Security News > 2023 > March > Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor

A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG. "RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News.

The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Manidant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022.

Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG. Both these campaigns were attributed to Winnti, which Recorded Future said "Closely overlaps" with RedGolf.

The cybersecurity firm, in addition to detecting a cluster of KEYPLUG samples and operational infrastructure used by the hacking group from at least 2021 to 2023, noted its use of other tools like Cobalt Strike and PlugX. The GhostWolf infrastructure, for its part, consists of 42 IP addresses that function as KEYPLUG command-and-control.

"Additionally, the group will likely continue to adopt new custom malware families to add to existing tooling such as KEYPLUG.".

To defend against RedGolf attacks, organizations are recommended to apply patches regularly, monitor access to external facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to monitor for malware detections.

News URL

https://thehackernews.com/2023/03/chinese-redgolf-group-targeting-windows.html