With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets

Recorded Future's Insikt Group has identified a large cluster of new infrastructure associated with the use of the custom KEYPLUG backdoor for Windows and Linux, attributed to a threat activity group very likely sponsored by the Chinese state and tracked as RedGolf. RedGolf shows numerous overlaps with malicious activity reported under the aliases APT41/BARIUM and has reportedly targeted US government entities. RedGolf has also reportedly boasted of links to China's Ministry of State Security (MSS), and its members have previously been linked to the Chengdu-based company Chengdu 404 Network Technology (成都市肆零肆网络科技有限公司).

RedGolf remains highly active across a wide range of geographies and is known to target aviation, automotive, education, government, media, information technology, and religious organizations. Organizations of strategic interest to the Chinese government and security services are likely at increased risk of targeting. This report examines the group's recent activity and its tactics, techniques, and procedures (TTPs), and offers mitigation strategies for organizations.

According to public reporting, RedGolf used a Linux version of the custom modular backdoor KEYPLUG to target US state government entities during 2021 and 2022. Insikt Group has identified a wider cluster of KEYPLUG samples and operational infrastructure used by RedGolf from at least 2021 to 2023. We actively track this malicious infrastructure using the term GhostWolf. Alongside KEYPLUG, we also identified RedGolf using Cobalt Strike, PlugX, and Dynamic DNS (DDNS) domains, all of which are commonly used amongst many Chinese state-sponsored threat groups. Insikt Group identified multiple infrastructure overlaps between publicly reported APT41/BARIUM campaigns across the identified GhostWolf infrastructure cluster.

RedGolf infrastructure and TTP (Tactics, Techniques, and Procedures) overlaps with APT41 and BARIUM. (Source: Recorded Future)

RedGolf will continue to target victims with KEYPLUG malware and its derivatives using command and control infrastructure spanning a variety of hosting providers. The group has previously utilized a mixture of both traditionally registered domains and DDNS domains, often featuring a technology theme. We believe this TTP will remain relatively unchanged with the exception of a decrease in DDNS use.

The employment of both Cobalt Strike and PlugX to target victim machines by Chinese state-sponsored threat activity groups, such as RedGolf, is highly likely to continue given the feature set provided by these tools, their ready availability, and the ability to obfuscate responsibility due to the number of other threat actors using these techniques.

Recorded Future proactively detects both Cobalt Strike and PlugX servers. We recommend incorporating this feed into blocking lists and/or alerting to prevent infections.

To read the entire analysis with endnotes, click here to download the report as a PDF.