RedHotel Chinese APT Hackers Attack Government Entities

RedHotel (TAG-22), a Chinese-state-sponsored threat group, is well-known for its persistence, prominence, operational intensity, and global reach. RedHotel is reported to have acted upon over 17 countries in North America Asia and between 2021 and 2023.

This threat group poses a threat specifically to organizations in Southeast Asia’s government and specified sectors of private companies.

Their operational infrastructure is traced to be linked with China’s Ministry of State Security (MSS) contractor groups. The main focus of RedHotel is intelligence gathering and cyber-espionage.

RedHotel Infrastructure

RedHotel is found to be employing multi-tiered infrastructure with a narrow focus on reconnaissance and long-term network access through command and control servers. These malware C2 servers were found to be administered from Chengdu, China.

*RedHotel C2 infrastructure (Source: Insikt)*

In addition to this, the threat group was also involved in the exploitation of Shadowpad and Winnti malware along with other Chinese-state-sponsored actors.

RedHotel uses large quantities of Virtual Private Servers (VPS) as reverse proxies for C2 servers which are configured with ports 80, 443, 8443, and 8080.

Their tooling includes Spyder, Cobalt Strike, ShadowPad, and PlugX. RedHotel also used Brute Ratel, an advanced red team simulation and adversarial tool.

These threat actors were also responsible for the US State legislature compromise in June 2022 which was discovered by the organization’s communication being routed to RedHotel attributed C2 servers ShadowPad and Cobalt Strike.

Furthermore, the threat group was also part of the Zimbra Collaboration Suite exploitation which targeted several government organisations. This attack was linked with several RedHotel subdomains like

bwlgrafana.itcom888[.]live
8wz3l0m58f.symantecupd[.]com
qbxlwr4nkq.itcom666[.]live
Fyalluw0.sibersystems[.]xyz

A complete report has been published by Recorded Future which mentions their techniques, tactics, and other detailed information about this threat group.

Indicators of Compromise

Cobalt Strike Loaders

5cba27d29c89caf0c8a8d28b42a8f977f86c92c803d1e2c7386d60c0d864128548e81b1c5cc0005cc58b99cefe1b6087c841e952bb06db5a5a6441e92e40bed625da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51233bb85dbeba69231533408501697695a66b7790e751925231d64bddf80bbf91 aeceaa7a806468766923a00e8c4eb48349f10d069464b53674eeb150e0a59123

Brute Ratel Loaders

6e3c3045bb9d0db4817ad0441ee3c95b8fe3e087388d1ceefb9ebbd2608aef166f31a4656afb8d9245b5b2f5a634ddfbdb9db3ca565d2c52aee6554ede068d1 c00991cfeafc055447d7553a14be2303e105b6a97ab35ecf820b9dbd42826f9d

Winnti

5861584bb7fa46373c1b1f83b1e066a3d82e9c10ce87539ee1633ef0f567e74369ff2f88c1f9007b80d591e9655cc61eaa4709ccd8b3aa6ec15e3aa46b9098bd2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076ef1dcf623a8f8f4b26fe54fb17c8597d6cc3f7066789daf47a5f1179bd7f7001a

Spyder

7a61708f391a667c8bb91fcfd7392a328986059563d972960f8237a69e375d505d3a6f5bd0a72ee653c6bdad68275df730b836d6f9325ee57ec32997d5dcef1ded9878f8680e1d91354cbb5ad8a6960efd6ddca2da157eb4c1ef0f0430fd5fe053ca5888fb0d5099efed76e68a1af0020aaaa34ca610e7a1ac0ae9ffe36f6e 24d4089f74672bc00c897a74664287fe14d63a9b78a8fe2bdbbf9b870b40d85c

FunnySwitch

7056e9b69cc2fbc79ba7a492906bcc84dabc6ea95383dff3844dfde5278d9c7aede0c1f0d6c3d982f63abbdd5f10648948a44e5fa0d948a89244a06abaf2ecfe 9eb0124d822d6b0fab6572b2a4445546e8029ad6bd490725015d49755b5845a4

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.