“Operation Dianxun” Has the RedDelta Group Targeting 5G Firms

  • Chinese state actors previously linked with high-profile phishing campaigns are now targeting 5G tech entities.
  • The hackers are possibly looking to collect intelligence around the topic, so this is a cyber-espionage operation.
  • The spearhead payload and the final to be dropped is Cobalt Strike, a frequently abused pen-testing tool.

The Chinese group of hackers known as RedDelta (possibly the same as Mustang Panda), previously linked with phishing campaigns targeting high-ranking Vatican officials, is now reportedly occupied with targeting companies that relate to the roll-out of 5G tech. The purpose of the actors in this campaign called “Operation Dianxun” is to engage in cyber-espionage.

According to McAfee’s ATR (Advanced Threat Research) team following the particular campaign, RedDelta has succeeded up to a point.

Source: McAfee

The initial vector of infection isn’t clear, but it’s possible that a domain under the control of the actors drops malware to the visitors. There are indications about this being a fake Huawei career page (“update[.]careerhuawei[.]net”), so the lure is set to catch telco professionals.

McAfee’s telemetry shows that RedDelta mostly targeted entities in the United States, India, and Europe. These entities directly or indirectly impact the current efforts to roll out 5G networks in their respective countries.

Source: McAfee

The malware itself is masqueraded too, posing as a Flash app, which performs some checks and then proceeds to download the second stage from Flach[.]cn. This is a DonNet utility that helps the actors in reconnaissance, can download additional payloads, and was confirmed to be fetching Cobalt Strike in the form of a base64 encoded gzip file.

Source: McAfee

This is a widely used and abused penetration testing product that enables the attackers to perform remote command execution on the compromised machines, keylogging, mimikatz credential stealing, port scanning, lateral movement, SOCKS proxying, privilege escalation, and more.

Source: McAfee

McAfee believes that Huawei’s ban in several countries across the world is directly related to this campaign, motivating the Chinese actors to dig deeper on how alternative 5G tech providers approach things.

While this makes sense, nobody can say what the goal of the actors is for sure. As for the attribution, there are no doubts about that as we see overlaps with previously recorded infrastructure, toolset, techniques, methods, and the same payloads used by RedDelta.

Latest
How to Watch ‘Sex, Lies and the College Cult’ Online From Anywhere: Stream the Lawrence Ray Documentary
A new and exciting documentary will soon make it to the screens, and you can easily add it to your streaming list...
How to Watch The D’Amelio Show Season 2 Online From Anywhere
The D’Amelio family is back for Season 2 of The D’Amelio Show, a reality series that takes you into the world of...
How to Watch This England Online From Anywhere: Stream Sky’s New Boris Johnson Drama
A highly-anticipated drama that chronicles the story of Boris Johnson and his administration as they respond to the COVID-19 pandemic is going...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari
[class^="wpforms-"]
[class^="wpforms-"]
[class^="wpforms-"]
[class^="wpforms-"]