HomeCyber BalkansMustang Panda Targets Asia with Advanced PlugX Variant DOPLUGS

Mustang Panda Targets Asia with Advanced PlugX Variant DOPLUGS

Published on

spot_img


 

PlugX Variant DOPLUGS

The China-linked threat actor known as Mustang Panda has targeted various Asian countries using a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.

“The piece of customized PlugX malware is dissimilar to the general type of the PlugX malware that contains a completed backdoor command module, and that the former is only used for downloading the latter,” Trend Micro researchers Sunny Lu and Pierre Lee said in a new technical write-up.

Targets of DOPLUGS have been primarily located in Taiwan, and Vietnam, and to a lesser extent in Hong Kong, India, Japan, Malaysia, Mongolia, and even China.

PlugX is a staple tool of Mustang Panda, which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416, and TEMP.Hex. It’s known to be active since at least 2012, although it first came to light in 2017.

The threat actor’s tradecraft entails carrying out well-forged spear-phishing campaigns that are designed to deploy custom malware. It also has a track record of deploying its own customized PlugX variants such as RedDeltaThorHodur, and DOPLUGS (distributed via a campaign named SmugX) since 2018.

Compromise chains leverage a set of distinct tactics, using phishing messages as a conduit to deliver a first-stage payload that, while displaying a decoy document to the recipient, covertly unpacks a legitimate, signed executable that’s vulnerable to DLL side-loading in order to side-load a dynamic-link library (DLL), which, in turn, decrypts and executes PlugX.

The PlugX malware subsequently retrieves Poison Ivy remote access trojan (RAT) or Cobalt Strike Beacon to establish a connection with a Mustang Panda-controlled server.

In December 2023, Lab52 uncovered a Mustang Panda campaign targeting Taiwanese political, diplomatic, and governmental entities with DOPLUGS, but with a notable difference.

“The malicious DLL is written in the Nim programming language,” Lab52 said. “This new variant uses its own implementation of the RC4 algorithm to decrypt PlugX, unlike previous versions that use the Windows Cryptsp.dll library.”

DOPLUGS, first documented by Secureworks in September 2022, is a downloader with four backdoor commands, one of which is orchestrated to download the general type of the PlugX malware.

Trend Micro said it also identified DOPLUGS samples integrated with a module known as KillSomeOne, a plugin that’s responsible for malware distribution, information collection, and document theft via USB drives.

This variant comes fitted with an extra launcher component that executes the legitimate executable to perform DLL-sideloading, in addition to supporting functionality to run commands and download the next-stage malware from an actor-controlled server.

It’s worth noting that a customized PlugX variant, including the KillSomeOne module designed for spreading via USB, was uncovered as early as January 2020 by Avira as part of attacks directed against Hong Kong and Vietnam.

“This shows that Earth Preta has been refining its tools for some time now, constantly adding new functionalities and features,” the researchers said. “The group remains highly active, particularly in Europe and Asia.”

-REFERENCE: https://thehackernews.com/2024/02/mustang-panda-targets-asia-with.html

K.Z



Source link

Latest articles

DEF CON 32: Exploiting Self-Hosted GitHub Runners with Grand Theft Actions

At the annual DEF CON 32 conference, a presentation titled "Grand Theft Actions: Abusing...

Key Trends and Challenges in the UK’s Cybersecurity Landscape for 2025

In the ever-evolving landscape of cybersecurity, organisations are constantly challenged to stay ahead of...

Santee provides limited information on cyber attack or data recovery contract

The city of Santee, California, has been dealing with a data security incident for...

The Critical Importance of Data Minimization Standards

In the realm of data protection, the concept of data minimization plays a crucial...

More like this

DEF CON 32: Exploiting Self-Hosted GitHub Runners with Grand Theft Actions

At the annual DEF CON 32 conference, a presentation titled "Grand Theft Actions: Abusing...

Key Trends and Challenges in the UK’s Cybersecurity Landscape for 2025

In the ever-evolving landscape of cybersecurity, organisations are constantly challenged to stay ahead of...

Santee provides limited information on cyber attack or data recovery contract

The city of Santee, California, has been dealing with a data security incident for...