Tracking Adversaries: RedZei, Chinese-speaking scammers targeting Chinese students in the UK

-

 


Welcome to the final BushidoToken blog of 2022. Over the last year or so, an associate of mine in the UK has been targeted by a persistent Chinese-speaking scammer. The scammer often calls once or twice a month from a unique UK-based phone number and, if left unanswered, leaves an unusual automated voicemail. 

I got the recorded voicemails and identified that they are almost certainly scam calls from Chinese-speaking fraudsters targeting Chinese international students at universities in the UK. I have tracked this campaign for over a year and built a profile on the group's activities based on just the calls and voicemails they have left. I am now disclosing these attempts and subsequently tracking this activity group as "RedZei" (aka "RedThief").

The RedZei fraudsters have chosen their targets carefully, researched them and realized it was a rich victim group that is ripe for exploitation. A quick OSINT search found several recent articles about this apparently lucrative malicious campaign:

The compelling aspect about this scam is how well the attempts were crafted and the careful tradecraft employed to evade traditional steps users take to block such scams. For each wave of scam calls, RedZei will mostly use a new pay-as-you-go +44 UK phone number every time from one of the main mobile network operators (MNOs). This essentially renders blocking the scammers phone numbers ineffective. 

Further, as RedZei alternates between SIMs from several UK mobile carriers it is difficult for the telecom companies to stop this type of activity. As the activity is also in Chinese, the carriers are less likely to investigate this campaign to additional effort required. The RedZei group, and others like it, are therefore effectively operating with impunity and will continue to do so for the foreseeable future.

Figure 1 - Calls associated with RedZei campaign 

Figure 1 contains a timeline of when these scam calls are made, including the origin of the caller's number, the mobile carrier (identified using OSINT), the date and time of the call, as well as the theme of the call. As I am not a Chinese speaker and did not get all of the voicemails verified by Chinese speakers, the theme of some of them is currently unknown. The phone numbers in plaintext are available in a Gist here.

Some of the key attributes of the RedZei gang includes leveraging Chinese enterprises, such as the Bank of China or China Mobile (CMLink) to social engineer the international students into providing their personal details. Other themes exploited by RedZei includes the "abnormal usage of your NHS number" and international parcels being delivered from DHL, which are both common concerns for Chinese students studying in the UK. 

Figure 2 - Diamond Model highlighting the attributes of RedZei

To build a better understanding of the RedZei scammers, I created a simple Diamond Model diagram to highlight the attributes of the activity group for continued tracking (see Figure 2).

If you're interested in listening to the Chinese scam calls and translating the ones I was not able to, I have uploaded them to SoundCloud here:


Please feel free to leave a comment on the Gist here if you are able to translate calls from any of the numbers referenced in this blog.

Thanks for reading. Happy New Year and have a good 2023!

UPDATE: GitHub user "freela819" has kindly provided additional context on surrounding the nature of the other calls made by the RedZei group (available in the Gist here). Additional voicemail themes leveraged by RedZei includes masquerading as Chinese government officials, such as the Chinese Embassy in the UK, the Chinese Ministry of Industry and Information Technology (MIIT), and the Chinese Communications Administration, as well as other couriers such as Royal Mail and UPS. 

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more