Friday, October 11, 2024

RedHotel Chinese APT Hackers Attack Government Entities & Intelligence Organizations


RedHotel (also tracked as TAG-22), a Chinese state-sponsored threat group, is well known for its persistence, prominence, operational intensity, and global reach. RedHotel is reported to have targeted organizations in over 17 countries in North America and Asia between 2021 and 2023.

The group is a particular threat to government organizations in Southeast Asia and to selected private-sector industries.

Its operational infrastructure has been linked to contractor groups working for China’s Ministry of State Security (MSS). RedHotel’s main focus is intelligence gathering and cyber-espionage.


RedHotel Infrastructure

RedHotel employs a multi-tiered infrastructure with a narrow focus on reconnaissance and long-term network access through command-and-control (C2) servers. These malware C2 servers were found to be administered from Chengdu, China.

RedHotel C2 infrastructure (Source: Insikt)

In addition, the group has used the ShadowPad and Winnti malware families, which it shares with other Chinese state-sponsored actors.

RedHotel uses large numbers of Virtual Private Servers (VPS) as reverse proxies in front of its C2 servers, listening on ports 80, 443, 8443, and 8080.

Its tooling includes Spyder, Cobalt Strike, ShadowPad, and PlugX. RedHotel has also used Brute Ratel, an advanced red-team adversary simulation tool.

These threat actors were also responsible for the compromise of a US state legislature in June 2022, which was discovered when the organization’s network communications were seen being routed to RedHotel-attributed ShadowPad and Cobalt Strike C2 servers.

Furthermore, the group took part in the exploitation of Zimbra Collaboration Suite that targeted several government organizations. This activity was linked to several RedHotel subdomains, including:

  • bwlgrafana.itcom888[.]live
  • 8wz3l0m58f.symantecupd[.]com
  • qbxlwr4nkq.itcom666[.]live
  • Fyalluw0.sibersystems[.]xyz

A complete report has been published by Recorded Future which mentions their techniques, tactics, and other detailed information about this threat group.

Indicators of Compromise (SHA-256 file hashes)

Cobalt Strike Loaders

  • 5cba27d29c89caf0c8a8d28b42a8f977f86c92c803d1e2c7386d60c0d8641285
  • 48e81b1c5cc0005cc58b99cefe1b6087c841e952bb06db5a5a6441e92e40bed6
  • 25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51
  • 233bb85dbeba69231533408501697695a66b7790e751925231d64bddf80bbf91
  • aeceaa7a806468766923a00e8c4eb48349f10d069464b53674eeb150e0a59123

Brute Ratel Loaders

6e3c3045bb9d0db4817ad0441ee3c95b8fe3e087388d1ceefb9ebbd2608aef166f31a4656afb8d9245b5b2f5a634ddfbdb9db3ca565d2c52aee6554ede068d1 c00991cfeafc055447d7553a14be2303e105b6a97ab35ecf820b9dbd42826f9d 

Winnti

  • 5861584bb7fa46373c1b1f83b1e066a3d82e9c10ce87539ee1633ef0f567e743
  • 69ff2f88c1f9007b80d591e9655cc61eaa4709ccd8b3aa6ec15e3aa46b9098bd
  • 2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e
  • f1dcf623a8f8f4b26fe54fb17c8597d6cc3f7066789daf47a5f1179bd7f7001a

Spyder

7a61708f391a667c8bb91fcfd7392a328986059563d972960f8237a69e375d505d3a6f5bd0a72ee653c6bdad68275df730b836d6f9325ee57ec32997d5dcef1ded9878f8680e1d91354cbb5ad8a6960efd6ddca2da157eb4c1ef0f0430fd5fe053ca5888fb0d5099efed76e68a1af0020aaaa34ca610e7a1ac0ae9ffe36f6e 24d4089f74672bc00c897a74664287fe14d63a9b78a8fe2bdbbf9b870b40d85c

FunnySwitch

  • 7056e9b69cc2fbc79ba7a492906bcc84dabc6ea95383dff3844dfde5278d9c7a
  • ede0c1f0d6c3d982f63abbdd5f10648948a44e5fa0d948a89244a06abaf2ecfe
  • 9eb0124d822d6b0fab6572b2a4445546e8029ad6bd490725015d49755b5845a4
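As an added example (not from the article or from Recorded Future's report), the following Python script shows how a defender would operationalize the indicators on this page: the defanged subdomains listed above are refanged and matched against DNS query names (including child labels and case differences), and the hash values are validated as 64-character SHA-256 digests before being matched against file-hash telemetry. Only the four subdomains and the three FunnySwitch hashes come from the page; the log line formats, host names, IP addresses and the `run_scan` helper are assumptions, and the sample log lines are constructed.

```python
import re

# Defanged C2 subdomains quoted in the article (refanged before matching).
REDHOTEL_DOMAINS_DEFANGED = [
    "bwlgrafana.itcom888[.]live",
    "8wz3l0m58f.symantecupd[.]com",
    "qbxlwr4nkq.itcom666[.]live",
    "Fyalluw0.sibersystems[.]xyz",
]

# SHA-256 values from the FunnySwitch entry of the IoC list.
REDHOTEL_SHA256 = [
    "7056e9b69cc2fbc79ba7a492906bcc84dabc6ea95383dff3844dfde5278d9c7a",
    "ede0c1f0d6c3d982f63abbdd5f10648948a44e5fa0d948a89244a06abaf2ecfe",
    "9eb0124d822d6b0fab6572b2a4445546e8029ad6bd490725015d49755b5845a4",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang_domain(indicator):
    """Turn a defanged name ('itcom888[.]live') into a comparable
    lower-case FQDN without a trailing dot."""
    name = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    return name.lower().rstrip(".")


def load_hashes(values):
    """Keep only well-formed SHA-256 digests; return (accepted, rejected).
    Published lists are often hand-copied, so a length/charset check catches
    concatenated or truncated values that would otherwise never match."""
    accepted, rejected = set(), []
    for value in values:
        digest = value.strip().lower()
        if SHA256_RE.match(digest):
            accepted.add(digest)
        else:
            rejected.append(value)
    return accepted, rejected


def domain_matches(queried, bad_domains):
    """True if the queried name equals an indicator or is a child of one."""
    name = refang_domain(queried)
    return any(name == d or name.endswith("." + d) for d in bad_domains)


def scan_dns_log(lines, bad_domains):
    """Assumed line format: 'timestamp client_ip query_name'. Returns hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname = parts[:3]
        if domain_matches(qname, bad_domains):
            hits.append((ts, client, refang_domain(qname)))
    return hits


def scan_hash_log(lines, bad_hashes):
    """Assumed line format: 'timestamp host sha256 path'. Returns hits."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, host, digest, path = parts
        if digest.lower() in bad_hashes:
            hits.append((ts, host, digest.lower(), path))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_DNS_LOG = [
    "2024-10-11T09:00:01Z 10.0.0.12 www.example.com.",
    "2024-10-11T09:00:02Z 10.0.0.12 BWLGRAFANA.ITCOM888.LIVE",          # case differs
    "2024-10-11T09:00:03Z 10.0.0.33 update.fyalluw0.sibersystems.xyz",  # child of an IoC
    "2024-10-11T09:00:04Z 10.0.0.40 itcom888.live.example.org",         # IoC only as a prefix
    "garbage",
]
SAMPLE_FILE_LOG = [
    "2024-10-11T09:05:00Z host-a " + REDHOTEL_SHA256[2].upper() + " C:\\Users\\x\\svc.dll",
    "2024-10-11T09:05:01Z host-b " + "0" * 64 + " C:\\Windows\\notepad.exe",
]


def run_scan():
    """Match the constructed samples against the page's indicators."""
    domains = {refang_domain(d) for d in REDHOTEL_DOMAINS_DEFANGED}
    hashes, rejected = load_hashes(REDHOTEL_SHA256 + ["not-a-hash"])
    return {
        "dns_hits": scan_dns_log(SAMPLE_DNS_LOG, domains),
        "file_hits": scan_hash_log(SAMPLE_FILE_LOG, hashes),
        "rejected_hashes": rejected,
    }


if __name__ == "__main__":
    for key, value in run_scan().items():
        print(key, value)
```

The suffix match in `domain_matches` is deliberately anchored on a leading dot, so a query for `itcom888.live.example.org` does not match even though it contains an indicator as a prefix; the hash validation step is what surfaces copy errors such as two digests run together in a published list.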


Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
