Hackers Exploiting Remote Desktop Program Flaws to Install PlugX Malware

ASEC (AhnLab Security Emergency response Center) has recently reported that in order to deploy PlugX malware, threat actors are exploiting vulnerabilities in Chinese remote desktop programs like:-

  • Sunlogin
  • AweSun

The use of these flaws on compromised systems continues to be exploited to deliver a variety of payloads as a result of ongoing abuses. The following are included:-

There are a number of malware on this list, but PlugX is the most recent. Chinese threat actors have extensively used modular malware, with new features constantly being added to aid in the theft of sensitive information and control of systems.

Groups use PlugX

In the past, PlugX has been used by a number of recognized APT threat groups in their attacks, including:-

  • Mustang Panda
  • Winnti
  • APT3
  • APT41

The majority of these APT groups are Chinese since they are primarily based in that country. There are several plugins with different features that are supported by PlugX, which is a module-based malware.

Technical Analysis

China-based APT threat groups are known to use PlugX as one of their major backdoors to compromise their targets. There is a long history behind the distribution of this malware, which dates back to 2008, when the first attacks were carried out.

With the passage of time, it has evolved and there are now many variants, and each variant has a unique set of features that can benefit cyber criminals.

According to the report, Cyber attackers have been successful in exploiting system vulnerabilities in attacks that ASEC has observed. An executable and a DLL file are retrieved from a remote server after hackers exploit the flaws using a PowerShell command.

The executable being discussed here is a legitimate HTTP Server Service since it comes from ESET, a company that offers cybersecurity solutions.

Once the DLL file is loaded, the PlugX payload is run in memory. Although this technique is used for legitimate purposes, it can also be exploited by malicious actors.

There are many trusted binaries used by PlugX operators, including many anti-virus executables, which are vulnerable to side-loading by DLLs. A number of studies have demonstrated that this technique is effective in infecting victims.


Additionally, one of the most notable features of the backdoor is its ability to:

  • Transmits collected information
  • Request command again
  • Plugin-related
  • Reset connection
  • Auto-delete
  • Upload configuration data
  • Update configuration data
  • Pings port 53 from the transmitted address
  • Download and execute files from an external source
  • Start service

PlugX continues to be improved with new features even today, as it continues to be used in attacks on a regular basis. 

Moreover, there is a possibility that an attacker can gain control over an infected system by installing PlugX without the user knowing. It is consequently possible for a variety of malicious behavior to be perpetrated as a result of this.

Network Security Checklist – Download Free E-Book

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

SSNDOB Marketplace Admin Jailed for Selling millions of Americans Data

In a resounding triumph for justice, U.S. District Judge Kathryn Kimball Mizelle has sentenced Vitalii…

10 hours ago

Is Your Online Store Hacked in a Carding Attack? Here’s an Action Plan to Protect

Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using…

14 hours ago

Google Researchers Find Out How ChatGPT Queries Can Collect Personal Data

The LLMs (Large Language Models) are evolving rapidly with continuous advancements in their research and…

14 hours ago

New Android Malware Employs Various Tactics to Deceive Malware Analyst

In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of…

16 hours ago

DJvu Ransomware Mimic as Cracked Software to Compromise Computers

A recent campaign has been observed to be delivering DJvu ransomware through a loader that…

17 hours ago

Okta Hack: Threat Actors Downloaded all Customer Support System Users’ Data

In a pivotal update to the Okta security incident divulged in October 2023, Okta Security…

18 hours ago