New Malware Attacks Target ASEAN Networks Linked to China-Backed Hacking Groups

By Tina Reynolds

Recent cybersecurity investigations have uncovered a series of cyberattacks on telecommunications and manufacturing organisations in Central and South Asian countries, attributed to malware linked to China-aligned hacking groups. The attacks are notable for their heavy use of the PlugX remote access trojan (RAT), also known as Korplug or SOGU, a tool that has lately become a workhorse for a range of threat actors, Mustang Panda among them.

PlugX is a highly modular RAT that has become infamous for its prolific use by a wide range of China-aligned hacking collectives. One of its most prominent users is Mustang Panda, which is tracked under several other names, including BASIN and Bronze President. The attackers employ PlugX as a means of initial access, then pilfer sensitive data from countries associated with the Association of Southeast Asian Nations (ASEAN).

PlugX and Its Variants

PlugX’s most notable attribute is its modular architecture, which lets it be tailored to a wide range of cyber operations. Threat researchers have discovered a variant of PlugX that departs from its usual DLL configuration style. This variant shows not only functional overlap but also structural similarities with RainyDay, a backdoor associated with the China-linked threat group Lotus Panda, also known as Naikon APT.

One of the most interesting elements of PlugX’s operation is its launching mechanism. It runs in memory, as do other payloads such as RainyDay and Turian. The trojan is decrypted and run with the help of a malicious dynamic-link library (DLL) that is side-loaded by a legitimate living-off-the-land binary (LOLBin), usually linked to the Mobile Popup Application. This execution method highlights the aggressive, creative means these threat actors use to evade security controls.

“The new variant’s features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used,” said Cisco Talos researchers Joey Chen and Takahiro Takeda.
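As an added example (not code from the article or from the Talos report), the following Python routine unwraps a payload protected by the XOR-RC4-RtlDecompressBuffer layering described above, the way an analyst would when a captured sample's RC4 key has been recovered. The order of the layers, the single-byte XOR key and the RC4 key are assumptions; RtlDecompressBuffer's default LZNT1 format is reimplemented in pure Python so the decoder runs off Windows.

```python
# Added example (not from the Talos report or this article): analyst-side decoder for
# a payload wrapped in the XOR -> RC4 -> RtlDecompressBuffer chain attributed above to
# the new PlugX variant. Layer order and both keys are assumptions; LZNT1 reimplemented.

def xor_layer(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)          # single-byte XOR, self-inverse

def rc4(data: bytes, key: bytes) -> bytes:
    s, j = list(range(256)), 0                   # KSA: key-scheduling algorithm
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0                # PRGA: keystream XORed with data
    for c in data:
        i, j = (i + 1) & 0xFF, (j + s[(i + 1) & 0xFF]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)                            # symmetric: same call decrypts

def lznt1_decompress(data: bytes) -> bytes:
    out, pos = bytearray(), 0
    while (header := int.from_bytes(data[pos:pos + 2], "little")):  # 0 = end of stream
        pos += 2
        end = pos + (header & 0x0FFF) + 1        # bits 0-11: chunk size - 1
        if not header & 0x8000:                  # bit 15 clear: chunk stored raw
            out += data[pos:end]
            pos = end
        base = len(out)                          # back-references stay in-chunk
        while pos < end:
            flags, pos = data[pos], pos + 1      # one flag bit per token
            for bit in range(8):
                if pos >= end:
                    break
                if not flags >> bit & 1:         # flag 0: literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token, pos = int.from_bytes(data[pos:pos + 2], "little"), pos + 2
                # flag 1: back-reference; length field loses a bit each time chunk output doubles past 16
                lbits, produced = 12, len(out) - base - 1
                while produced >= 0x10:
                    lbits, produced = lbits - 1, produced >> 1
                length, disp = (token & ((1 << lbits) - 1)) + 3, (token >> lbits) + 1
                for _ in range(length):          # byte-wise copy handles overlap
                    out.append(out[-disp])
    return bytes(out)

def decrypt_payload(blob: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    return lznt1_decompress(rc4(xor_layer(blob, xor_key), rc4_key))
```

Because XOR and RC4 are their own inverses, the same helpers build a test blob from a hand-assembled LZNT1 stream, which is how the decoder can be checked without a Windows box.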

Ongoing Campaigns and Targeted Attacks

The campaign distributing PlugX has been ongoing and widespread, most recently targeting a wide range of countries in southern Asia. Cybersecurity experts have identified notable parallels between PlugX and a Typescript backdoor known as TONESHELL, which has been attributed to Mustang Panda since late 2022. Such a connection indicates a concerted approach by these threat actors to exploit weaknesses across several different sectors.

In a recent example, Naikon APT attacked a telecommunications company in Kazakhstan with PlugX. These attacks underscore the growing concern over the security of critical infrastructure not only across Central Asia but also in South Asia, as attackers set their sights on ever more sensitive networks in their efforts to infiltrate our infrastructure.

“While we cannot conclude that there is a clear connection between Naikon and BackdoorDiplomacy, there are significant overlapping aspects – such as the choice of targets, encryption/decryption payload methods, encryption key reuse and use of tools supported by the same vendor,” Talos said.

Bookworm’s Role in Cyber Operations

In addition to PlugX, a second malware family, Bookworm, plays a key role in the cyber operations currently being carried out by Mustang Panda. Bookworm has its own modular architecture, which lets it extend its base capabilities by loading new modules directly from its command-and-control (C2) server. This versatility makes Bookworm a linchpin of the long-term tactics, techniques and procedures (TTPs) these threat actors rely on.

Unit 42 researcher Kyle Wilhoit emphasizes the importance of Bookworm’s deployment:

“This deployment and adaptation of Bookworm, running in parallel with other Stately Taurus operations, showcases its long-term role in the actor’s arsenal. It also points to a sustained, long-term commitment to its development and use by the group.”

The concurrent use of PlugX and Bookworm reflects a sophisticated approach to cyber operations by Stately Taurus (Mustang Panda). The group layers several tools at once to strengthen its footing, a calculated practice that makes it easier to penetrate networks and carry out its destructive agenda with great efficiency.