Listen to this Post
Introduction:
A state-sponsored threat actor tracked as UNC6508 (nexus to the People’s Republic of China) executed a stealthy, year-long espionage campaign against North American research institutions spanning academic, medical, and military sectors. By exploiting externally facing REDCap (Research Electronic Data Capture) servers, the attackers deployed a custom malware payload called INFINITERED, intercepted software upgrade processes, and used a novel email exfiltration technique named “Patroit” to silently siphon sensitive data via BCC rules.
Learning Objectives:
- Understand how UNC6508 compromises REDCap servers, maintains persistence through upgrade hooks, and exfiltrates credentials encrypted inside database tables.
- Identify indicators of compromise (IOCs) and YARA rules for INFINITERED, plus defensive measures including phishing-resistant MFA and legacy software removal.
- Implement detection logic for malicious email compliance rules (e.g., “Patroit”) across Microsoft 365 and Google Workspace using regular expression analysis.
You Should Know:
- Intercepting the REDCap Upgrade Process – Persistence via Malicious Code Injection
UNC6508 gained initial access by exploiting unpatched vulnerabilities in externally facing REDCap instances (versions prior to 13.1.0 are known to have multiple RCE flaws). Rather than modifying core files directly, they tampered with the automatic upgrade mechanism. When REDCap checks for updates, the malware replaces legitimate update scripts with a backdoor that re-installs INFINITERED after each upgrade.
Step‑by‑step guide to detect and block this technique:
- Linux (REDCap server): Monitor integrity of upgrade-related directories.
Check for unexpected modifications in REDCap web root sudo find /var/www/redcap -1ame ".php" -mtime -30 -exec grep -l "base64_decode|eval|system" {} \; Verify checksums against known good baseline sha256sum /var/www/redcap/Resources/upgrade.php > current_checksum.txt diff known_good_checksum.txt current_checksum.txt - Prevention: Use immutable deployment patterns (e.g., read-only container images) and disable automatic upgrades; instead, apply patches from a trusted internal repository after integrity validation. Set file integrity monitoring (FIM) on `/var/www/redcap` with tools like AIDE or OSSEC.
- Credential Harvesting – Hiding Data in Legitimate Database Tables
INFINITERED hooks into the PHP `post_process` hook of REDCap, capturing POST request bodies containing login credentials. The malware then encrypts stolen credentials using AES-128-CBC (hardcoded key derived from server hostname) and stores them inside existing REDCap database tables – specifically the `redcap_log_event` table’s `description` column, blending with legitimate logs.
Detection commands (MySQL/MariaDB):
-- Look for unusually long or base64-looking entries in log description SELECT description, LENGTH(description) FROM redcap_log_event WHERE LENGTH(description) > 500 AND description REGEXP '^[A-Za-z0-9+/=]+$'; -- Check for POST request entries with no corresponding user agent SELECT FROM redcap_log_event WHERE description LIKE '%POST%' AND user_agent = '';
Windows / IIS environment: Review HTTP POST logs for repeated credential submissions to /redcap/index.php?route=login. Use PowerShell to extract suspicious POST bodies:
Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\u_ex.log" | Select-String "POST /redcap/index.php" |
ForEach-Object { $_ -match "username=(.?)&password=(.?) " | Out-1ull; Write-Host "User: $($Matches[bash])" }
3. Global Hook Backdoor – Cookie-Based C2 Communication
The attackers registered a custom REDCap hook (ExternalHook global) that executes on every page load. This backdoor parses HTTP Cookie headers for a specific parameter (e.g., X-Cookie-Token) containing encrypted command data. Commands include file exfiltration, privilege escalation, and dropping additional tools. Traffic hides inside Obfuscation (OBF) networks – compromised SOHO routers and residential proxy pools.
Network detection (Zeek/Suricata rule snippet):
Extract cookie patterns from HTTP traffic
sudo tcpdump -i eth0 -A -s 0 'tcp port 80 or port 443' | grep -iE "Cookie:.X-Cookie-Token=[A-Za-z0-9]{32,}"
Mitigation: Implement TLS inspection and block HTTP cookies exceeding 500 bytes. Configure WAF rules to alert on repeated cookie parameter name variations. Use threat intelligence feeds to sinkhole known OBF residential proxy IPs.
4. Privilege Escalation via Internal Reconnaissance
After gaining a foothold, UNC6508 performed internal reconnaissance to discover enterprise administrator accounts. They enumerated LDAP/Active Directory from the compromised REDCap server (which often has integrated authentication). Using stolen service account credentials, they moved laterally to a domain controller, then created a new global admin in Microsoft 365 / Google Workspace.
Commands to detect lateral movement (Windows Event Logs):
Check for unusual LDAP queries originating from web server
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4662} | Where-Object { $<em>.Properties[bash].Value -like "LDAP" }
List recently created privileged users
Get-ADUser -Filter {Enabled -eq $true} -Properties WhenCreated | Where-Object { $</em>.WhenCreated -gt (Get-Date).AddDays(-30) }
Hardening: Enforce phishing-resistant MFA (FIDO2 or smart card) for all enterprise admins. Restrict outbound LDAP from application servers via Windows Firewall. Use Azure AD Identity Protection to detect high-risk sign-ins.
5. Novel Exfiltration – “Patroit” Email Compliance Rule
The most striking technique: UNC6508 manipulated domain‑wide content compliance rules (a legitimate feature in Microsoft 365 Exchange and Google Workspace). They created a rule named “Patroit” that uses regular expressions to match keywords such as (military strategy|advanced technology|pathogen|vaccine research|F35|hypersonic). When an email (incoming or outgoing) matches, the rule silently BCCs a copy to an attacker‑controlled external mailbox.
Step‑by‑step detection and remediation:
- Microsoft 365 (Exchange Online): Use PowerShell to list all compliance rules and inspect regex patterns.
Connect-ExchangeOnline Get-TransportRule | Format-List Name, Condition, Actions Look for rules with "BlindCopyTo" action and no legitimate owner description Get-TransportRule -Identity "Patroit" | Remove-TransportRule -Confirm:$false
- Google Workspace: Audit content compliance rules via GAM (Google Workspace Admin CLI).
gam print rules | grep -E "Patroit|blind_copy|regex" Delete malicious rule gam delete rule patroit-rule-id
- Proactive defense: Disable external BCC in compliance rules unless absolutely necessary. Implement alerting when any content compliance rule is created or modified (audit log monitoring). Train security teams to treat email forwarding rules as high‑risk IOC.
6. Obfuscation Networks and Traffic Concealment
UNC6508 chained compromised SOHO routers (often with default credentials) and residential proxy services (e.g., Luminati, now Bright Data) to mask their command‑and‑control traffic. This made IP‑based blocking ineffective. The INFINITERED malware uses HTTPS with legitimate certificates but sends beacon data inside Cookie headers that resemble normal session tokens.
Detection: Deploy network flow analysis to identify “jittery” beacon patterns – periodic outbound HTTPS requests with high entropy cookie values.
Extract unique cookie lengths from PCAP
tshark -r capture.pcap -Y "http.cookie" -T fields -e http.cookie | awk '{print length}' | sort | uniq -c
Look for cookie lengths consistently between 200-500 bytes
Mitigation: Use SSL/TLS decryption (with proper governance) and apply machine learning based anomaly detection on HTTP header statistics. Block known residential proxy ASNs at the firewall.
7. IOCs and YARA Rules for INFINITERED
Mandiant released YARA rules to detect the custom payload. Key indicators include:
– Mutex name: `Global\INFINITERED_HOOK`
– Registry persistence: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` with value `RedCapUpgradeHelper`
– File hashes (example – replace with actual from Mandiant report)
YARA rule snippet:
rule INFINITERED_Payload {
strings:
$a = "REDCap_Upgrade_Injector" wide ascii
$b = "base64_decode" nocase
$c = "patch_request" nocase
condition:
($a or $b) and $c and filesize < 2MB
}
Deployment: Integrate YARA with EDR (e.g., CrowdStrike, SentinelOne) or run manually:
yara64.exe -r infini-yara.yar C:\REDCap\webroot\
What Undercode Say:
- Key Takeaway 1: Attackers increasingly abuse legitimate enterprise features – here, email compliance rules – to evade detection. Traditional DLP and perimeter controls are blind to internal rule manipulation.
- Key Takeaway 2: The REDCap ecosystem (widely used in research) has become a prime target. Institutions must treat REDCap as a critical asset, applying zero trust principles, patching aggressively, and isolating it from enterprise identity stores.
Analysis (10 lines):
UNC6508 demonstrates that espionage groups now combine application‑specific malware (INFINITERED) with cloud misconfigurations. The Patroit rule is especially concerning because it leverages an admin feature intended for legal compliance, turning it into a silent spy channel. Most organisations never audit content compliance rules after initial setup. Furthermore, the use of OBF networks and residential proxies shows that threat actors have commoditised anonymisation. Defence must shift to detecting behavioural anomalies – such as a web server making LDAP queries or a sudden creation of a BCC rule. The year‑long undetected presence indicates that traditional SIEM alerts on volume‑based exfiltration fail against this low‑and‑slow approach. Proactive hunting using the IOCs and YARA rules provided by Mandiant is essential. Finally, removing legacy software and enforcing FIDO2 tokens would have blocked the privilege escalation chain entirely.
Prediction:
- -1: Expect copycat groups to adopt the “Patroit” technique across other SaaS platforms (e.g., Slack, Teams, Box), using compliance APIs to siphon data without touching traditional endpoints. Defenders will struggle to distinguish malicious rules from legitimate data governance policies.
- -1: The REDCap supply chain will become a recurring target; unless the project mandates code signing and upgrades via signed packages, similar downgrade attacks will succeed against under‑resourced academic medical centers.
- +1: Mandiant’s public release of IOCs and YARA rules will trigger rapid detection in commercial EDR and NDR tools, reducing the average dwell time for existing compromises from one year to weeks.
- -1: OBF networks and residential proxies will continue evolving with AI‑generated traffic patterns that mimic real user behaviour, rendering current ML models ineffective without continuous retraining.
- +1: Cloud providers (Google, Microsoft) will introduce automated audit alerts for mass BCC rule creations or regex patterns matching classified keywords, turning this weakness into a telemetry goldmine for threat hunters.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Sophisticated Espionage – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
