RedNovember is a highly sophisticated Chinese state-sponsored threat actor (tracked previously as TAG-100 and overlapping with Storm-2077) engaged in cyber-espionage operations. Active from at least mid-2024 to mid-2025, RedNovember has demonstrated advanced capabilities in exploiting edge infrastructure, leveraging open-source tools, and aligning its operations with Chinese geopolitical interests. This threat group poses a significant risk to government, defense, aerospace, and high-technology manufacturing sectors globally.
Severity: High
Threat Details
1. Reconnaissance
- RedNovember scans internet-facing systems like VPNs, firewalls, and OWA portals.
- Tools like Acunetix, Burp Suite, and crt.sh are used to gather infrastructure intelligence.
2. Infrastructure Setup
- The group registers deceptive domains (e.g., offiec[.]us[.]kg) and configures VPS-based C2 servers.
- These are used to deliver payloads and facilitate communication with infected hosts.
3. Initial Access
- Access is gained through exploiting edge vulnerabilities or delivering spearphishing lures.
4. Exploited Vulnerabilities
- CVE-2024-3400 (Palo Alto GlobalProtect RCE), CVE-2024-24919 (Check Point VPN Arbitrary File Read), and CVE-2022-30190 (Microsoft Follina Exploit in Word Documents).
5. Execution
- LESLIELOADER is used to load SparkRAT or Cobalt Strike in memory for stealthy execution.
- Payloads often masquerade as software updates or internal IT communications.
6. Command and Control
- C2 traffic flows over HTTPS or non-standard ports to evade detection.
- Infrastructure is obfuscated and sometimes hosted on Chinese ASNs or public services.
7. Post-Exploitation
- Once inside, RedNovember performs lateral movement, internal recon, and data theft.
- Operations align with China’s strategic interests, targeting sensitive government and defense assets.
Toolset
- Backdoors: Pantegana (Go-based), SparkRAT
- Loaders: LESLIELOADER
- Post-exploitation: Cobalt Strike
- File delivery: PDF/Word lure documents, staging via offiec[.]us[.]kg
- Infra tools: VPN tunneling (ExpressVPN, Warp VPN), vulnerability scanners, file sharing platforms (Gofile, pan[.]xj[.]hk)
Victimology
RedNovember’s targeting spans multiple continents and industry verticals, with key geographies including:
- North America: U.S. defense contractors, oil & gas companies, legal firms, news outlets.
- Asia-Pacific: Taiwan (military and semiconductor R&D), South Korea (nuclear, telecom), Fiji (BRI-aligned sectors).
- Europe: Aerospace & engine manufacturers, space research, law firms.
- South America: Over 30 Panamanian government entities, targeted following geopolitical events.
- Africa: State security and government infrastructure.
Recommendations
- Prioritize patching CVEs exploited by RedNovember (i.e., CVE-2024-3400, CVE-2024-24919, CVE-2022-30190).
- Minimize exposure of VPNs, firewalls, and OWA portals; disable unused interfaces immediately.
- Enforce MFA, especially on externally exposed devices and services.
- Ensure security monitoring and detection capabilities are in place for all external-facing services and devices. Monitor for follow-on activity likely to occur following exploitation of these external-facing services, such as the deployment of web shells, backdoors, or reverse shells, as well as subsequent lateral movement to internal networks.
- Block macro-enabled Office documents and disable embedded scripts.
- Conduct user awareness training on spearphishing techniques. Alert staff about suspicious file attachments or IT department impersonations.
- Block the IOCs at their respective controls. The full indicator set is published as a VirusTotal collection: https://www.virustotal.com/gui/collection/94c64dbc5b3219c8fc9d02ed37f3a8a63e0069e7fc4f5657389d2e12947c6fec/iocs.
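A defender-side check, added here as an illustration and not part of the original advisory: it refangs the two defanged domains named above (offiec[.]us[.]kg, pan[.]xj[.]hk), matches them including subdomains against constructed sample proxy log lines in a hypothetical key=value format, and additionally flags TLS to non-standard ports as a lower-confidence lead, in line with the C2 behaviour described in the Threat Details.

```python
import re
from typing import Iterable, Optional

# Domains from the advisory, copied in their defanged form.
DEFANGED_IOCS = ["offiec[.]us[.]kg", "pan[.]xj[.]hk"]
STANDARD_WEB_PORTS = {80, 443}

def refang(indicator: str) -> str:
    """Convert defanged notation ('[.]', '(.)', 'hxxp://') back into a plain hostname."""
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".")
    return d.rstrip("/").rstrip(".")

def matching_ioc(host: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IoC that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

# Constructed sample proxy log lines (hypothetical format; not from the advisory).
SAMPLE_LOGS = [
    "ts=2025-03-01T09:12:03Z src=10.0.4.17 host=update.microsoft.com dst_port=443 proto=tls",
    "ts=2025-03-01T09:12:41Z src=10.0.4.17 host=cdn.offiec.us.kg dst_port=443 proto=tls",
    "ts=2025-03-01T09:13:10Z src=10.0.4.22 host=203.0.113.45 dst_port=8443 proto=tls",
    "ts=2025-03-01T09:14:55Z src=10.0.4.17 host=pan.xj.hk dst_port=80 proto=http",
    "ts=2025-03-01T09:15:02Z src=10.0.4.31 host=mail.example.com dst_port=443 proto=tls",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def scan_logs(lines: Iterable[str], defanged: Iterable[str] = DEFANGED_IOCS) -> list:
    """Flag IoC matches (high confidence) and TLS on non-standard ports (low confidence)."""
    iocs = [refang(i) for i in defanged]
    findings = []
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        host = fields.get("host", "")
        port = int(fields.get("dst_port", 0))
        ioc = matching_ioc(host, iocs)
        if ioc:
            findings.append(("ioc-match", host, ioc))
        elif fields.get("proto") == "tls" and port not in STANDARD_WEB_PORTS:
            findings.append(("tls-nonstandard-port", host, str(port)))
    return findings

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
```

Subdomain matching matters because staging hosts are often served from subdomains of the registered IoC domain; the non-standard-port rule is a triage hint, not an indicator on its own.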