
High alert for Windows and Linux! Chinese RedGolf KEYPLUG set to hit you


According to Recorded Future, a Chinese state-sponsored threat activity group known as RedGolf has been linked to the use of a custom backdoor named KEYPLUG, which targets both Windows and Linux operating systems.

The group has allegedly been active for an extended period, targeting various industries globally and rapidly exploiting newly reported vulnerabilities such as Log4Shell and ProxyLogon. 

Additionally, RedGolf has a history of developing and deploying multiple customized malware families. The use of KEYPLUG by Chinese actors was initially disclosed by Mandiant, which is owned by Google, in March 2022. The attacks using this backdoor targeted several U.S. state government networks from May 2021 to February 2022.

A glance to understand

  • In early August, Malwarebytes revealed a series of cyberattacks that targeted government entities in Sri Lanka, using a new malware implant named DBoxAgent to deploy KEYPLUG. 
  • These incidents were connected to the Winnti group (also known as APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future suggested has a close association with RedGolf. 
  • Although no particular victimology was detected in the recent RedGolf activity, the cybersecurity company indicated that the group’s primary motive appears to be intelligence gathering rather than financial gain, based on its resemblance to prior cyberespionage campaigns. 

Recorded Future has uncovered a group of KEYPLUG samples and operational infrastructure (dubbed GhostWolf) utilized by the attackers from 2021 to 2023, as well as their usage of other tools such as Cobalt Strike and PlugX.

Armory of KEYPLUG

The KEYPLUG command-and-control network known as GhostWolf comprises:

  • 42 IP addresses that are part of RedGolf’s infrastructure.
  • Both traditional and Dynamic DNS domains with a technology-related theme, which the group has been found to use as communication points for PlugX and Cobalt Strike.

Recorded Future expects RedGolf to maintain a fast-paced approach and exploit weaknesses in external-facing corporate systems (such as VPNs, mail servers, and firewalls) to gain entry to targeted networks.

“RedGolf will continue to target victims with KEYPLUG malware and its derivatives using command and control infrastructure spanning a variety of hosting providers.”

Pledge to be secure 

RedGolf attacks can be prevented if organizations apply patches promptly, monitor for known command-and-control infrastructure, and configure their monitoring systems accordingly. Attackers keep adding new technology to their malware, so defenders need to add technology to their prevention as well. Companies need to be proactive in adopting the best security protocols.

Remember! Ignorance is no excuse when it comes to your security.

Author: PureVPN

Date: March 31, 2023
