A Chinese cyberespionage team identified for targeting Southeast Asia leveraged flaws in the Microsoft Trade Server that arrived to mild before this March to deploy a previously undocumented variant of a remote obtain trojan (RAT) on compromised devices.
Attributing the intrusions to a risk actor named PKPLUG (aka Mustang Panda and HoneyMyte), Palo Alto Networks’ Unit 42 danger intelligence group stated it recognized a version of the modular PlugX malware known as Thor that was sent as a submit-exploitation software to a single of the compromised servers. Courting back again to as early as 2008, PlugX is a completely-highlighted 2nd-phase implant with abilities this kind of as file add, obtain, and modification, keystroke logging, webcam management, and access to a remote command shell.
“The variant noticed […] is unique in that it contains a change to its main resource code: the substitute of its trademark word ‘PLUG’ to ‘THOR,”http://thehackernews.com/” Device 42 scientists Mike Harbison and Alex Hinchliffe famous in a technological produce-up posted Tuesday. “The earliest THOR sample uncovered was from August 2019, and it is the earliest acknowledged instance of the rebranded code. New characteristics were noticed in this variant, including improved payload-supply mechanisms and abuse of trustworthy binaries.”
Soon after Microsoft disclosed on March 2 that China-centered hackers — codenamed Hafnium — ended up exploiting zero-day bugs in Exchange server collectively identified as ProxyLogon to steal sensitive information from pick targets, numerous threat actors, this sort of as ransomware groups (DearCry and Black Kingdom) and crypto-mining gangs (LemonDuck), were also noticed exploiting the flaws to hijack Exchange servers and set up a world-wide-web shell that granted code execution at the best privilege stage.
PKPLUG now joins the checklist, in accordance to Unit 42, who located the attackers bypassing antivirus detection mechanisms to goal Microsoft Exchange Server by leveraging reputable executables this sort of as BITSAdmin to retrieve a seemingly innocuous file (“Aro.dat”) from an actor-managed GitHub repository. The file, which houses the encrypted and compressed PlugX payload, alludes to a freely out there sophisticated maintenance and optimization resource that’s designed to clean up and correct problems in the Windows Registry.
The hottest sample of PlugX arrives geared up with a variety of plug-ins that “give attackers many abilities to keep track of, update and interact with the compromised technique to fulfil their aims,” the scientists said. THOR’s backlinks to PKPLUG stem from piecing alongside one another the command-and-management infrastructure as very well as overlaps in the malicious behaviors detected among the other lately learned PlugX samples.
Additional indicators of compromise associated with the assault can be accessed in this article. Device 42 has also produced available a Python script that can decrypt and unpack encrypted PlugX payloads without the need of owning the connected PlugX loaders.