China-linked Plugx and BookWorm Malware Attack Targets Asia Telecom and ASEAN Network

September 27, 2025

The telecommunications and manufacturing sectors in Central and South Asian countries are emerging as the targets of an ongoing campaign that distributes new variants of the known malware PlugX (aka Korplug or SOGU).

“The new variant’s features overlap with both RainyDay and Turian: the same legitimate application abused for DLL sideloading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads, and the same RC4 key used by the backdoors,” Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis this week.

The cybersecurity company noted that the configuration associated with this PlugX variant departs significantly from the regular PlugX configuration format and instead employs the same structure used in RainyDay. It is also attributed to a Chinese-speaking threat group called Cycldek, which Kaspersky tracks as FoundCore.

PlugX is a modular remote access trojan (RAT) widely used by many Chinese hacking groups, most prominently Mustang Panda (aka Basin, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, Twill Typhoon).

Turian (aka Quarian or Whitebird), meanwhile, is assessed to be used exclusively in cyber attacks targeting China.

The victimology patterns, focused specifically on telecom companies, and the technical malware implementations have yielded evidence suggesting a possible connection between Naikon (aka Lotus Panda) and BackdoorDiplomacy, raising the likelihood that the two clusters are the same or are sourcing tools from a common vendor.

In one incident detected by the company, Naikon is said to have targeted a telecom company in Kazakhstan, a country that shares a border with Uzbekistan, which was previously singled out by BackdoorDiplomacy. Furthermore, both hacking crews have been found zeroing in on South Asian countries.

The attack chains essentially abuse legitimate executables associated with a mobile pop-up application to sideload malicious DLLs, which then decrypt and launch the PlugX, RainyDay, and Turian payloads in memory. The recent attack wave orchestrated by the threat actors uses the same configuration structure as RainyDay and leans heavily on PlugX, including an embedded keylogger plugin.


“While we cannot conclude there is a clear link between Naikon and BackdoorDiplomacy, there are critical overlapping aspects, such as target selection, payload encryption/decryption methods, encryption key reuse, and the use of tools supported by the same vendor,” Talos said. “These similarities suggest with moderate confidence that Chinese-speaking actors are behind this campaign.”

Mustang Panda BookWorm Malware Details

The disclosure comes as Palo Alto Networks Unit 42 shed light on the inner workings of the BookWorm malware, which Mustang Panda actors have been using since 2015 to gain extensive control over compromised systems. The advanced RAT is equipped with the ability to run arbitrary commands, upload/download files, exfiltrate data, and establish persistent access.

Earlier this year, cybersecurity vendors said they had identified attacks targeting countries affiliated with the Association of Southeast Asian Nations (ASEAN) to distribute the malware.

BookWorm uses legitimate-looking domains or compromised infrastructure for C2 purposes in order to blend in with normal network traffic. Some variants of the malware are also known to share overlaps with TONESHELL, a known backdoor associated with Mustang Panda, starting in late 2022.

Like PlugX and TONESHELL, BookWorm’s distribution attack chain relies on DLL sideloading for payload execution, but newer variants embrace a technique of wrapping shellcode as universally unique identifier (UUID) strings that are decoded and executed.
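The UUID-wrapping trick described above matters for analysts because the payload is invisible to signatures that look for raw shellcode bytes: what sits in the binary is a table of innocuous-looking UUID strings that the loader converts back to bytes at runtime. The following Python helper, an added example that is not code from the Unit 42 or Talos reports, recovers such a payload from extracted strings for triage. It assumes the loader uses the Windows UUID struct layout (the first three fields little-endian, the last eight bytes as-is), which is what `UuidFromStringA` produces and what Python exposes as `uuid.UUID(...).bytes_le`. The sample input is constructed for this example and decodes to harmless test bytes, not real shellcode.

```python
"""
Recover a payload that was stored as a list of UUID strings.
Added example for triage, not code from the reports the article cites.
Assumption: the loader decodes each UUID with UuidFromStringA (Windows
UUID struct layout), which matches Python's uuid.UUID(...).bytes_le.
"""
import re
import uuid

# Matches one UUID-shaped token in either case.
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

# Constructed sample (not from any real sample): a fragment of a decompiled
# string table holding two UUIDs.  They decode to bytes 0x01..0x10 followed by
# "Hello, World!" padded with three NUL bytes.
SAMPLE = """
 v3 = "04030201-0605-0807-090a-0b0c0d0e0f10";
 v4 = "6c6c6548-2c6f-5720-6f72-6c6421000000";
"""


def find_uuid_strings(text: str) -> list[str]:
    """Return every UUID-shaped string in text, in order of appearance."""
    return UUID_RE.findall(text)


def uuid_to_bytes(s: str) -> bytes:
    """Mimic UuidFromStringA: Data1/Data2/Data3 little-endian, Data4 verbatim."""
    return uuid.UUID(s).bytes_le


def extract_uuid_payload(text: str) -> bytes:
    """Concatenate the decoded 16-byte chunks of all UUID strings in text."""
    return b"".join(uuid_to_bytes(s) for s in find_uuid_strings(text))


def looks_wrapped(text: str, min_uuids: int = 32) -> bool:
    """Triage heuristic: a real payload of a few KB needs hundreds of UUIDs,
    so a long list of them in one string table is worth a closer look.
    Legitimate software rarely carries more than a handful of GUIDs in a row."""
    return len(find_uuid_strings(text)) >= min_uuids


if __name__ == "__main__":
    strings = find_uuid_strings(SAMPLE)
    payload = extract_uuid_payload(SAMPLE)
    print(f"{len(strings)} UUID strings -> {len(payload)} bytes")
    print(payload.hex())
    print("suspicious:", looks_wrapped(SAMPLE))
```

Run it against the output of `strings` or a decompiler's string table; the decoded bytes can then be hashed, scanned, or disassembled like any other extracted payload. The `looks_wrapped` threshold is a starting point, not a rule: tune it to how many GUIDs the software under review legitimately embeds.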

“BookWorm is known for its unique modular architecture, which allows core functionality to be extended by loading additional modules directly from a command-and-control (C2) server,” said Unit 42 researcher Kyle Wilhoit. “This modularity makes static analysis more difficult because the Leader module relies on other DLLs to provide specific functionality.”


“The development and adaptation of BookWorm, running in parallel with other Stately Taurus operations, demonstrates its long-term role in the actor’s arsenal, and also demonstrates a sustained, long-term commitment to its development and use by the group.”
