An upgraded variant of the PlugX remote access trojan has been observed targeting Russian-speaking users by a China-linked, government-backed threat actor. Secureworks attributed the attempted attacks to a group it tracks as Bronze President, which the broader security community also tracks as Mustang Panda, TA416, RedDelta, PKPLUG, and HoneyMyte.
“The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations,” the cybersecurity firm said. “This desire for situational awareness often extends to collecting intelligence from allies and ‘friends.’”
Bronze President, active since at least July 2018, has a history of espionage operations in which it compromises targets of interest, maintains long-term access, and collects data using both bespoke and publicly available tools. The most prominent of those tools is PlugX, a Windows backdoor that lets operators execute a range of commands on infected hosts and that has been used by various Chinese state-sponsored actors over the years.
Secureworks’ latest findings point to a widening of the same campaign described by Proofpoint and ESET last month. That campaign used a new PlugX variant codenamed Hodur, so named because of its overlaps with another variant, THOR, which surfaced in July 2021. The attack chain begins with a malicious executable named “Blagoveshchensk – Blagoveshchensk Border Detachment.exe,” which masquerades as a legitimate document by carrying a PDF icon. When opened, it contacts a remote server to retrieve an encrypted PlugX payload.
“Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment,” as per the researchers. “This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.”
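The lure described above relies on a mismatch between what a file looks like and what it is: an executable dressed up as a PDF. The following is an added example, not code from the original article or from any of the researchers cited, of a triage check that flags that mismatch in a directory of samples. It generalizes beyond the single Hodur lure to the common masquerades (a document extension over PE bytes, a hidden double extension, a right-to-left override character, and an executable with a multi-word document-style name). The helper names, heuristics and the constructed sample blobs are assumptions for illustration; the minimal “PE” blob only carries the MZ header and PE signature needed by the check.

```python
"""Flag files that present as documents but are really Windows executables."""
import struct
from typing import Dict, List

DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "lnk", "dll", "bat", "cmd", "js", "vbs", "hta"}
RLO = "\u202e"  # Unicode right-to-left override, used to visually reverse a real extension


def is_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_pdf(data: bytes) -> bool:
    """True if data begins with the PDF magic."""
    return data[:5] == b"%PDF-"


def classify_lure(filename: str, data: bytes) -> List[str]:
    """Return the reasons a file looks like a document-disguised executable (empty list = not flagged)."""
    reasons: List[str] = []
    tokens = filename.lower().split(".")
    ext = tokens[-1] if len(tokens) > 1 else ""
    hidden_exts = set(tokens[1:-1])
    pe = is_pe(data)

    if RLO in filename:
        reasons.append("right-to-left override character in filename hides the real extension")
    if ext in DOC_EXTENSIONS and pe:
        reasons.append(f"extension .{ext} claims a document but the content is a PE executable")
    if ext in EXEC_EXTENSIONS and hidden_exts & DOC_EXTENSIONS:
        reasons.append(f"double extension: document extension hidden before .{ext}")
    if ext in EXEC_EXTENSIONS and pe and len(tokens[0].split()) >= 3:
        # Heuristic: executables are rarely named like a report title; lures often are.
        reasons.append("executable with a multi-word, document-style name")
    return reasons


def scan(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run classify_lure over a name->bytes mapping and keep only flagged entries."""
    flagged = {}
    for name, data in samples.items():
        reasons = classify_lure(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


def fake_pe() -> bytes:
    """Constructed stand-in for a PE file: MZ header with e_lfanew=0x40 and a PE signature there."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 0x10


# Constructed sample set (filenames and bytes are illustrative, not captured artifacts).
SAMPLES: Dict[str, bytes] = {
    "Blagoveshchensk – Blagoveshchensk Border Detachment.exe": fake_pe(),
    "Border_Detachment.pdf": fake_pe(),
    "invoice.pdf.exe": fake_pe(),
    "order" + RLO + "fdp.exe": fake_pe(),
    "report.pdf": b"%PDF-1.7\n%constructed sample\n",
    "readme.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"{name!r}:")
        for r in reasons:
            print(f"  - {r}")
```

Run on a quarantine folder by replacing `SAMPLES` with a mapping built from `os.listdir` and `open(path, "rb").read(0x200)`; only the first few hundred bytes are needed for the header checks. The multi-word-name heuristic is deliberately loose and is meant to rank files for a human look, not to block on its own.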
The likely targeting of Russian officials in the March 2022 activity indicates that the threat actor is adapting its methods to the political environment in Europe and the war in Ukraine. The findings come just weeks after Nomad Panda (aka RedFoxtrot), a China-based nation-state group, was linked with medium confidence to cyberattacks on military and telecommunications targets in South Asia using yet another PlugX variant, called Talisman.
Trellix reported last month that PlugX has been linked to several Chinese actors in recent years, which raises the question of whether the malware’s code is shared across multiple Chinese state-sponsored groups. The firm cautioned, however, that the suspected leak of the PlugX v1 builder, as reported by Airbus in 2015, means that not every PlugX incident can be assumed to involve Chinese attackers.