According to Recorded Future, a Chinese state-sponsored threat activity group known as RedGolf has been linked to the use of a custom backdoor named KEYPLUG, which targets both Windows and Linux operating systems.
The group has allegedly been active for an extended period, targeting various industries globally and rapidly exploiting newly reported vulnerabilities such as Log4Shell and ProxyLogon.
Additionally, RedGolf has a history of developing and deploying multiple customized malware families. The use of KEYPLUG by Chinese actors was initially disclosed by Mandiant, which is owned by Google, in March 2022. The attacks using this backdoor targeted several U.S. state government networks from May 2021 to February 2022.
A glance to understand
- In early August, Malwarebytes revealed a series of cyberattacks that targeted government entities in Sri Lanka, using a new malware implant named DBoxAgent to deploy KEYPLUG.
- These incidents were connected to the Winnti group (also known as APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future suggested has a close association with RedGolf.
- Although no particular victimology was detected in the recent RedGolf activity, the cybersecurity company indicated that the group’s primary motive appears to be intelligence gathering rather than financial gain, based on its resemblance to prior cyberespionage campaigns.
Recorded Future has uncovered a group of KEYPLUG samples and operational infrastructure (dubbed GhostWolf) utilized by the attackers from 2021 to 2023, as well as their usage of other tools such as Cobalt Strike and PlugX.
Armory of KEYPLUG
The KEYPLUG command-and-control network known as GhostWolf comprises:
- 42 IP addresses that are part of RedGolf’s infrastructure.
- Both traditional and Dynamic DNS domains with a technology-related theme, which the group has been found to use as communication points for PlugX and Cobalt Strike.
Recorded Future expects RedGolf to maintain a fast-paced approach and exploit weaknesses in external-facing corporate systems (such as VPNs, mail servers, and firewalls) to gain entry to targeted networks.
“RedGolf will continue to target victims with KEYPLUG malware and its derivatives using command and control infrastructure spanning a variety of hosting providers.”
Pledge to be secure
RedGolf attacks can be prevented if organizations apply patches regularly, monitor for known command-and-control infrastructure, and configure their monitoring systems accordingly. Attackers keep adding new technology to their malware, so defenders need to add new technology to their prevention efforts too. Companies need to be proactive in adopting the best security protocols.
Remember! Ignorance is no excuse when it comes to your security.