[TIMESTAMP: 2026-06-15 17:51 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

UNC6508 Targets REDCap Servers: Espionage via INFINITERED Malware

CRITICAL Threat Intel #UNC6508 #INFINITERED #REDCap
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] UNC6508, a PRC-nexus threat actor, targets North American academic, medical, and military research for sensitive intelligence.
  • [02] Compromised systems include externally facing REDCap servers and internal enterprise administrative accounts.
  • [03] Patch all REDCap installations and delete leftover legacy release directories, enforce phishing-resistant 2-Step Verification for administrators, and monitor audit logs (including content compliance rule changes) for anomalous activity.

Overview of UNC6508 Espionage Campaign

Google Threat Intelligence Group (GTIG) has identified a persistent espionage campaign, attributed with high confidence to UNC6508, a People’s Republic of China (PRC)-nexus APT. The actor has extensively targeted institutions in the North American academic, medical, and military research communities. The campaign, which remained largely undetected for over a year, involved exploitation of externally facing web applications, deployment of custom malware dubbed INFINITERED, lateral movement into sensitive internal systems, and the novel abuse of enterprise administrative tools for covert data exfiltration. According to GTIG, UNC6508’s collection interests are broad: national security, Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, offensive cyber programs, and critical medical research.

The targeted organisations span world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies. Their collective research budgets run into billions of dollars, underscoring the value of the intelligence sought. The earliest known compromise dates back to September 2023, indicating a consistent operational pattern focused on long-term data acquisition.

Technical Analysis and Attack Chain of UNC6508 REDCap Server Compromise

Initial Access: REDCap Exploitation and Web Shell Deployment

The primary initial access vector was the exploitation of externally facing REDCap (Research Electronic Data Capture) servers. REDCap is a widely used web-based platform for managing online databases and surveys in medical and scientific research. GTIG could not confirm the exact initial access method, but UNC6508 was observed probing for vulnerable legacy versions of REDCap. Because a REDCap upgrade installs each release in its own directory and leaves the previous ones in place, an unpatched older version can remain reachable from the internet long after the current version has been patched; defenders therefore need to both patch promptly and delete the leftover release directories, not just upgrade.

Upon gaining a foothold, UNC6508 conducted internal reconnaissance and credential discovery, obtaining database and service account credentials. A web shell named help.php was deployed inside the REDCap application to maintain access and upload further files.

INFINITERED Malware: Components and Functionality

Approximately three months after initial compromise, UNC6508 deployed its custom malware, INFINITERED. Rather than running as a separate binary, the payload is woven into legitimate REDCap PHP system files and consists of three modular components:

  • Dropper and upgrade interception: the dropper re-injects INFINITERED into the new REDCap release during the upgrade process, so the malware survives updates, which complicates both detection and remediation. In Elastic Beanstalk deployments it takes additional steps to persist in the cloud environment.
  • Credential harvester: injected into the authentication system file, this component captures usernames and passwords from POST requests during login. The encrypted credentials are hidden in rows of the legitimate REDCap sessions database table, with the string xc32038474a prepended to the session ID, so they blend in with normal database activity.
  • Backdoor: planted in the custom hooks system file, the backdoor runs on every REDCap page load and reads encrypted commands from an HTTP cookie named REDCAP-TOKEN. With no command payload it acts as a beacon, returning system details such as the OS, PHP version, and database credentials; with a payload it executes arbitrary shell commands, runs SQL queries, and transfers files, giving the actor full C2 over the server.
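
The indicators described above translate into a straightforward host-side triage: hash every PHP file under the web root against the published SHA256s, search the files for the version GUID delimiter and the C2 cookie name, list the per-release directories that REDCap upgrades leave behind, and look for the harvester's prefix in session IDs exported from the sessions table. The following Python script is an added example for this write-up, not GTIG's YARA rule and not REDCap code. The files it creates and the session-ID list are constructed; the demo-only hash it registers for its constructed help.php is labelled as such (the real IoC hashes cannot be reproduced from a stand-in file); and the REDCAP-TOKEN string check is a heuristic rather than a hash-grade indicator.

```python
"""Host-side triage for INFINITERED indicators on a REDCap server.

Added example for this write-up; it is not REDCap code and not GTIG's YARA rule.
Assumptions: the caller supplies the web root and the session-ID list; the files
created in demo() are constructed to exercise each check.
"""
import hashlib
import tempfile
from pathlib import Path

# File hashes published with the GTIG report.
IOC_SHA256 = {
    "ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7": "help.php web shell",
    "db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136": "credential harvester",
    "c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b": "credential harvester",
    "8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec": "backdoor",
    "51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045": "backdoor",
    "4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b": "dropper",
    "58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86": "dropper",
}
# Strings from the report. The cookie name is a heuristic, not a hash-grade indicator.
IOC_STRINGS = {
    "b49e334d-9c01-463e-9bc5-00a6920fb66e": "INFINITERED version GUID delimiter",
    "REDCAP-TOKEN": "backdoor C2 cookie name",
}
SESSION_PREFIX = "xc32038474a"  # harvester prefix on redcap_sessions.session_id


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root, hashes=IOC_SHA256, strings=IOC_STRINGS):
    """Walk every .php file under root; report hash matches and embedded IoC strings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = str(path.relative_to(root))
        digest = sha256_of(path)
        if digest in hashes:
            findings.append((rel, "hash", hashes[digest]))
        text = path.read_bytes()
        for needle, label in strings.items():
            if needle.encode() in text:
                findings.append((rel, "string", label))
    return findings


def list_version_dirs(root):
    """REDCap keeps each release in its own redcap_vX.Y.Z directory and old ones stay
    web-reachable until removed; anything older than the current release is a target."""
    return sorted(p.name for p in Path(root).iterdir()
                  if p.is_dir() and p.name.startswith("redcap_v"))


def flag_sessions(session_ids):
    """Session IDs (exported from the sessions table) that carry the harvester's prefix."""
    return [s for s in session_ids if s.startswith(SESSION_PREFIX)]


def demo():
    """Constructed layout: a clean file, a file carrying the GUID delimiter, a trojaned
    hooks file, and a stand-in help.php whose hash is added to a demo-only hash set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "redcap_v14.0.0" / "Classes").mkdir(parents=True)
        (root / "redcap_v13.1.0").mkdir()  # stale release left behind by an upgrade
        (root / "redcap_v14.0.0" / "index.php").write_text("<?php echo 'ok'; ?>")
        (root / "redcap_v14.0.0" / "Classes" / "System.php").write_text(
            "<?php /* b49e334d-9c01-463e-9bc5-00a6920fb66e */ eval(base64_decode('')); ?>")
        (root / "redcap_v14.0.0" / "hooks.php").write_text(
            "<?php if (isset($_COOKIE['REDCAP-TOKEN'])) { /* constructed backdoor stand-in */ } ?>")
        shell = root / "redcap_v13.1.0" / "help.php"
        shell.write_text("<?php /* constructed web shell stand-in */ ?>")
        demo_hashes = dict(IOC_SHA256)
        demo_hashes[sha256_of(shell)] = "constructed help.php (demo-only hash)"
        return {
            "files": scan_webroot(root, hashes=demo_hashes),
            "version_dirs": list_version_dirs(root),
            "sessions": flag_sessions(["a1b2c3d4e5f6", "xc32038474a9f8e7d6c5b4a3", "deadbeefcafe"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real server, point scan_webroot and list_version_dirs at the REDCap web root and feed flag_sessions the session_id column from the sessions table; a hash hit is confirmation, a string hit is a lead to triage by hand, and any redcap_v directory older than the running release should be removed after the investigation has preserved it.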

Novel Data Exfiltration via Content Compliance Rules

More than a year after initial access, UNC6508 used harvested credentials to log in to an enterprise administrator account, a reminder of the risk of credential reuse and of why multi-factor authentication on administrative identities matters. In a TTP not previously observed from PRC-nexus actors, UNC6508 then abused a legitimate Google Workspace feature, Gmail content compliance rules, to exfiltrate mail.

The actor created a compliance rule named “Patroit” (sic) using regular expressions to match keywords and email address patterns in sent or received emails. Matched emails were silently BCC-forwarded to an actor-controlled Gmail address (BebitaBarefoot774[@]gmail[.]com), creating a continuous and covert stream of exfiltrated data. The terms targeted in this rule suggest a strategic focus on geo-strategic policy, military strategy, advanced technology, and specific medical research, like the Chikungunya pathogen, indicating an alignment with PRC strategic intelligence priorities.
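
To make the audit of such rules concrete, the following Python script is an added example for this write-up (not GTIG tooling and not the Google Workspace Admin SDK). It takes a simplified rendering of a content compliance rule, flags any added recipient outside the organisation's domains and any change made from the reported IoC IP, and replays the rule's regexes over sample messages to show what the rule would have silently copied out. The ComplianceRule layout, the org domain example.edu, the regex patterns, the actor and the messages are constructed assumptions; only the recipient address and the source IP come from the report.

```python
"""Review a Gmail content compliance rule for silent external forwarding, the
exfiltration path the report attributes to UNC6508.

Added example for this write-up, not GTIG tooling and not the Workspace Admin SDK.
ComplianceRule is an assumed, simplified rendering of what a rule export or the
admin audit log gives you; map your own export's fields onto it.
"""
import re
from dataclasses import dataclass, field

ORG_DOMAINS = {"example.edu"}              # assumed: the tenant's own domains
IOC_IP = "23.169.65.49"                    # from the report: source of the admin login
IOC_EXFIL = "bebitabarefoot774@gmail.com"  # from the report: exfiltration mailbox


@dataclass
class ComplianceRule:
    name: str
    patterns: list           # regexes the rule applies to addresses, subject and body
    added_recipients: list   # targets of the rule's "add recipients" (BCC) action
    actor: str               # admin account that created or changed the rule
    source_ip: str           # where that admin session came from
    org_domains: set = field(default_factory=lambda: set(ORG_DOMAINS))


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def review_rule(rule: ComplianceRule):
    """Return (severity, reason) findings; an empty list means nothing suspicious."""
    findings = []
    for addr in rule.added_recipients:
        if domain_of(addr) not in rule.org_domains:
            sev = "critical" if addr.lower() == IOC_EXFIL else "high"
            findings.append((sev, f"rule '{rule.name}' copies matching mail to external address {addr}"))
    if rule.source_ip == IOC_IP:
        findings.append(("critical", f"rule '{rule.name}' was changed by {rule.actor} from IoC IP {IOC_IP}"))
    return findings


def rule_matches(rule: ComplianceRule, message: dict) -> bool:
    """Approximates the rule's matching: any pattern against addresses, subject or body."""
    text = " ".join((message["from"], message["to"], message["subject"], message["body"]))
    return any(re.search(p, text, re.IGNORECASE) for p in rule.patterns)


def simulate_exposure(rule: ComplianceRule, messages):
    """IDs of the messages the rule would have silently BCC'd: the scope of the leak."""
    return [m["id"] for m in messages if rule_matches(rule, m)]


def demo():
    # Constructed rule: name and recipient from the report, patterns are illustrative.
    rule = ComplianceRule(
        name="Patroit",
        patterns=[r"chikungunya", r"indo[- ]?pacific",
                  r"\b[a-z0-9._%+-]+@[a-z0-9.-]+\.mil\b"],   # keyword and address patterns
        added_recipients=["BebitaBarefoot774@gmail.com"],
        actor="admin@example.edu",
        source_ip="23.169.65.49",
    )
    # Constructed sample messages.
    messages = [
        {"id": "m1", "from": "pi@example.edu", "to": "lab@example.edu",
         "subject": "Chikungunya vaccine trial: interim results", "body": "Draft attached."},
        {"id": "m2", "from": "hr@example.edu", "to": "all@example.edu",
         "subject": "Parking permit renewal", "body": "Forms due Friday."},
        {"id": "m3", "from": "pi@example.edu", "to": "liaison@health.mil",
         "subject": "Meeting follow-up", "body": "Slides as discussed."},
        {"id": "m4", "from": "dean@example.edu", "to": "pi@example.edu",
         "subject": "Indo-Pacific logistics workshop", "body": "Agenda below."},
    ]
    return review_rule(rule), simulate_exposure(rule, messages)


if __name__ == "__main__":
    findings, exposed = demo()
    for sev, reason in findings:
        print(sev.upper(), reason)
    print("messages the rule would have copied out:", exposed)
```

The first function is the detection you want wired to your rule inventory and admin audit feed: a compliance rule that adds a recipient outside your own domains is either a documented integration or an exfiltration channel, and there is no third case. The second is for scoping after the fact, since the rule's own regexes tell you exactly which historical mail it would have forwarded.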

Sophisticated Operations Security (OpSec)

UNC6508 exhibited meticulous OpSec. They relied heavily on Obfuscation (OBF) networks, routing offensive traffic through compromised routers, residential proxies, and Virtual Private Servers (VPS) predominantly located in the US. This sophisticated proxy infrastructure significantly complicates efforts to establish accurate attribution and trace infrastructure. The dedicated use of a mass-created Gmail account solely for exfiltration further demonstrates their commitment to remaining undetected.

Actionable Recommendations and Mitigations

Organisations in the academic, medical, and military research sectors, particularly those utilising REDCap, must prioritise robust security measures to counter campaigns like those by UNC6508. Effective mitigation strategies include:

  • REDCap Patching and Legacy Version Removal: update every REDCap installation to the latest release immediately, and delete all older release directories left behind by previous upgrades so that no unpatched legacy version remains reachable on the server.
  • Enhanced Account Security: Enforce phishing-resistant 2-Step Verification (2SV) for all enterprise administrator accounts, including those managed by third-party Identity Providers (IdP). Implement unique, strong credentials across different security domains to prevent credential replay attacks.
  • Prevent Cookie Theft: Deploy Device Bound Session Credentials (DBSC) with Context-Aware Access (CAA) for highly sensitive accounts on Windows devices to mitigate session hijacking risks.
  • Comprehensive Logging and Monitoring: Enable and actively monitor Audit logs across all platforms (e.g., Workspace logs in your SIEM). Specifically, audit changes to content compliance rules and administrator actions to detect unauthorised modifications.
  • Data Loss Prevention (DLP): Define and enforce stringent DLP rules to prevent or alert on the external sharing of sensitive data, especially email content matching strategic keywords.
  • Security Information and Event Management (SIEM) Coverage: Ensure your SIEM system has comprehensive coverage, integrating logs from all cloud and on-premises environments, including Workspace logs, to facilitate the identification of IoCs and anomalous activities.
  • Password Leak Detection: Utilise tools like Chrome Enterprise Password Leak Detection to alert when potentially compromised password use is detected.
  • Scan for INFINITERED Malware: deploy detection for the malware and its IoCs, including the YARA rule published with the GTIG report, and scan REDCap servers and adjacent systems for its components. The IoCs in the GTIG collection are the basis for proactive hunting.

Key Indicators of Compromise (IoCs)

Organisations should review and integrate the following IoCs into their security monitoring and detection systems:

  • Network Indicators:
    • Email: BebitaBarefoot774@gmail.com (Email exfiltration account)
    • IP: 23.169.65.49 (Source of admin login, compromised ASUS router)
  • Host Indicators:
    • b49e334d-9c01-463e-9bc5-00a6920fb66e (INFINITERED software version GUID delimiter)
    • xc32038474a (INFINITERED REDCap database session ID prefix)
  • File SHA256s (for persistence, credential harvester, backdoor, and dropper components):
    • ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7 (help.php web shell)
    • db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136 (Credential Harvester)
    • c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b (Credential Harvester)
    • 8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec (Backdoor)
    • 51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045 (Backdoor)
    • 4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b (Dropper)
    • 58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86 (Dropper)

Defenders should also run the YARA rule published with the GTIG report across their environments to proactively detect INFINITERED components.
