Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor

March 30, 2023 | Ravie Lakshmanan | Endpoint Security / Malware


A Chinese government-backed threat group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.

Recorded Future told HackerNews, “RedGolf is a particularly prolific Chinese government-backed threat actor group that may have been active across a wide range of industries around the world for many years.

“The group has demonstrated the ability to rapidly weaponize newly reported vulnerabilities (such as Log4Shell and ProxyLogon) and has a history of developing and using various custom malware families.”

Use of KEYPLUG by Chinese threat actors was first revealed by Google-owned Mandiant in March 2022, in attacks that targeted multiple US state government networks between May 2021 and February 2022.

Then, in October 2022, Malwarebytes detailed another series of attacks targeting Sri Lankan government entities in early August. That campaign used a new implant called DBoxAgent to deploy KEYPLUG.

Both of these campaigns have been attributed to Winnti (aka APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future says “closely overlaps” with RedGolf.

Recorded Future said, “We have not observed any specific victims as part of the latest highlighted RedGolf activity.” “However, due to the overlap with previously reported cyber espionage activities, we believe it is likely that this activity was carried out for espionage purposes rather than financial gain.”

The cybersecurity firm said it identified a cluster of KEYPLUG samples and operational infrastructure (codenamed GhostWolf) used by the hacking group from at least 2021 to 2023, alongside other tools such as Cobalt Strike and PlugX.

The GhostWolf infrastructure consists of 42 IP addresses that act as KEYPLUG command and control. The adversary has also been observed to use a mix of traditional registered domains and dynamic DNS domains, often with technology themes, as points of communication for Cobalt Strike and PlugX.

“RedGolf will continue to exhibit a high operational tempo, rapidly weaponizing vulnerabilities in external-facing corporate appliances (VPNs, firewalls, mail servers, etc.) to gain initial access to target networks,” the company said.


“Additionally, the group will likely continue to adopt new custom malware families to add to existing tooling such as KEYPLUG.”

To defend against RedGolf attacks, organizations are advised to apply patches regularly, monitor access to external-facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to alert on malware detections.
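As an added example (not from the article or from Recorded Future), the following Python script shows the "track and block identified command-and-control infrastructure" recommendation in practice: it matches constructed DNS and proxy log lines against a C2 indicator list and flags contacts with dynamic DNS domains for review, since the article notes RedGolf mixes registered and dynamic DNS domains. The indicator values are placeholders from RFC 5737 documentation ranges and reserved example names, not the GhostWolf IPs or domains (the article publishes none), and the dynamic DNS suffix list is an illustrative assumption.

```python
"""Match log lines against a C2 indicator list and flag dynamic DNS contacts.

Added defensive example; indicators below are PLACEHOLDERS, not real IoCs.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder C2 indicators (assumption: in a real deployment these come from
# the vendor's published IoC list). RFC 5737 addresses and a reserved TLD.
C2_IPS = {"203.0.113.10", "198.51.100.25"}
C2_DOMAINS = {"update-service.example"}

# Illustrative dynamic DNS provider suffixes (assumption; extend as needed).
# A hit here is lower confidence than a known-C2 hit and needs analyst review.
DYNDNS_SUFFIXES = ("ddns.net", "duckdns.org", "no-ip.org", "dynu.com")

# Constructed log format: "<timestamp> <source_ip> <DNS|HTTP> <target>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>DNS|HTTP) (?P<target>\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    target: str
    reason: str


def domain_matches(host: str, domains) -> bool:
    """True if host equals one of `domains` or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(target: str):
    """Return a reason string if `target` is an IP or domain of interest."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return "known_c2_ip" if str(ip) in C2_IPS else None
    if domain_matches(target, C2_DOMAINS):
        return "known_c2_domain"
    if domain_matches(target, DYNDNS_SUFFIXES):
        return "dynamic_dns"
    return None


def scan(lines):
    """Scan log lines and return Alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify(m["target"])
        if reason:
            alerts.append(Alert(m["ts"], m["src"], m["target"], reason))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2023-03-30T10:01:02Z 10.0.0.5 DNS www.example.org",
    "2023-03-30T10:01:05Z 10.0.0.5 HTTP 203.0.113.10",
    "2023-03-30T10:02:11Z 10.0.0.7 DNS cdn-sync.update-service.example",
    "2023-03-30T10:03:40Z 10.0.0.9 DNS firmware-update.ddns.net",
    "malformed line",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.src} -> {alert.target} [{alert.reason}]")
```

The split between "known_c2_*" and "dynamic_dns" reasons matters for triage: the first class is block-worthy on its own, while the second only says a host resolved a dynamic DNS name and should be correlated with other signals (endpoint alerts, unusual process, beacon-like timing) before action.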

The findings come as Trend Micro revealed it has found over 200 victims of Mustang Panda (aka Earth Preta) attacks since 2022 as part of a broader cyber espionage campaign orchestrated by various subgroups.

The majority of cyberattacks are detected in Asia, followed by Africa, Europe, Middle East, Oceania, North America, and South America.

“There are strong indications that traditional espionage and cyber collection operations are intertwined, indicating a highly coordinated and sophisticated cyber espionage operation,” Trend Micro said.
