The RedAlpha APT group, linked to the Chinese state, has been spying on organizations through massive phishing campaigns
RedAlpha specializes in mass credential-harvesting, which it accomplishes via convincing phishing emails with attached PDFs that lead to purported login pages. The group has been operational since at least 2015.
Last year, RedAlpha stood up at least 350 domains overall, representing a big spike in its activity. The observed phishing pages mimicked legitimate email login portals for these specific targets, suggesting the attackers intended to target individuals directly affiliated with the organizations, as opposed to using the branding of the entities to target other third parties.
The APT has been observed directly targeting Tibetan and Uyghur communities and protesters such as Falun Gong members, and it has been particularly interested in anything Taiwan-related. The targets align closely with Chinese interests. The purpose is to gain access to email accounts and other online communications of victims, in order to eavesdrop and gather political intel on the targets, researchers surmise.
The spoofing has also included impersonating well-known email service providers in an effort to look legitimate, including typosquatted Yahoo (135 domains), Google (91 domains), and Microsoft (70 domains).
The researchers say that characteristics of the group’s efforts include the use of *resellerclub[.]com nameservers; using the virtual private server (VPS) hosting provider Virtual Machine Solutions (VirMach); similar domain-naming conventions, such as the use of “mydrive-”, “accounts-”, “mail-”, “drive-”, and “files-” strings across hundreds of domains; overlapping WHOIS registrant names, email addresses, phone numbers, and organizations; and the use of specific server-side technology components and fake HTTP 404 Not Found errors.
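As an added illustration (not code from the researchers), the naming conventions and impersonated brands listed above can be turned into a triage heuristic over DNS query logs. The log format, allowlisted domains, digit folding and sample lines are assumptions constructed for this example; it covers only the naming traits, not the nameserver, WHOIS or HTTP characteristics.

```python
# Naming-convention strings the article lists for the group's domains.
PREFIXES = ("mydrive-", "accounts-", "mail-", "drive-", "files-")
# Impersonated brands from the article -> allowlisted domains (allowlist is an assumption).
BRANDS = {
    "yahoo": {"yahoo.com"},
    "google": {"google.com", "googleusercontent.com"},
    "microsoft": {"microsoft.com", "live.com"},
}
# Assumption: fold common digit-for-letter swaps before brand matching.
LOOKALIKES = str.maketrans("01", "ol")

def match_reasons(fqdn):
    """Return the sorted reasons a queried name matches the reported pattern."""
    fqdn = fqdn.lower().rstrip(".")
    # Naive registered domain (last two labels); wrong for suffixes like co.uk.
    registered = ".".join(fqdn.split(".")[-2:])
    reasons = set()
    for label in fqdn.split("."):
        for prefix in PREFIXES:
            if label.startswith(prefix) and len(label) > len(prefix):
                reasons.add("prefix:" + prefix)
    folded = fqdn.translate(LOOKALIKES)
    for brand, legit in BRANDS.items():
        if brand in folded and registered not in legit:
            reasons.add("brand:" + brand)
    return sorted(reasons)

def triage(log_lines):
    """Return (qname, severity, reasons) for lines of 'time client qname type'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        reasons = match_reasons(fields[2])
        kinds = {r.split(":")[0] for r in reasons}
        if kinds:
            hits.append((fields[2], "high" if len(kinds) == 2 else "low", reasons))
    return hits

# Constructed sample DNS query log (not real indicators).
SAMPLE_LOG = [
    "2022-08-16T10:02:11Z 10.0.0.5 mail-yahoo.login-portal.example A",
    "2022-08-16T10:02:15Z 10.0.0.7 accounts-g00gle.example A",
    "2022-08-16T10:03:40Z 10.0.0.5 mail.google.com A",
    "2022-08-16T10:04:02Z 10.0.0.9 files-archive.corp.example A",
]
if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A prefix-only match is rated low because strings such as "mail-" and "files-" also appear in benign hostnames; the combination with a brand name outside its allowlisted domains is what raises the severity.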
Any organization should bolster user awareness and employ basic defenses to avoid being on the hook from phishing, Guccione adds.
This research was conducted and documented by researchers from Insikt.