Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new version of a known malware called PlugX (aka Korplug or SOGU).
“The new version's features overlap with both the RainyDay and Turian backdoors, including the abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt the payload, and the RC4 keys used,” Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis this week.
The cybersecurity company noted that the configuration associated with the PlugX variant is quite different from the usual PlugX configuration format, instead adopting the same structure used in RainyDay, a backdoor associated with the China-linked threat actor known as Lotus Panda (aka Naikon APT). It is also likely tracked as FoundCore by Kaspersky and attributed to a Chinese-speaking threat group called Cycldek.
PlugX is a modular remote access trojan (RAT) used widely by many China-based hacking groups, but most prominently Mustang Panda (aka BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex).
Turian (aka Quarian or Whitebird), on the other hand, is a backdoor employed in cyber attacks targeting the Middle East by another China-linked advanced persistent threat (APT) group referred to as BackdoorDiplomacy (aka CloudComputating or Faking Dragon).
The victimology pattern, particularly the focus on telecommunications companies, and the technical implementation of the malware have yielded evidence suggesting a potential relationship between Lotus Panda and BackdoorDiplomacy, raising the possibility that either the two clusters are one and the same, or that they are obtaining their tooling from a common vendor.
In one incident mentioned by the company, Naikon is said to have targeted a telecom firm in Kazakhstan, a country that shares borders with Uzbekistan, which was previously singled out by BackdoorDiplomacy. What's more, both hacking crews have been found to zero in on South Asian countries.
The attack chain essentially involves the abuse of a valid executable associated with the Mobile Popup Application, which is then used to sideload a malicious DLL that decrypts and launches the PlugX, RainyDay, and Turian payloads in memory. Recent attack waves by the threat actor have leaned heavily on PlugX, which uses the same configuration structure as RainyDay and includes an embedded keylogger plugin.
“While we cannot conclude that there is a clear relationship between Naikon and BackdoorDiplomacy, there are significant overlapping aspects, such as the choice of targets, the payload encryption/decryption methods, the reuse of encryption keys, and the use of tooling supplied by the same vendor,” Talos said. “These similarities suggest a medium-confidence link to a Chinese-speaking actor in this campaign.”
Mustang Panda's Bookworm malware detailed
The disclosure comes as Palo Alto Networks Unit 42 detailed the inner workings of the Bookworm malware, which has been used by the Mustang Panda actor since 2015 and grants comprehensive control over the compromised system. The advanced RAT is equipped with capabilities to execute arbitrary commands, upload/download files, exfiltrate data, and establish persistent access.
Earlier this March, the cybersecurity vendor said it identified attacks targeting countries affiliated with the Association of Southeast Asian Nations (ASEAN) to distribute the malware.
Bookworm uses legitimate-looking domains for its C2 infrastructure to blend in with normal network traffic. Select variants of the malware have also been found to share overlaps with a known backdoor called TONESHELL, associated with Mustang Panda since late 2022.
Like PlugX and TONESHELL, the attack chains distributing Bookworm rely on DLL side-loading for execution, although newer variants have adopted a technique in which the packed shellcode is embedded as universally unique identifier (UUID) strings, which are then decoded and executed.
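The UUID-packing described above is easy to triage from the defender's side: a binary carrying a payload this way contains a long run of adjacent UUID literals that decode to contiguous bytes. The following scanner is an added example written for this article, not code from Unit 42 or from the malware; it assumes the loader converts each string with the Windows UuidFromString API, so each UUID's in-memory layout is the little-endian form (Python's `bytes_le`), and the shellcode heuristic is a deliberately weak, hypothetical triage rule.

```python
import re
import uuid

# Canonical 8-4-4-4-12 hex UUID text, as a loader would pass it to UuidFromStringA.
UUID_RE = re.compile(rb"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
# Bytes that may legitimately sit between adjacent UUID literals in a packed array.
SEPARATORS = b"\x00 \t\r\n\"',"

def extract_uuid_runs(data: bytes, min_run: int = 4):
    """Return lists of adjacent UUID strings of length >= min_run found in data."""
    runs, current, last_end = [], [], None
    for m in UUID_RE.finditer(data):
        if last_end is not None and data[last_end:m.start()].strip(SEPARATORS):
            # Non-separator bytes between two matches: the previous run has ended.
            if len(current) >= min_run:
                runs.append(current)
            current = []
        current.append(m.group().decode("ascii"))
        last_end = m.end()
    if len(current) >= min_run:
        runs.append(current)
    return runs

def decode_uuid_run(run):
    """Reassemble the bytes a loader obtains from UuidFromStringA: each UUID is
    stored as its 16-byte struct (little-endian Data1/Data2/Data3), i.e. bytes_le."""
    return b"".join(uuid.UUID(u).bytes_le for u in run)

def looks_like_shellcode(blob: bytes) -> bool:
    """Weak triage heuristic (assumption): a leading CLD followed by a REX prefix
    or CALL, or a stack-alignment prologue, is typical of position-independent stubs."""
    return blob[:2] in (b"\xfc\x48", b"\xfc\xe8") or blob[:4] == b"\x48\x83\xe4\xf0"

def scan(data: bytes):
    """Return (decoded_blob, suspicious_flag) for every UUID run in data."""
    return [(blob, looks_like_shellcode(blob))
            for blob in (decode_uuid_run(r) for r in extract_uuid_runs(data))]

# Constructed fixture (not real malware): a harmless 64-byte stand-in whose first
# bytes mimic a common prologue, stored as UUID literals the way a packed array
# would appear inside a binary's data section, plus one unrelated stray UUID.
STUB = b"\xfc\x48\x83\xe4\xf0" + b"\x90" * 59
_UUIDS = [str(uuid.UUID(bytes_le=STUB[i:i + 16])) for i in range(0, 64, 16)]
SAMPLE = (b"MZ\x90\x00 fake header " + b"\x00".join(u.encode() for u in _UUIDS)
          + b"\x00 unrelated text e5d7f6a0-1234-4abc-8def-0123456789ab end")
```

Running `scan(SAMPLE)` yields one decoded 64-byte blob flagged as suspicious, while the lone stray UUID is ignored because it never forms a run.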
“Bookworm is known for its unique modular architecture, which can be extended by loading additional modules directly from its command-and-control (C2) server,” said Unit 42 researcher Kyle Wilhoit. “This modularity makes static analysis more challenging, as the Leader module depends on other DLLs to provide specific functionality.”
“The persistence and adaptation of Bookworm, paralleling other Stately Taurus operations, shows its long-term role in the actor's arsenal. It also indicates a sustained, long-term commitment to its development and use by the group.”