Chinese Hackers Implant PlugX Variant on Compromised MS Exchange Servers

  • A Chinese cyberespionage group known for targeting Southeast Asia leveraged flaws in the Microsoft Exchange Server that came to light earlier this March to deploy a previously undocumented variant of a remote access trojan (RAT) on compromised systems.

    Attributing the intrusions to a threat actor named PKPLUG (aka Mustang Panda and HoneyMyte), Palo Alto Networks’ Unit 42 threat intelligence team said it identified a version of the modular PlugX malware called Thor that was delivered as a post-exploitation tool to one of the compromised servers. Dating back to as early as 2008, PlugX is a fully-featured second-stage implant with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote command shell.

    “The variant observed […] is unique in that it contains a change to its core source code: the replacement of its trademark word ‘PLUG’ to ‘THOR,'” Unit 42 researchers Mike Harbison and Alex Hinchliffe noted in a technical write-up published Tuesday. “The earliest THOR sample uncovered was from August 2019, and it is the earliest known instance of the rebranded code. New features were observed in this variant, including enhanced payload-delivery mechanisms and abuse of trusted binaries.”

    After Microsoft disclosed on March 2 that China-based hackers — codenamed Hafnium — were exploiting zero-day bugs in Exchange server collectively known as ProxyLogon to steal sensitive data from select targets, multiple threat actors, such as ransomware groups (DearCry and Black Kingdom) and crypto-mining gangs (LemonDuck), were also observed exploiting the flaws to hijack Exchange servers and install a web shell that granted code execution at the highest privilege level.

    PKPLUG now joins the list, according to Unit 42, who found the attackers bypassing antivirus detection mechanisms to target Microsoft Exchange Server by leveraging legitimate executables such as BITSAdmin to retrieve a seemingly innocuous file (“Aro.dat”) from an actor-controlled GitHub repository. The file, which houses the encrypted and compressed PlugX payload, alludes to a freely available advanced repair and optimization tool that’s designed to clean up and fix issues in the Windows Registry.

    The latest sample of PlugX comes equipped with a variety of plug-ins that “provide attackers various capabilities to monitor, update and interact with the compromised system to fulfil their objectives,” the researchers said. THOR’s links to PKPLUG stem from piecing together the command-and-control infrastructure as well as overlaps in the malicious behaviors detected among other recently discovered PlugX samples.

    Additional indicators of compromise associated with the attack can be accessed here. Unit 42 has also made available a Python script that can decrypt and unpack encrypted PlugX payloads without having the associated PlugX loaders.

    Found this article interesting? Follow THN on Facebook, Twitter  and LinkedIn to read more exclusive content we post.