The state-sponsored group targets both Windows and Linux computers.
The Chinese state-sponsored attacker group tracked under the name RedGolf has been seen using a custom "KeyPlug" backdoor built for Windows and Linux systems.
“RedGolf is a particularly active Chinese state-sponsored malicious group that has likely been operating against a wide range of industries around the world for many years. RedGolf has demonstrated the ability to quickly exploit newly identified vulnerabilities (e.g. Log4Shell and ProxyLogon). The group also has experience in the development and use of a large number of custom malware families,” Recorded Future said.
The use of KeyPlug by Chinese attackers was first exposed by Mandiant in March 2022, in attacks targeting US government networks. Then, in October 2022, Malwarebytes detailed a series of attacks targeting government agencies in Sri Lanka; those attacks used a new "DBoxAgent" implant to deploy KeyPlug.
Both malware campaigns were at the time attributed to the Winnti hackers (also known as APT41, Barium, Bronze Atlas or Wicked Panda). According to Recorded Future, the Winnti group has "close overlap" with RedGolf.
“We didn't see much victimization in RedGolf's latest activity. However, we believe that these activities are likely to be carried out for exploration purposes, and not for financial gain,” the Recorded Future publication says.
In addition to KeyPlug, Recorded Future noted RedGolf's use of the GhostWolf operational infrastructure, as well as the Cobalt Strike and PlugX tools. The GhostWolf infrastructure consists of 42 IP addresses that serve as command-and-control (C2) servers for KeyPlug. The hackers have also been seen using a mix of traditionally registered domains and dynamic DNS domains, often with technology-themed names, as C2 endpoints for Cobalt Strike and PlugX.
“RedGolf continues to demonstrate a high rate of activity and quickly exploit vulnerabilities in external corporate devices (VPNs, firewalls, mail servers, etc.) to gain initial access to targeted networks. In addition, the group is likely to continue introducing new user-generated malware families in the future, expanding its arsenal,” Recorded Future said in a statement.
To protect against RedGolf attacks, organizations are encouraged to apply patches regularly, monitor access to externally facing network devices, monitor for and block the identified command-and-control infrastructure, and configure intrusion detection or prevention systems to alert on detections of the group's malware.