RedGolf, a Chinese state-sponsored threat activity group, has been using a custom backdoor called KEYPLUG to target Windows and Linux systems. This prolific group has been active for years, attacking various industries worldwide. It has a history of quickly weaponizing newly reported vulnerabilities such as Log4Shell and ProxyLogon and of developing a wide range of custom malware families.
Attacks Involving KEYPLUG Backdoor
Google-owned Mandiant first disclosed the use of KEYPLUG by Chinese threat actors in March 2022. Those attacks targeted multiple U.S. state government networks from May 2021 to February 2022. In October 2022, Malwarebytes detailed another set of attacks targeting government entities in Sri Lanka in early August 2022. These attacks leveraged a novel implant called DBoxAgent to deploy KEYPLUG. Both campaigns were attributed to Winnti (aka APT41, Barium, Bronze Atlas, or Wicked Panda), which is closely associated with RedGolf.
Although specific victimology in the latest RedGolf activity is not known, the group’s activities are believed to be for intelligence purposes rather than financial gain due to their connections with previously reported cyberespionage campaigns.
Recorded Future identified KEYPLUG samples and GhostWolf infrastructure used by the hackers from 2021 to 2023. The group has also employed other tools like Cobalt Strike and PlugX. The GhostWolf infrastructure consists of 42 IP addresses functioning as KEYPLUG command-and-control points. RedGolf has been observed using both traditionally registered domains and Dynamic DNS domains with technology themes to communicate with Cobalt Strike and PlugX.
Rapid Exploitation and Evolving Tactics
RedGolf is expected to maintain a high operational tempo, quickly weaponizing vulnerabilities in external-facing corporate appliances such as VPNs, firewalls, and mail servers to gain initial access to target networks. The group is also likely to continue adopting new custom malware families to complement existing tools like KEYPLUG.
To defend against RedGolf attacks, organizations should regularly apply patches, monitor access to external-facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to monitor for malware detections.
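The "track and block identified command-and-control infrastructure" recommendation is easy to state and easy to get wrong in practice: blocklists mix single IPs, CIDR ranges and Dynamic DNS parent domains, and a naive substring match on hostnames produces both misses and false positives. The following Python script is an added example, not tooling from Recorded Future or from the report the article summarizes. It matches outbound-connection log lines against a small IOC set and handles the three indicator kinds correctly (exact IP, CIDR containment, and label-wise parent-domain matching so that a lookalike such as "ddns-example.net.evil-lookalike.com" does not match the parent domain "ddns-example.net"). The IOC values, the log format and every log line below are constructed for illustration and are not the GhostWolf indicators, which the page does not list.

```python
"""Match outbound-connection log lines against a C2 indicator list.

Added example, not vendor tooling. All indicators and log lines here are
constructed for illustration; real GhostWolf IOCs come from the vendor report.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicators (NOT real GhostWolf infrastructure).
C2_IPS = ["203.0.113.42", "198.51.100.7"]
C2_CIDRS = ["192.0.2.0/28"]
# Parent domains: any host under these (Dynamic DNS style) also matches.
C2_DOMAINS = ["updates-cloudtech.example", "ddns-example.net"]

# Assumed log format: "<timestamp> <src_ip> -> <dst_host_or_ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\S+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    ioc: str  # the indicator that fired


def _normalize(name):
    """Lower-case and strip a trailing dot so 'Foo.Example.' == 'foo.example'."""
    return name.rstrip(".").lower()


class C2Matcher:
    def __init__(self, ips, cidrs, domains):
        self.ips = {ipaddress.ip_address(i) for i in ips}
        self.nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        self.domains = {_normalize(d) for d in domains}

    def match(self, dst):
        """Return the indicator string that matches dst, or None."""
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            # Hostname: walk up the label chain so that sub.ddns-example.net
            # matches ddns-example.net but ddns-example.net.evil.com does not.
            labels = _normalize(dst).split(".")
            for i in range(len(labels)):
                parent = ".".join(labels[i:])
                if parent in self.domains:
                    return parent
            return None
        if addr in self.ips:
            return str(addr)
        for net in self.nets:
            if addr in net:
                return str(net)
        return None

    def scan(self, lines):
        """Parse each log line; unparsable lines are skipped, not errors."""
        hits = []
        for line in lines:
            m = LOG_RE.match(line.strip())
            if not m:
                continue
            ioc = self.match(m["dst"])
            if ioc:
                hits.append(Hit(m["ts"], m["src"], m["dst"], int(m["port"]), ioc))
        return hits


# Constructed egress log lines for the demo.
SAMPLE_LOG = """\
2023-03-30T10:01:02Z 10.0.0.5 -> 203.0.113.42:443
2023-03-30T10:01:05Z 10.0.0.5 -> 93.184.216.34:443
2023-03-30T10:02:11Z 10.0.0.9 -> 192.0.2.9:8443
2023-03-30T10:03:44Z 10.0.0.12 -> node7.ddns-example.net:443
2023-03-30T10:04:00Z 10.0.0.12 -> ddns-example.net.evil-lookalike.com:80
malformed line that should be skipped
"""


def find_c2_hits(log_text=SAMPLE_LOG):
    matcher = C2Matcher(C2_IPS, C2_CIDRS, C2_DOMAINS)
    return matcher.scan(log_text.splitlines())


if __name__ == "__main__":
    for h in find_c2_hits():
        print(f"{h.ts} {h.src} -> {h.dst}:{h.port} matched {h.ioc}")
```

Run against the constructed log, the script reports three hits (the exact IP, the address inside the CIDR, and the host under the Dynamic DNS parent domain) and correctly ignores the lookalike domain. In production the indicator lists would be loaded from the vendor feed and the log lines streamed from the firewall or proxy, but the matching logic is the part people usually get wrong.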
Trend Micro reported over 200 Mustang Panda (aka Earth Preta) attack victims in a widespread cyber espionage effort since 2022. Most attacks occurred in Asia, followed by Africa, Europe, the Middle East, Oceania, North America, and South America. The operations show a mix of traditional intelligence tradecraft and cyber collection, indicating highly coordinated, sophisticated espionage.