The China-backed RedGolf Group has executed a cyberattack that uses the KEYPLUG backdoor to infect Windows and Linux operating systems. Based on reports, the RedGolf Group has been targeting various industries worldwide for years.
This group has been notorious for quickly weaponising newly disclosed vulnerabilities. In addition, these state-sponsored attackers have a history of developing and utilising multiple custom malware strains.
The KEYPLUG backdoor has already compromised several United States government entities.
According to investigations, different Chinese state-sponsored threat groups have already used the KEYPLUG backdoor to attack multiple United States government networks. These attacks started in May 2021 and continued until February 2022.
Furthermore, another report revealed that a Chinese threat group used the backdoor to execute separate attacks that targeted Sri Lankan government agencies. The operation used a novel implant called DBoxAgent to launch the KEYPLUG backdoor.
Researchers attributed the campaigns to Winnti, known as Bronze Atlas, Wicked Panda, APT41, and Barium. A researcher said the campaign is similar to the recent RedGolf operations.
The target selection of the RedGolf campaign and of Winnti resembled each other. The threat actors appear to conduct these attacks for intelligence gathering rather than for financial gain, which became more apparent after both operations were observed performing cyber espionage.
Researchers also detected more KEYPLUG samples and infrastructure clusters from 2021 to 2023. One infrastructure cluster is GhostWolf, which includes 42 IP addresses that serve as KEYPLUG C2 servers. The threat actors have also combined traditionally registered domains with Dynamic DNS services. These tools have become a recurring pattern in how the attackers communicate with their PlugX backdoors and Cobalt Strike beacons.
Cybersecurity experts explained that organisations should apply updates whenever available to defend against RedGolf operations. Moreover, companies should constantly monitor access to external-facing network devices, and track and block identified C2 infrastructure to mitigate cyberattack damage.
Defence teams should improve their company’s detection and prevention systems to monitor unwanted intrusions.