Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor
A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.
“RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally,” Recorded Future told The Hacker News.
“The group has shown the ability to rapidly weaponize newly reported vulnerabilities (e.g. Log4Shell and ProxyLogon) and has a history of developing and using a large range of custom malware families.”
The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Manidant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022.
Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG.
Both these campaigns were attributed to Winnti (aka APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future said “closely overlaps” with RedGolf.
“We have not observed specific victimology as part of the latest highlighted RedGolf activity,” Recorded Future said. “However, we believe this activity is likely being conducted for intelligence purposes rather than financial gain due to the overlaps with previously reported cyberespionage campaigns.”
The cybersecurity firm, in addition to detecting a cluster of KEYPLUG samples and operational infrastructure (codenamed GhostWolf) used by the hacking group from at least 2021 to 2023, noted its use of other tools like Cobalt Strike and PlugX.
The GhostWolf infrastructure, for its part, consists of 42 IP addresses that function as KEYPLUG command-and-control. The adversarial collective has also been observed utilizing a mixture of both traditionally registered domains and Dynamic DNS domains, often featuring a technology theme, to act as communication points for Cobalt Strike and PlugX.
“RedGolf will continue to demonstrate a high operational tempo and rapidly weaponize vulnerabilities in external-facing corporate appliances (VPNs, firewalls, mail servers, etc.) to gain initial access to target networks,” the company said.
“Additionally, the group will likely continue to adopt new custom malware families to add to existing tooling such as KEYPLUG.”
To defend against RedGolf attacks, organizations are recommended to apply patches regularly, monitor access to external facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to monitor for malware detections.
The findings come as Trend Micro revealed that it discovered more than 200 victims of Mustang Panda (aka Earth Preta) attacks as part of a far-reaching cyber espionage effort orchestrated by various sub-groups since 2022.
A majority of the cyber strikes have been detected in Asia, followed by Africa, Europe, the Middle East, Oceania, North America, and South America.
“There are strong indications of intertwined traditional intelligence tradecraft and cyber collection efforts, indicative of a highly coordinated and sophisticated cyber espionage operation,” Trend Micro said.