A recent technical investigation produced critical insights into infrastructure associated with the suspected Chinese state-backed cyber actor known as “RedGolf.” The group, also referred to as APT41, BARIUM, or Earth Baku, came under scrutiny following a report by Recorded Future’s Insikt Group in March 2023. The new analysis uncovered significant connections to more recent campaigns, in particular infrastructure tied to mid-2024 attacks on Italian organizations.
The analysis focused on historical Transport Layer Security (TLS) certificates, which offered distinct identifiers and operational patterns linked to the ongoing activity. The examination of GhostWolf’s infrastructure began with a comprehensive review of the 39 IP addresses attributed to the threat actor in the Insikt Group’s IoC dataset.
A significant discovery involved certificates derived from the wolfSSL library, an open-source SSL/TLS library widely used in embedded systems and secure communications. One key anomaly was the alteration of the Organizational Unit (OU) field in these certificates – while the legitimate wolfSSL example certificates use “Consulting_1024,” the malicious certificates changed this to “Support_1024,” producing a unique TLS fingerprint. Researchers then used the Hunt SSL History tool to uncover 122 IP addresses that had presented a certificate with this SHA-256 hash.
Further refinement through JA4X fingerprinting – a certificate-level extension of the JA3 TLS fingerprinting method – narrowed the results to 41 unique IPs sharing a similar configuration. By combining multiple distinctive indicators, namely the anomalous OU field, the certificate SHA-256 hash, and the JA4X fingerprint, researchers built advanced search queries to pinpoint still-active infrastructure related to GhostWolf.
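The pivot described above (flag the altered OU field, then combine it with the certificate hash and JA4X fingerprint to rank candidate hosts) can be reproduced with a small amount of standard-library Python. The example below is added here for illustration; it is not code from the original investigation or from Hunt.io. It parses the DER-encoded X.509 Subject directly (no third-party libraries), extracts the OU values, classifies a subject as “suspect” when it carries Support_1024, and then scores constructed host records against three indicator sets. The host records, the IP addresses (RFC 5737 test ranges), the JA4X strings, and the hash values are all constructed placeholders, and the hash is computed over the subject alone rather than over the full certificate, which is what real SSL history tooling does.

```python
import hashlib

# --- Minimal DER helpers (enough for an X.509 Name; no external libraries) ---

def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """Wrap a body in a DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def der_iter(buf: bytes):
    """Yield (tag, value) pairs for each top-level TLV in a DER buffer."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length

# --- X.509 Name handling ---

OID_O, OID_OU, OID_CN = "2.5.4.10", "2.5.4.11", "2.5.4.3"
WOLFSSL_EXAMPLE_OU = "Consulting_1024"   # OU in the stock wolfSSL example certificates
SUSPECT_OU = "Support_1024"              # altered OU reported on the malicious certificates

def build_subject(ou: str, org: str = "wolfSSL", cn: str = "www.wolfssl.com") -> bytes:
    """Build a DER Name: SEQUENCE of SET of SEQUENCE{OID, UTF8String}.
    Used only to construct sample input; the O and CN values are illustrative."""
    attrs = [(OID_O, org), (OID_OU, ou), (OID_CN, cn)]
    rdns = b"".join(tlv(0x31, tlv(0x30, encode_oid(o) + tlv(0x0C, v.encode())))
                    for o, v in attrs)
    return tlv(0x30, rdns)

def subject_attrs(name_der: bytes) -> list:
    """Parse a DER Name into a list of (dotted OID, string value) pairs."""
    _, rdn_seq = next(der_iter(name_der))          # outer SEQUENCE
    out = []
    for _, rdn in der_iter(rdn_seq):               # each SET is one RDN
        for _, atv in der_iter(rdn):               # each AttributeTypeAndValue
            (_, oid_body), (_, value) = der_iter(atv)
            out.append((decode_oid(oid_body), value.decode("utf-8")))
    return out

def classify_subject(name_der: bytes) -> str:
    """'suspect' for the altered OU, 'wolfssl-example' for the stock OU, else 'unrelated'."""
    ous = [v for o, v in subject_attrs(name_der) if o == OID_OU]
    if SUSPECT_OU in ous:
        return "suspect"
    if WOLFSSL_EXAMPLE_OU in ous:
        return "wolfssl-example"
    return "unrelated"

# --- Combining the three indicators into one ranked hunt ---

def indicator_hits(host: dict, known_sha256: set, known_ja4x: set) -> set:
    """Return which indicators (OU anomaly, certificate hash, JA4X) a host record matches."""
    hits = set()
    if classify_subject(host["subject"]) == "suspect":
        hits.add("ou_anomaly")
    if host["sha256"] in known_sha256:
        hits.add("cert_sha256")
    if host["ja4x"] in known_ja4x:
        hits.add("ja4x")
    return hits

def hunt(hosts: list, known_sha256: set, known_ja4x: set) -> list:
    """Rank hosts by number of matching indicators; hosts with no hit are dropped."""
    ranked = [(h["ip"], h["port"], indicator_hits(h, known_sha256, known_ja4x)) for h in hosts]
    return sorted((r for r in ranked if r[2]), key=lambda r: (-len(r[2]), r[0]))

# Constructed sample records: RFC 5737 test addresses and placeholder JA4X strings, not real IoCs.
SUSPECT_SUBJECT = build_subject(SUSPECT_OU)
SUSPECT_SHA256 = hashlib.sha256(SUSPECT_SUBJECT).hexdigest()   # subject-only hash, for the demo
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "port": 443, "subject": SUSPECT_SUBJECT,
     "sha256": SUSPECT_SHA256, "ja4x": "JA4X_PLACEHOLDER_A"},
    {"ip": "192.0.2.20", "port": 443, "subject": build_subject(WOLFSSL_EXAMPLE_OU),
     "sha256": "0" * 64, "ja4x": "JA4X_PLACEHOLDER_B"},
    {"ip": "198.51.100.5", "port": 8443,
     "subject": build_subject("Engineering", org="Example Co", cn="example.com"),
     "sha256": "1" * 64, "ja4x": "JA4X_PLACEHOLDER_A"},
]

if __name__ == "__main__":
    for ip, port, hits in hunt(SAMPLE_HOSTS, {SUSPECT_SHA256}, {"JA4X_PLACEHOLDER_A"}):
        print(f"{ip}:{port} -> {sorted(hits)}")
```

Run as a script it lists 192.0.2.10 first (all three indicators) and 198.51.100.5 after it (JA4X only), while the host carrying the stock Consulting_1024 OU is dropped. The ranking is deliberate: a hash match pins one exact certificate, the OU anomaly survives re-issued certificates that keep the same template, and JA4X alone is the weakest of the three because it reflects certificate structure rather than content, so it should corroborate rather than drive an alert.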
Tools such as Hunt’s Advanced Search were instrumental in identifying six active IP addresses with consistent characteristics. These servers exhibited synchronized behavior, predominantly operating on HTTPS (port 443) or alternate ports such as 8443. Noteworthy observations included the reuse of hosting providers across several geographies, including The Constant Company, LLC and Nebula Global LLC. In addition, IP ranges overlapping with previously identified threat infrastructure reinforced suspicions of ongoing operations.
A server hosting a suspected variant of the GhostWolf certificate was also identified. This server’s certificate resembled the legitimate wolfSSL examples but carried timestamps closely aligned with the Support_1024 infrastructure. Although definitive attribution to RedGolf remains uncertain, the geographic location and hosting provider align with previously reported Command-and-Control operations.
This analysis underscores the persistence of threat actors like RedGolf/APT41. Their consistent use of modified certificates, uniform hosting providers, and closely related IP ranges suggests a deliberate effort to sustain infrastructure longevity while evading detection. The findings highlight the pivotal role of TLS certificate analysis and advanced fingerprinting techniques in detecting and tracking sophisticated threat actors.
The continuation of subtle certificate modifications, along with consistent infrastructure setups, necessitates vigilant defense strategies. Regular analysis of TLS certificates for unusual fields and leveraging enhanced fingerprinting tools like JA4+ are crucial steps in detecting and isolating malicious server configurations from benign traffic. By embracing these practices, defenders can anticipate adversary activity, mitigate risks, and bolster overall network security posture.
The investigation into GhostWolf’s infrastructure exemplifies the significance of persistent monitoring and historical data analysis in combating resolute state-backed cyber threats. This case serves as a reminder of the ever-evolving landscape of cyber threats and the importance of proactive defense measures to thwart malicious actors.