ASEC (AhnLab Security Emergency response Center) has recently reported that threat actors are exploiting vulnerabilities in Chinese remote desktop programs to deploy the PlugX malware, including:-
The same flaws have already been exploited on compromised systems to deliver a variety of other payloads, including:-
- Sliver post-exploitation framework
- XMRig cryptocurrency miner
- Gh0st RAT
- Paradise ransomware
PlugX is the most recent addition to this list. It is a modular backdoor that Chinese threat actors have used extensively, with new features regularly added to aid in stealing sensitive information and controlling compromised systems.
Groups using PlugX
In the past, PlugX has been used by a number of recognized APT threat groups in their attacks, including:-
- Mustang Panda
Most of these groups are based in China. PlugX itself is module-based: it supports a number of plugins, each providing different capabilities.
China-based APT groups are known to rely on PlugX as one of their main backdoors for compromising targets. The malware has a long history, with the first observed attacks dating back to 2008.
Over time it has evolved into many variants, each with its own set of features that attackers can draw on.
According to the report, in the attacks ASEC observed the attackers first exploit the vulnerabilities and then use a PowerShell command to retrieve an executable and a DLL file from a remote server.
The executable is a legitimate HTTP Server Service component from ESET, a cybersecurity vendor.
When that legitimate executable loads the malicious DLL dropped alongside it (DLL side-loading), the PlugX payload is executed in memory. Loading a DLL from the application's own directory is normal program behavior, which is exactly what makes the technique useful to attackers: the malicious code runs under a trusted, often security-vendor-signed, process.
PlugX operators have abused many trusted binaries in this way, including executables from several anti-virus products that are susceptible to DLL side-loading. Previous research has repeatedly shown how effective the technique is at infecting victims.
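The side-loading chain described above leaves a recognizable trace in module-load telemetry: a legitimate executable running from a directory it does not normally live in, loading an unsigned DLL from that same directory. The following is an added example, not code from the ASEC report or from AhnLab, that applies two heuristics to constructed Sysmon-style ImageLoaded (Event ID 7) records. The flattened key=value record layout, the list of commonly hijacked DLL names, the user-writable directory markers, and the file names (httpsrv.exe, loader.dll, SomeAV) are all assumptions made for the example.

```python
"""Added example: triage Sysmon-style ImageLoaded (Event ID 7) records for the
DLL side-loading pattern (legitimate EXE relocated to a writable directory,
loading an attacker-supplied DLL from beside it).

Field layout, heuristics, DLL-name list and sample records are all constructed
for illustration; nothing here is taken from the ASEC report.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Well-known DLL names frequently impersonated in search-order hijacking (assumed list).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directory fragments a standard user can normally write to (assumed).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed records in a flattened key=value form; Signed refers to the loaded module.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\SomeAV\\httpsrv.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
    "Image=C:\\Users\\Public\\httpsrv.exe ImageLoaded=C:\\Users\\Public\\version.dll Signed=false",
    "Image=C:\\Program Files\\SomeAV\\httpsrv.exe ImageLoaded=C:\\Program Files\\SomeAV\\helper.dll Signed=false",
    "Image=C:\\ProgramData\\tools\\httpsrv.exe ImageLoaded=C:\\ProgramData\\tools\\loader.dll Signed=false",
]

# Key=Value pairs where values may contain spaces; a value ends where the next " Key=" begins.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value Key2=Value with spaces' into a dict."""
    return {key: value.strip() for key, value in _FIELD_RE.findall(line)}


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) a module load looks like side-loading."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not image or not loaded:
        return []
    signed = event.get("Signed", "").lower() == "true"
    image_dir, loaded_dir = ntpath.dirname(image), ntpath.dirname(loaded)
    reasons = []
    # Rule 1: an unsigned DLL sitting beside the host EXE in a user-writable directory.
    # A vendor binary that genuinely lives under Program Files will not trigger this.
    if not signed and loaded_dir == image_dir and any(m in loaded_dir + "\\" for m in USER_WRITABLE_MARKERS):
        reasons.append("unsigned DLL loaded from the host EXE's own user-writable directory")
    # Rule 2: a well-known system DLL name resolved from outside the system directories.
    if ntpath.basename(loaded) in SYSTEM_DLL_NAMES and not loaded.startswith(SYSTEM_DIRS):
        reasons.append(f"{ntpath.basename(loaded)} loaded from outside System32/SysWOW64")
    return reasons


def find_sideload_candidates(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (ImageLoaded path, reasons) for every record at least one rule fires on."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = analyze(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Only the second and fourth records are flagged: the third shows why the "unsigned DLL beside the EXE" rule is restricted to user-writable directories, since plenty of legitimate software ships unsigned helper DLLs under Program Files. In a real deployment the same logic would run against Sysmon or EDR module-load events rather than constructed strings, and the signature check should be paired with a check that the host image's signer actually matches the vendor the file name claims.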
The backdoor's notable capabilities include the ability to:
- Transmit collected information
- Request a command again
- Reset the connection
- Upload configuration data
- Update configuration data
- Ping port 53 of the transmitted address
- Download and execute files from an external source
- Start a service
PlugX continues to receive new features and is still used in attacks on a regular basis.
Because PlugX can be installed without the user's knowledge, an attacker who deploys it gains control of the infected system and can carry out a wide range of malicious activity from it.