
Rising Threat: China-Linked PlugX and Bookworm Malware Attack Asian Telecom and ASEAN Networks

Telecommunications and manufacturing organizations in Central and South Asian countries are being targeted by an ongoing campaign that uses a new variant of the PlugX malware, also known as Korplug or SOGU. Cisco Talos researchers Joey Chen and Takahiro Takeda note in their analysis that the variant overlaps with the RainyDay and Turian backdoors: all three are delivered through the same DLL side-loading technique and share a distinctive algorithm for encrypting their payloads.

The variant's configuration block departs from the traditional PlugX format and instead mirrors the structure used by RainyDay, a backdoor attributed to the Chinese threat actor Lotus Panda, also tracked as Naikon APT. Based on its operational patterns and targeting, Naikon is believed to be associated with other threat groups, including Cycldek.

PlugX is a well-known remote access trojan (RAT) used by many China-aligned hacking groups, including Mustang Panda. Turian, by contrast, is the backdoor of the BackdoorDiplomacy group and has mainly been used in operations against the Middle East.

In one incident, Talos observed Naikon targeting a telecommunications company in Kazakhstan. Neighbouring Uzbekistan has previously been hit by backdoor attacks, and Naikon and BackdoorDiplomacy appear to share an interest in Central Asian countries, pointing to possible connections between their operations.

The attack chain relies on DLL side-loading: a malicious DLL is planted next to a legitimate, typically signed, executable so that the application loads it on startup; the DLL then decrypts the PlugX, RainyDay, or Turian payload and runs it directly in memory. Recent operations by these actors have relied heavily on PlugX, which now ships with an embedded keylogger plugin, a notable expansion of its capabilities.

Although there is no conclusive evidence tying Naikon to BackdoorDiplomacy, Talos researchers identified overlapping indicators, including target selection, payload encryption methods, and toolsets, suggesting that the tools share a common origin or vendor.

Separately, Palo Alto Networks' Unit 42 recently detailed the Bookworm malware, which Mustang Panda has used since 2015 for remote control of compromised systems. Bookworm supports command execution, file manipulation, and data exfiltration, and its command-and-control (C2) traffic is designed to blend in and evade detection.

Attack chains for both Bookworm and PlugX use DLL side-loading to execute their payloads. Newer Bookworm variants additionally store their shellcode as an array of UUID strings; the loader converts each string back into its 16-byte binary form in memory and then executes the reassembled buffer.
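The UUID-string trick described above is worth seeing end to end, both to understand why the encoded strings look nothing like the raw bytes and to write a detection for it. The following is an added example and is not Unit 42's code nor Bookworm's own loader: it encodes a constructed placeholder blob (not real shellcode) as UUID strings, decodes them back, and scans a constructed text dump for runs of UUID strings, returning the bytes each run decodes to. The byte layout follows the Windows UUID struct as written by UuidFromStringA (first three fields little-endian, last eight bytes as-is), which is exactly what Python's `uuid.UUID(..., bytes_le=...)` and `.bytes_le` implement; the 0x90 padding byte and the sample listing are assumptions made for the example.

```python
import re
import uuid

# Constructed stand-in for a shellcode blob (53 bytes, so the last chunk
# needs padding). It is NOT a real payload.
SAMPLE_PAYLOAD = bytes(range(16)) * 3 + b"\xcc" * 5

UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)


def encode_as_uuids(payload: bytes, pad: bytes = b"\x90") -> list[str]:
    """Split payload into 16-byte chunks and render each chunk as a UUID string.

    Each chunk is interpreted the way UuidFromStringA writes a UUID struct to
    memory: Data1 (4 bytes), Data2 and Data3 (2 bytes each) little-endian,
    Data4 (8 bytes) verbatim. uuid.UUID(bytes_le=...) applies that mapping, so
    the printed string decodes back to the original chunk byte for byte. This
    is why the first four bytes 00 01 02 03 appear as "03020100" in the text.
    A short final chunk is padded with `pad` (0x90, x86 NOP, is an assumption;
    real loaders may pad differently).
    """
    if len(pad) != 1:
        raise ValueError("pad must be exactly one byte")
    padded = payload + pad * (-len(payload) % 16)
    return [str(uuid.UUID(bytes_le=padded[i:i + 16]))
            for i in range(0, len(padded), 16)]


def decode_uuids(uuids: list[str]) -> bytes:
    """Reverse of encode_as_uuids: concatenate each UUID's little-endian image,
    i.e. the bytes a loader would obtain from UuidFromStringA."""
    return b"".join(uuid.UUID(u).bytes_le for u in uuids)


def find_uuid_runs(text: str, min_run: int = 4) -> list[bytes]:
    """Detection helper: find runs of at least `min_run` consecutive UUID
    strings in a text dump (e.g. `strings` output or a decompiled listing)
    and return the bytes each run decodes to for analyst inspection.
    A line without a UUID terminates the current run."""
    runs: list[bytes] = []
    current: list[str] = []
    for line in text.splitlines():
        found = UUID_RE.findall(line)
        if found:
            current.extend(found)
            continue
        if len(current) >= min_run:
            runs.append(decode_uuids(current))
        current = []
    if len(current) >= min_run:
        runs.append(decode_uuids(current))
    return runs


def build_constructed_dump() -> str:
    """Constructed listing imitating a loader that keeps its payload as a UUID
    array. The surrounding lines are filler, not from any real sample."""
    lines = ["// constructed listing, not from a real Bookworm sample",
             "static const char *blob[] = {"]
    lines += [f'    "{u}",' for u in encode_as_uuids(SAMPLE_PAYLOAD)]
    lines += ["};", "buf = HeapAlloc(GetProcessHeap(), 0, sizeof(blob) * 16);"]
    return "\n".join(lines)


if __name__ == "__main__":
    for candidate in find_uuid_runs(build_constructed_dump()):
        print(f"candidate payload, {len(candidate)} bytes: {candidate.hex()}")
```

Note that the decoded buffer includes the padding bytes, so a detection should compare on a prefix or strip the known pad; the loader itself does not care, because it jumps to the start of the buffer and the trailing NOPs are never reached.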

Taken together, these findings show the continued evolution of tooling used by China-linked threat actors and a sustained investment in developing and deploying sophisticated malware.

