Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor


RedGolf, a threat group with ties to the Chinese government, has been observed using a custom backdoor called KEYPLUG against both Windows and Linux systems.

RedGolf, a group believed to be supported by the Chinese government, has been very active for a long time, targeting various industries around the world. This information was shared with The Hacker News by Recorded Future.

The group has shown the ability to quickly weaponize newly disclosed vulnerabilities (such as Log4Shell and ProxyLogon) and has a history of developing and deploying a range of custom malware families.

In March 2022, Mandiant - a subsidiary of Google - revealed that Chinese hackers utilized KEYPLUG to carry out cyber attacks on various state government systems in the United States from May 2021 to February 2022.

In early August, Sri Lankan government entities were targeted in a series of attacks using a unique implant called DBoxAgent, which deployed KEYPLUG. Malwarebytes reported on this incident in October 2022.

Winnti (also known as APT41, Barium, Bronze Atlas, or Wicked Panda) was said to be responsible for both of these campaigns. According to Recorded Future, Winnti has strong connections with RedGolf.

According to Recorded Future, no specific victim group has been identified in the recent RedGolf activity. Given its overlap with previous cyber-espionage campaigns, the activity is believed to be focused on intelligence gathering rather than financial gain.

The cybersecurity company uncovered evidence of the group's activity from 2021 to 2023, including the use of KEYPLUG and an operational infrastructure nicknamed GhostWolf. It also identified the group's use of other tools such as Cobalt Strike and PlugX.

GhostWolf's infrastructure includes 42 IP addresses that serve as command-and-control servers for KEYPLUG. The group uses a mix of standard and Dynamic DNS domains, many with technology-related themes, to support its operations and to facilitate communications related to Cobalt Strike and PlugX.

According to the company, RedGolf is expected to maintain a high pace of activity and to promptly exploit vulnerabilities in internet-facing enterprise devices such as VPNs, firewalls, and mail servers, with the objective of gaining initial access to targeted networks as quickly as possible.

Moreover, it is probable that the group will keep incorporating fresh customized software programs into their existing toolkit, like KEYPLUG.

To defend against RedGolf attacks, organizations are advised to apply patches regularly, monitor access to external-facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to alert on malware detections.

Trend Micro has disclosed that their research has unveiled over 200 individuals or organizations that have been targeted by Mustang Panda (also known as Earth Preta) in a widespread cyber espionage campaign involving multiple sub-groups since the year 2022.

Most of the cyber attacks have been identified in Asia, with Africa, Europe, the Middle East, Oceania, North America and South America following suit.

According to Trend Micro, there is significant evidence of a sophisticated cyber espionage operation involving the integration of traditional intelligence techniques and digital data collection. This suggests a high level of organization and coordination.
