Rising Threat: New PlugX Variant Targets Central and South Asian Telecommunications
Overview of the Malware Landscape
Recent cybersecurity analyses indicate a disturbing trend in the world of malware, particularly impacting the telecommunications and manufacturing sectors in Central and South Asian regions. A new variant of the notorious malware PlugX, also known as Korplug or SOGU, has been identified as part of a persistent campaign targeting these critical industries.
Features of the New PlugX Variant
According to a detailed report from Cisco Talos researchers Joey Chen and Takahiro Takeda, this updated version of PlugX exhibits characteristics reminiscent of both the RainyDay and Turian backdoors. Notably, it employs the same legitimate applications for DLL side-loading, alongside the XOR-RC4-RtlDecompressBuffer algorithm for payload encryption and decryption. The configuration associated with this variant deviates significantly from traditional PlugX structures, opting instead for a format identical to that used by RainyDay, which is linked to the China-based threat group known as Lotus Panda, or Naikon APT.
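To make the layered XOR-RC4-RtlDecompressBuffer scheme concrete, here is an added analyst-side example that unwraps a payload encoded in that order. It is written for this article and is not code from the Talos report or from the malware: the XOR key, the RC4 key and the use of zlib as a stand-in for RtlDecompressBuffer (which handles Windows native formats such as LZNT1 rather than DEFLATE) are assumptions, and the sample blob is constructed here.

```python
import zlib


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); symmetric like XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unwrap_payload(blob: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Reverse the three layers in the order the loader applies them:
    XOR decode -> RC4 decrypt -> decompress.
    zlib stands in for RtlDecompressBuffer (an assumption for this example)."""
    stage1 = xor_decode(blob, xor_key)
    stage2 = rc4(rc4_key, stage1)
    return zlib.decompress(stage2)


def wrap_payload(plain: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Inverse of unwrap_payload; used here only to build the constructed sample."""
    return xor_decode(rc4(rc4_key, zlib.compress(plain)), xor_key)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check an analyst applies to the output: a DLL/EXE starts with 'MZ'
    and stores the offset of the 'PE\\0\\0' signature at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00"


# Constructed sample: a minimal MZ/PE-looking stub, not a real binary.
SAMPLE_PLAIN = (
    b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")   # e_lfanew = 0x40
    + b"PE\x00\x00" + b"\x00" * 60
)
XOR_KEY = b"\x5a\xa5\x3c"           # assumed keys, chosen for the example
RC4_KEY = b"example-rc4-key"
SAMPLE_BLOB = wrap_payload(SAMPLE_PLAIN, XOR_KEY, RC4_KEY)


if __name__ == "__main__":
    recovered = unwrap_payload(SAMPLE_BLOB, XOR_KEY, RC4_KEY)
    print("decoded", len(recovered), "bytes; PE header present:", looks_like_pe(recovered))
```

When working on a real dump the keys come from the side-loaded DLL, and the final stage should be run through a Windows-compatible LZNT1/Xpress decompressor; the `looks_like_pe` check is what tells you the key material and layer order were right.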
Tracking the Threat Groups
Further complicating the scenario, Kaspersky has categorized this malware as FoundCore, attributing it to a Chinese-speaking threat group referred to as Cycldek. PlugX itself is a modular remote access trojan (RAT) widely recognized for its extensive use by various Chinese-affiliated hacking collectives, prominently by the Mustang Panda group.
By contrast, the Turian backdoor is specifically associated with cyber attacks in the Middle East, executed by another advanced persistent threat (APT) group known as BackdoorDiplomacy. The overlap in tactics and victimology hints at potential links between Lotus Panda and BackdoorDiplomacy, raising the question of whether the two groups are in fact the same entity or are acquiring tools from a shared vendor.
Case Study: Targeted Attacks
One notable instance reported by Cisco Talos involved a telecom company in Kazakhstan. Kazakhstan borders Uzbekistan, a country that BackdoorDiplomacy has also targeted. Both Lotus Panda and BackdoorDiplomacy have shown a concentrated interest in South Asian nations, supporting the suggestion of collaboration or shared operational strategies.
Attack Methodology
The recent attack chains hinge on a legitimate executable belonging to the Mobile Popup Application, which is abused to side-load a malicious DLL. That DLL decrypts and launches the PlugX, RainyDay, and Turian payloads in memory. The current campaign places particular emphasis on PlugX, augmented with an embedded keylogger plugin.
Researchers from Cisco Talos articulate a cautious stance regarding the relationship between Naikon and BackdoorDiplomacy. Though they cannot definitively establish a direct link, the overlapping features—including target selection, encryption methodologies, and tool usage—strongly suggest a connection to a Chinese-speaking actor behind this wave of cyber operations.
Mustang Panda’s Bookworm Malware
In a parallel development, Palo Alto Networks has provided insights into the Bookworm malware, utilized by the Mustang Panda group since 2015. This advanced RAT offers capabilities such as executing arbitrary commands, uploading and downloading files, and exfiltrating sensitive data.
Earlier this year, instances of Bookworm attacks were reported across countries associated with the Association of Southeast Asian Nations (ASEAN). This malware makes clever use of seemingly legitimate domains or compromised infrastructures to blend in with typical network traffic, enhancing its stealth.
Furthermore, certain variants of Bookworm show similarities to TONESHELL, another backdoor leveraged by Mustang Panda since late 2022. Utilizing DLL side-loading for payload execution, the newer iterations of Bookworm have also adopted a unique approach, incorporating shellcode encapsulated as universally unique identifier (UUID) strings.
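Unpacking this UUID encapsulation is a routine analyst task. The following added example, written for this article and not code from Unit 42 or from Bookworm, extracts UUID-shaped strings from a text dump, reconstructs the bytes in the layout UuidFromStringA produces in memory, and applies a simple triage heuristic. The source fragment is constructed and the heuristic is a rule of thumb, not a published indicator.

```python
import re
import uuid

# Canonical 8-4-4-4-12 hex form, as it appears in a decompiled string table.
UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)


def extract_uuid_strings(text: str) -> list:
    """Pull every UUID-shaped string out of source, strings output or a dump."""
    return UUID_RE.findall(text)


def uuid_strings_to_bytes(uuid_strings) -> bytes:
    """Reassemble the buffer a loader ends up with after feeding each string to
    UuidFromStringA and writing the 16-byte structs back-to-back.
    The first three fields (time_low, time_mid, time_hi_version) are stored
    little-endian, which is exactly what uuid.UUID(...).bytes_le yields."""
    return b"".join(uuid.UUID(s).bytes_le for s in uuid_strings)


def rfc4122_fraction(uuid_strings) -> float:
    """Triage heuristic: genuine GUIDs carry a version nibble of 1-5 and a
    variant nibble of 8-b; arbitrary bytes dressed up as UUIDs usually do not,
    so a table where almost no entry passes deserves a closer look."""
    if not uuid_strings:
        return 0.0
    ok = 0
    for s in uuid_strings:
        version = int(s[14], 16)   # first hex digit of the third group
        variant = int(s[19], 16)   # first hex digit of the fourth group
        if 1 <= version <= 5 and 8 <= variant <= 0xB:
            ok += 1
    return ok / len(uuid_strings)


# Constructed fragment mimicking a decompiled string table; not a real sample.
CONSTRUCTED_SOURCE = '''
static const char *g_table[] = {
    "00905a4d-0003-0000-0400-0000ffff0000",
    "00000001-0002-0003-0405-060708090a0b",
};
'''


if __name__ == "__main__":
    found = extract_uuid_strings(CONSTRUCTED_SOURCE)
    blob = uuid_strings_to_bytes(found)
    print(len(found), "UUID strings ->", len(blob), "bytes, head:", blob[:4].hex())
    print("fraction that look like real RFC 4122 GUIDs:", rfc4122_fraction(found))
```

The byte order matters: the first entry above decodes to bytes beginning `4d 5a` ("MZ") only because the first three fields are byte-swapped; a big-endian reading would scramble the header and make the result look like noise.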
The Unique Structure of Bookworm
Unit 42’s researcher Kyle Wilhoit noted that Bookworm’s modular architecture allows for the expansion of its core functionality through additional modules loaded directly from command-and-control servers. This design significantly complicates static malware analysis, as the Leader module relies on various DLLs for specific functionalities.
The ongoing evolution and deployment of Bookworm within Mustang Panda’s operational framework underscore the group’s sustained commitment to developing and refining their malware arsenal.
Conclusion
As cybersecurity landscapes evolve, the emergence of new malware variants like PlugX raises substantial concerns about the vulnerabilities facing telecommunications and manufacturing sectors, particularly in Central and South Asia. The links between various threat actors further complicate the situation, making effective countermeasures increasingly critical.