Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor

On March 30, 2023, a custom Windows and Linux backdoor called KEYPLUG was publicly described and attributed to the Chinese state-sponsored threat activity group RedGolf. The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Mandiant in March 2022, in attacks that targeted multiple U.S. state government networks between May 2021 and February 2022. Subsequently, in October 2022, Malwarebytes reported a campaign targeting government entities in Sri Lanka in early August that leveraged a novel implant called DBoxAgent to deploy KEYPLUG.

The GhostWolf infrastructure consists of 42 IP addresses that function as KEYPLUG command-and-control. The group has also been observed using a mixture of traditionally registered domains and Dynamic DNS domains, often with a technology theme, as communication points for Cobalt Strike and PlugX.

To protect against RedGolf attacks, organizations are advised to apply patches regularly, monitor access to external-facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to alert on malware detections.

Key Points:
1. The Chinese state-sponsored threat activity group RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.
2. The GhostWolf infrastructure consists of 42 IP addresses that function as KEYPLUG command-and-control.
3. RedGolf has been observed utilizing a mixture of both traditionally registered domains and Dynamic DNS domains to act as communication points for Cobalt Strike and PlugX.
4. Organizations can protect against RedGolf attacks by applying patches regularly, monitoring access to external facing network devices, and tracking and blocking identified command-and-control infrastructure.
5. Trend Micro has discovered more than 200 victims of Mustang Panda (aka Earth Preta) attacks as part of a far-reaching cyber espionage effort orchestrated by various sub-groups since 2022.
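The recommendation to track and block identified command-and-control infrastructure, and to watch for Dynamic DNS domains of the kind RedGolf has used, can be turned into a simple log-matching check. The script below is an added example, not code from the original report or from any of the vendors named on this page. All indicators and log lines in it are constructed placeholders (RFC 5737 documentation addresses and `.example` names), not the real GhostWolf or KEYPLUG IoCs; the Dynamic DNS suffix list is likewise hypothetical and would be replaced with the organization's own list.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample indicators. These are documentation/reserved ranges and
# .example names used as placeholders, NOT the real KEYPLUG or GhostWolf IoCs.
C2_IPS = {"203.0.113.10", "198.51.100.7"}
C2_DOMAINS = {"update-svc.example", "cdn-cache.example"}
# Hypothetical Dynamic DNS suffixes; a real deployment would load the
# organization's own list of Dynamic DNS providers.
DYNDNS_SUFFIXES = ("ddns.example", "dyn-host.example")

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_host or -> <dst_ip>"
SAMPLE_LOGS = [
    "2023-03-30T10:00:01Z 10.0.0.5 intranet.corp.example 10.0.0.20",
    "2023-03-30T10:00:05Z 10.0.0.5 update-svc.example 203.0.113.10",
    "2023-03-30T10:00:09Z 10.0.0.7 - 198.51.100.7",
    "2023-03-30T10:00:12Z 10.0.0.9 tech-updates.ddns.example 192.0.2.55",
    "2023-03-30T10:00:15Z 10.0.0.9 mail.corp.example 10.0.0.25",
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<dst>\S+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format
    or whose destination is not a valid IP address."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    # "-" means the proxy saw a direct-to-IP connection with no hostname.
    rec["host"] = None if rec["host"] == "-" else rec["host"].lower().rstrip(".")
    return rec


def classify(rec: dict) -> tuple:
    """Return (verdict, reason).

    Blocklist hits (known C2 domain or IP) are 'block'. Dynamic DNS names that
    are not on the blocklist are only 'review': RedGolf has used such domains
    for C2, but most Dynamic DNS traffic is legitimate, so it needs an analyst.
    """
    host = rec["host"]
    if host in C2_DOMAINS:
        return ("block", "c2_domain")
    if rec["dst"] in C2_IPS:
        return ("block", "c2_ip")
    if host and any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        return ("review", "dyndns")
    return ("allow", "")


def scan_logs(lines) -> list:
    """Return findings (every record that is not 'allow') in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        verdict, reason = classify(rec)
        if verdict != "allow":
            findings.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                             "dst": rec["dst"], "verdict": verdict, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        target = f["host"] or f["dst"]
        print(f"{f['ts']} {f['src']} -> {target} [{f['verdict']}: {f['reason']}]")
```

Run against the constructed sample, the script flags the two blocklist hits (one by domain, one by bare IP) as `block` and the Dynamic DNS lookup as `review`; the direct-to-IP case is included deliberately, since a domain-only blocklist would miss a KEYPLUG beacon that connects straight to one of the 42 GhostWolf addresses.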
