filesize>>1)) & 0xff). In these samples, the “key” value in the formula above changes each iteration of the loop. The value in the subsequent iteration is the final XOR value calculated in the one before. The first iteration uses a hard-coded “seed” value for the “key” value.|jOh752oCI|


**_Table 2: Evolution in payload-encoding mechanism observed in RedDelta PlugX samples from_**
_August to November 2022 (Source: Recorded Future)_

The PlugX samples continue to use an encrypted configuration
that contains values such as C2, mutex, file path, decoy document
file name, and a custom marker (extracted configurations are
included in **Appendix C). The mutex and file path continue to**
follow a pattern of being named after the legitimate executable
filename followed by 3 (file path) or 6 (mutex) random letters.
[This has been a consistent attribute of RedDelta PlugX use for](https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong)
several years.

All of the PlugX files contain a decoy document in the overlay
section of the Windows executable that is subsequently shown
to the user, as displayed in Figure 10. The HTTP POST headers
observed in the latest PlugX samples also remain identical to
[versions described in ESET and Proofpoint reporting from March](https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/)
2022, with the exception of the hard-coded User-Agent value.

**_Figure 11: Request headers and server response observed in RedDelta’s customized PlugX variant_**
_(Source: Recorded Future Triage)_


-----

#### Mitigations

  - Configure your intrusion detection systems (IDS),

intrusion prevention systems (IPS), or any network
defense mechanisms in place to alert on — and upon
review, consider blocking illicit connection attempts
from — the external IP addresses and domains listed in
**Appendix A.**

  - Where possible, alert on use of known disk image file

types, such as ISO, and shortcut files, which have been
[increasingly abused by threat actors in recent times.](https://www.proofpoint.com/uk/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world)
Furthermore, organizations should consider disabling
auto-mounting of ISO files.

  - Practice network segmentation and ensure special

protections exist for sensitive information, such as multifactor authentication and extremely restricted access
and storage on systems only accessible via an internal
network.

  - Disable basic and legacy authentication where possible,

as these can allow attackers to bypass in-place security
measures.

  - Keep all software and applications up to date — in

particular, operating systems, antivirus software, and
core system utilities.

  - Filter email correspondence and scrutinize attachments

for malware.

  - Employ host-based controls; one of the best defenses

and warning signals to thwart attacks is to conduct
client-based host-logging and intrusion detection
capabilities.

  - Implement basic incident response and detection

deployments and controls like network IDS, netflow
collection, host-logging, and web proxy, alongside human
monitoring of detection sources.


#### Outlook

RedDelta continues to be a highly persistent threat activity
group conducting operations targeting organizations across
Asia and Europe. Throughout 2022, we have identified RedDelta
operators iterating and adding new defense evasion and antianalysis methods to the group’s customized PlugX variant at a
rapid pace. Despite this, many elements of the group’s TTPs
have remained consistent over time. While RedDelta has shown
a propensity for targeting certain geographic regions over many
years, particularly Vietnam and Myanmar, the group has also
demonstrated the ability to quickly shift targeting in line with
emerging geopolitical developments.


-----

#### Appendix A — Indicators of Compromise

Network Infrastructure:

Below is a list of IP addresses used by RedDelta active in November/December 2022 (as of 2022/12/06):

5.34.182[.]68 (last seen:2022/12/06)

38.55.105[.]46 (last seen:2022/12/06)

43.154.25[.]220 (last seen:2022/12/06)

45.90.59[.]153 (last seen:2022/12/06)

45.147.26[.]45 (last seen:2022/12/06)

82.118.21[.]86 (last seen:2022/12/06)

88.218.193[.]76 (last seen:2022/12/06)

88.218.193[.]247 (last seen:2022/12/06)

103.192.226[.]46 (last seen:2022/12/06)

103.192.226[.]87 (last seen:2022/12/06)

114.115.138[.]44 (last seen:2022/12/06)

185.80.201[.]4 (last seen:2022/12/06)

62.233.57[.]49 (last seen:2022/12/01)

185.14.29[.]26 (last seen:2022/11/15)

Additional select historical IP addresses used by RedDelta from March to October 2022 (please note that VPS IP addresses
are ephemeral indicators and change ownership over time):

195[.]123[.]208[.]140 (last seen:2022/10/31)

45.32.101[.]7 (last seen:2022/10/30)

5.34.178[.]156 (last seen:2022/10/30)

5.34.176[.]17 (last seen:2022/10/13)

107.181.160[.]16 (last seen:2022/10/06)

103.79.120[.]71 (last seen:2022/10/02)

103.79.120[.]68 (last seen:2022/09/23)

103.79.120[.]70 (last seen:2022/09/11)

184.164.89[.]173 (last seen:2022/09/10)

82.118.21[.]248 (last seen:2022/08/27)

103.79.120[.]72 (last seen:2022/08/18)

64.34.216[.]44 (last seen:2022/08/17)

64.34.205[.]178 (last seen:2022/08/16)


-----

64.34.216[.]50 (last seen:2022/08/15)

64.34.205[.]41 (last seen:2022/06/28)

64.34.205[.]45 (last seen:2022/06/28)

107.178.71[.]200 (last seen:2022/06/27)

107.167.64[.]6 (last seen:2022/06/25)

69.90.190[.]110 (last seen:2022/06/15)

185.239.226[.]7 (last seen:2022/06/15)

45.134.83[.]29 (last seen:2022/06/12)

104.255.174[.]59 (last seen:2022/05/24)

104.255.174[.]60 (last seen:2022/05/24)

104.255.174[.]58 (last seen:2022/05/20)

43.254.218[.]128 (last seen:2022/05/15)

104.255.174[.]54 (last seen:2022/05/03)

104.255.174[.]55 (last seen:2022/05/03)

104.255.174[.]53 (last seen:2022/05/02)

155.94.200[.]214 (last seen:2022/04/27)

155.94.200[.]215 (last seen:2022/04/27)

155.94.200[.]216 (last seen:2022/04/27)

69.90.184[.]125 (last seen:2022/04/22)

155.94.200[.]211 (last seen:2022/04/13)

155.94.200[.]206 (last seen:2022/04/12)

155.94.200[.]209 (last seen:2022/04/12)

103.192.226[.]38 (last seen:2022/03/24)

103.107.104[.]6 (last seen:2022/03/18)

107.167.64[.]4 (last seen:2022/03/09)
```
Domains:

```
microsite-manager[.]com

mashupdatabase[.]com

blogdirve[.]com


-----

```
Malware Samples:

```
1aeb51a19fb0162d8c0cf5bc27f666a2885d4497b1738f6ad9c7125a8bc3c2d9
Unilateral statement by the Commission on migration.iso

c50f7305bd1d085e642588e16fb130bced4a69eae0b0fc48c1c93e4935dc70d4
Unilateral statement by the Commission on migration.docx.lnk

b35a9716e180b6a4cc92ccdc5d5825c62a41b4f13c0e38b757b2f47b202fc012
LMIGuardianDll.dll

d6e0903b9d9464c90c2007d84e8cf2387359c693a04c349cf0b551e65f860181
LMIGuardianDll.dat

84cc77c788e3f5848893fb8b3cf3085d951d942ed79cae357984e42a27024e6e
Written comments of Hungary.rar

720263e2330c07c1def2e63ca722272c1cc3b30ebea6bd7b9c6d9e4826803cc7
Written comments of Hungary.doc.lnk

e5e396be385d38f69566aa141de3030ffe4eaad8afb244a2c22df4b6db425478
LMIGuardianDll.dll

ef2b6b411b79f751d73e824302ca00ff9f0d759a6eea02d2cfb11390d0e9379b
LMIGuardianDll.dat

5b027ada26a610e97ab4ef9efb1118b377061712acec6db994d6aa1c78a332a8
SWC 202022.iso

0055E6385633CA35AB3AC70F56D18D90B8D5A5894A5D8E738E567C3F7FB337BE
Godišnji izveštaj EK o Srbiji.pdf.lnk

397cc7543c3b485d9d6ad4d9bc1b25ad098b6484b6a1c4edbd71558103ab0eb3
LMIGuardianDll.dll

1765476a354244c6acba50b8f948d2afe23963ecc3a4cbf1f890a7385562d919
LMIGuardianDat.dat

f70d3601fb456a18ed7e7ed599d10783447016da78234f5dca61b8bd3a084a15
Political Guidance for the new EU approach towards Russia.rar

8e27900949a087349488d82e7434937bd253d31749041bb0233000a7339fc3e1
ClassicExplorer32.dll

3e33897fcbf2f830b665489017a843146955ef67061bd58f004c418b6b97e9ea
Political Guidance for the new EU approach towards Russia.doc.lnk

9c1ea202237726984b754d17528cfab0212ff9587bbffaf01c8535277b01c24a
ClassicExplorerLog.dat


-----

7558ff23586298a27fd504558884c880bcd17cd9ccf5379587c61be03653fd7a
State of play in EU trade policy.zip

7afbd413c8df77b0c1e0de046c6a726b5afce28efc06f7986c1d8c107cfa89b1
AcroDistDLL.dll

131209d5e752300d4af86375abd81d244467b50238e2ffecf62239efaec6e361
State of play in EU trade policy.docx.lnk

458e19df6dc3402b2b12f473c9aec138d64a289c1539a92dd70cfae281c58838
AcroScan.dat

79f5c7ee5f1cd22759816c0b90dc9ac8427c9e5450be8b0395cb49dd0ff4e284
General background to the Red-White-Red - Card.zip

becdb31a669676dac3e797fb6db482f9fd644853e73fc28eb0031bd58487d081
General background to the Red-White-Red - Card.doc.lnk

adb61bb5e3941e3824f57e98b2739a00ce4d6e3aa4af2257f99c9698f584753a
AcroDistDLL.dll

bfa84b7b4802a480fab498a16a1d177c46495df8f4f950f5d73e9cb220988e2a
AcroScan.dat


-----

#### Appendix B — Mitre ATT&CK Techniques

|Appendix B — Mitre ATT&CK Techniques|Col2|
|---|---|
|Tactic: Technique|ATT&CK Code|
|Resource Development: Acquire Infrastructure — Virtual Private Server|T1583.003|
|Resource Development: Acquire Infrastructure — Domains|T1583.001|
|Initial Access: Phishing Spearphishing Attachment|T1566.001|
|Initial Access: Phishing — Spearphishing Link|T1566.002|
|Execution: User Execution — Malicious File|T1204|
|Defense Evasion: Hijack Execution Flow — DLL Search Order Hijacking|T1574.001|
|Defense Evasion: Deobfuscate/Decode Files or Information|T1140|
|Defense Evasion: Hide Artifacts — Hidden Files and Directories|T1564.001|
|Defense Evasion: Hide Artifacts — Hidden Window|T1564.003|
|Defense Evasion: Masquerading — Match Legitimate Name or Location|T1036.005|
|Defense Evasion: Masquerading — Double File Extension|T1036.007|
|Command-and-Control: Encrypted Channel: Symmetric Cryptography|T1573.001|
|Command-and-Control: Data Encoding: Standard Encoding|T1132.001|
|Exfiltration: Exfiltration over C2 Channel|T1041|


-----

#### Appendix C — Extracted PlugX Configs

**Config Field** **Value**

Decoy Document Name General background to the Red-White-Red-Card.docx

Mutex AcroDistMGzXRY

File Path AcroDistJBM

Marker test2023

C2 - 1 107.181.160[.]16:443

C2 - 2 107.181.160[.]16:443

C2 - 3 107.181.160[.]16:443

_Table 3: Extracted config from bfa84b7b4802a480fab498a16a1d177c46495df8f4f950f5d73e9cb220988e2a (Source: Recorded Future)_

**Config Field** **Value**

Decoy Document Name State of play in EU trade policy.docx

Mutex AcroDistBGoFSQ

File Path AcroDistDIr

Marker eu

C2 - 1 64.34.205[.]178:443

C2 - 2 64.34.205[.]178:443

C2 - 3 64.34.205[.]178:443

_Table 4: Extracted config from 458e19df6dc3402b2b12f473c9aec138d64a289c1539a92dd70cfae281c58838 (Source: Recorded Future)_

**Config Field** **Value**

Decoy Document Name

Mutex ClassicExplorepDvoov

File Path ClassicExploreFvN

Marker test222

C2 - 1 5.34.178[.]156:443

C2 - 2 5.34.178[.]156:443

C2 - 3 5.34.178[.]156:443

_Table 5: Extracted config from 9c1ea202237726984b754d17528cfab0212ff9587bbffaf01c8535277b01c24a (Source: Recorded Future)_

**Config Field** **Value**

Decoy Document Name

Mutex LMIGuardianEsKRrY

File Path LMIGuardianjIg

Marker test

C2 - 1 62.233.57[.]49:443

C2 - 2 62.233.57[.]49:443

C2 - 3 62.233.57[.]49:443

_Table 6: Extracted config from 1aeb51a19fb0162d8c0cf5bc27f666a2885d4497b1738f6ad9c7125a8bc3c2d9 (Source: Recorded Future)_

|Appendix C — Extracted PlugX Configs|Col2|
|---|---|
|Config Field|Value|
|Decoy Document Name|General background to the Red-White-Red-Card.docx|
|Mutex|AcroDistMGzXRY|
|File Path|AcroDistJBM|
|Marker|test2023|
|C2 - 1|107.181.160[.]16:443|
|C2 - 2|107.181.160[.]16:443|
|C2 - 3|107.181.160[.]16:443|

|Config Field|Value|
|---|---|
|Decoy Document Name|State of play in EU trade policy.docx|
|Mutex|AcroDistBGoFSQ|
|File Path|AcroDistDIr|
|Marker|eu|
|C2 - 1|64.34.205[.]178:443|
|C2 - 2|64.34.205[.]178:443|
|C2 - 3|64.34.205[.]178:443|

|Config Field|Value|
|---|---|
|Decoy Document Name|Political Guidance for the new EU approach towards Russia.docx|
|Mutex|ClassicExplorepDvoov|
|File Path|ClassicExploreFvN|
|Marker|test222|
|C2 - 1|5.34.178[.]156:443|
|C2 - 2|5.34.178[.]156:443|
|C2 - 3|5.34.178[.]156:443|

|Config Field|Value|
|---|---|
|Decoy Document Name|Unilateral statement by the Commission on migration.docx|
|Mutex|LMIGuardianEsKRrY|
|File Path|LMIGuardianjIg|
|Marker|test|
|C2 - 1|62.233.57[.]49:443|
|C2 - 2|62.233.57[.]49:443|
|C2 - 3|62.233.57[.]49:443|


-----

C2 - 3 62.233.57[.]49:443

_Table 7: Extracted config from 5b027ada26a610e97ab4ef9efb1118b377061712acec6db994d6aa1c78a332a8 (Source: Recorded Future)_

**Config Field** **Value**

Decoy Document Name Written comments of Hungary.docx

Mutex LMIGuardianvSqtmC

File Path LMIGuardianpfc

Marker test

C2 - 1 45.90.59[.]153:443

C2 - 2 45.90.59[.]153:443

C2 - 3 45.90.59[.]153:443

_Table 8: Extracted config from 84cc77c788e3f5848893fb8b3cf3085d951d942ed79cae357984e42a27024e6e (Source: Recorded Future)_

|Config Field|Value|
|---|---|
|Decoy Document Name|Godišnji izveštaj EK o Srbiji.pdf|
|Mutex|LMIGuardianRqEbeL|
|File Path|LMIGuardianqqH|
|Marker|ser|
|C2 - 1|62.233.57[.]49:443|
|C2 - 2|62.233.57[.]49:443|
|C2 - 3|62.233.57[.]49:443|

|Config Field|Value|
|---|---|
|Decoy Document Name|Written comments of Hungary.docx|
|Mutex|LMIGuardianvSqtmC|
|File Path|LMIGuardianpfc|
|Marker|test|
|C2 - 1|45.90.59[.]153:443|
|C2 - 2|45.90.59[.]153:443|
|C2 - 3|45.90.59[.]153:443|


-----

About Insikt Group[®]

Recorded Future’s Insikt Group, the company’s threat research division, comprises

analysts and security researchers with deep government, law enforcement, military, and

intelligence agency experience. Their mission is to produce intelligence that reduces

risk for clients, enables tangible outcomes, and prevents business disruption.

About Recorded Future[®]

Recorded Future is the world’s largest intelligence company. The Recorded

Future Intelligence Platform provides the most complete coverage across adversaries,

infrastructure, and targets. By combining persistent and pervasive automated data

collection and analytics with human analysis, Recorded Future provides real-time

visibility into the vast digital landscape and empowers clients to take proactive

action to disrupt adversaries and keep their people, systems, and infrastructure safe.

Headquartered in Boston with offices and employees around the world, Recorded

Future works with more than 1,500 businesses and government organizations across

60 countries.

Learn more at recordedfuture.com and follow us on Twitter at @RecordedFuture.


-----