Monday, July 15, 2024

RedHotel Chinese APT Hackers Attack Government Entities & Intelligence Organizations

RedHotel (TAG-22), a Chinese state-sponsored threat group, is well known for its persistence, prominence, operational intensity, and global reach. RedHotel is reported to have targeted organizations in over 17 countries, including in North America and Asia, between 2021 and 2023.

This threat group poses a particular risk to government organizations in Southeast Asia and to selected private-sector companies.

Their operational infrastructure has been linked to contractor groups working for China's Ministry of State Security (MSS). RedHotel's main focus is intelligence gathering and cyber-espionage.

RedHotel Infrastructure

RedHotel employs a multi-tiered infrastructure with a narrow focus on reconnaissance and long-term network access through command-and-control (C2) servers. These malware C2 servers were found to be administered from Chengdu, China.

RedHotel C2 infrastructure (Source: Insikt)

In addition, the threat group shares the use of the ShadowPad and Winnti malware families with other Chinese state-sponsored actors.

RedHotel uses large numbers of Virtual Private Servers (VPS) as reverse proxies in front of its C2 servers, listening on ports 80, 443, 8443, and 8080.

Their tooling includes Spyder, Cobalt Strike, ShadowPad, and PlugX. RedHotel also used Brute Ratel, an advanced red team simulation and adversarial tool.

These threat actors were also responsible for the compromise of a US state legislature in June 2022, which was discovered when the organization's communications were observed being routed to RedHotel-attributed ShadowPad and Cobalt Strike C2 servers.

Furthermore, the threat group also took part in the exploitation of Zimbra Collaboration Suite, which targeted several government organizations. This attack was linked to several RedHotel subdomains, including:

  • bwlgrafana.itcom888[.]live
  • 8wz3l0m58f.symantecupd[.]com
  • qbxlwr4nkq.itcom666[.]live
  • Fyalluw0.sibersystems[.]xyz
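Both the state legislature compromise and the Zimbra activity were tied back to traffic reaching RedHotel-attributed infrastructure. As an added example (not code from the article or from Recorded Future), the script below refangs the subdomains listed above, derives their parent domains (the subdomain labels look randomly generated, so siblings under the same parent are worth flagging too) and scans constructed proxy log lines for connections to them, noting whether the destination port is one of the reverse-proxy ports the article names. The log format and all log values are assumptions.

```python
import re
from typing import Optional

# RedHotel subdomains quoted in the article, in the defanged form the report uses.
REDHOTEL_SUBDOMAINS = [
    "bwlgrafana.itcom888[.]live",
    "8wz3l0m58f.symantecupd[.]com",
    "qbxlwr4nkq.itcom666[.]live",
    "Fyalluw0.sibersystems[.]xyz",
]
# Ports the article reports RedHotel's VPS reverse proxies listening on.
PROXY_PORTS = {80, 443, 8443, 8080}

def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a matchable lowercase hostname."""
    return domain.replace("[.]", ".").lower()

def parent_domain(hostname: str) -> str:
    """Last two labels of a hostname, e.g. 'itcom666.live'; the parent is the stable part."""
    return ".".join(hostname.split(".")[-2:])

EXACT = {refang(d) for d in REDHOTEL_SUBDOMAINS}
PARENTS = {parent_domain(d) for d in EXACT}

# Constructed sample proxy log (not from the report): "<ts> <src_ip> <dst_host> <dst_port>".
SAMPLE_LOG = """\
2024-07-15T10:01:02Z 10.0.4.17 mail.example.internal 443
2024-07-15T10:01:09Z 10.0.4.17 8wz3l0m58f.symantecupd.com 443
2024-07-15T10:02:31Z 10.0.5.2 zz91abc.itcom666.live 8443
2024-07-15T10:03:00Z 10.0.5.2 updates.example.com 80
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def classify(hostname: str) -> Optional[str]:
    """'exact' for a listed subdomain, 'parent' for another host under a listed parent."""
    host = hostname.lower().rstrip(".")
    if host in EXACT:
        return "exact"
    if parent_domain(host) in PARENTS:
        return "parent"
    return None

def scan(log_text: str) -> list:
    """Return one hit per log line whose destination matches a RedHotel indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        ts, src, host, port = m.groups()
        kind = classify(host)
        if kind:
            hits.append({"ts": ts, "src": src, "host": host, "port": int(port),
                         "match": kind, "proxy_port": int(port) in PROXY_PORTS})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```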

A complete report published by Recorded Future details the group's tactics, techniques, and other information about this threat group.

Indicators of Compromise

Cobalt Strike Loaders


Brute Ratel Loaders


Winnti

Spyder

FunnySwitch

Eswar

Eswar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology, and other news.