Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links

Jan. 24, 2025, 2:23 p.m.

Description

The article analyzes a cluster of network infrastructure associated with KEYPLUG, attributed to a suspected Chinese state-sponsored actor known as RedGolf or APT41. By examining historical TLS certificates and server configurations, researchers uncovered ongoing activity and links to recent operations targeting Italian organizations. The investigation revealed a unique certificate configuration using 'Support_1024' in the Organizational Unit field, along with a specific JA4X fingerprint. This allowed for the identification of active servers potentially linked to the threat actor. The analysis highlights the importance of tracking certificates and incorporating TLS fingerprinting methods for detecting suspicious infrastructure, even when threat actors attempt to blend in with legitimate traffic.

External References

https://hunt.io/blog/keyplug-infrastructure-tls-certificates-ghostwolf-activity
https://otx.alienvault.com/pulse/679395e237c6dacf9b19f7a8
Tags
apt41
2025-01-24
keyplug
ghostwolf
wolfssl

Date

  • Created: Jan. 24, 2025, 1:30 p.m.
  • Published: Jan. 24, 2025, 1:30 p.m.
  • Modified: Jan. 24, 2025, 2:23 p.m.

Indicators

  • 4c1baa3abb774b4c649c87417acaa4396eba40e5028b43fade4c685a405cc3bf
  • 88.218.192.22
  • 8.222.243.185
  • 8.222.220.3
  • 8.219.191.81
  • 8.218.156.56
  • 8.213.131.120
  • 67.43.234.150
  • 67.43.234.148
  • 67.43.234.146
  • 67.43.228.22
  • 67.43.228.21
  • 67.43.228.20
  • 67.43.228.19
  • 67.43.228.18
  • 66.42.49.65
  • 65.20.84.44
  • 65.20.79.156
  • 65.20.79.14
  • 65.20.78.223
  • 65.20.70.52
  • 65.20.78.204
  • 65.20.69.6
  • 64.176.83.46
  • 64.176.51.12
  • 64.176.50.30
  • 5.188.34.87
  • 51.79.177.23
  • 47.92.204.81
  • 47.245.99.137
  • 47.245.60.81
  • 45.32.125.90
  • 45.137.10.37
  • 45.32.101.56
  • 45.137.10.166
  • 39.106.32.186
  • 43.130.61.252
  • 38.55.24.53
  • 36.255.220.179
  • 209.141.36.195
  • 205.185.121.28
  • 202.79.173.228
  • 202.79.173.220
  • 202.79.173.211
  • 202.182.121.16
  • 173.209.62.190
  • 173.209.62.189
  • 173.209.62.187
  • 173.209.62.188
  • 158.247.253.114
  • 158.247.245.229
  • 158.247.234.25
  • 158.247.251.91
  • 158.247.203.247
  • 154.31.217.200
  • 154.12.87.168
  • 149.28.131.126
  • 149.28.130.130
  • 139.84.175.197
  • 139.180.213.58
  • 139.180.211.30
  • 139.180.189.81
  • 139.180.188.174
  • 139.180.153.109
  • 139.180.145.193
  • 114.55.6.216
  • 111.180.200.74
  • 108.61.159.145
  • 103.244.148.80
  • 103.234.96.167
  • 103.226.155.98
  • 103.226.155.96
  • 103.146.230.183
  • 103.146.230.165
  • 8.209.255.168
  • 67.43.234.149
  • 67.43.234.147
  • 45.76.150.120
  • 45.148.244.220
  • 43.249.36.84
  • 207.148.71.45
  • 173.209.62.186
  • 154.92.16.198
  • 103.146.230.130
Download all indicators here!

Attack Patterns

  • KEYPLUG.LINUX
  • KEYPLUG - S1051
  • RedGolf

Additional Informations

  • Italy