Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU).
“The new variant’s features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used,” Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week.
The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay, a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). It’s also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls Cycldek.
PlugX is a modular remote access trojan (RAT) widely used by many China-aligned hacking groups, but most prominently by Mustang Panda (aka BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon).
Turian (aka Quarian or Whitebird), on the other hand, is assessed to be a backdoor exclusively employed in cyber attacks targeting the Middle East by another advanced persistent threat (APT) group with ties to China referred to as BackdoorDiplomacy (aka CloudComputating or Faking Dragon).
The victimology patterns – particularly the focus on telecommunications companies – and technical malware implementation had yielded evidence suggesting likely connections between Lotus Panda and BackdoorDiplomacy, raising the possibility that either the two clusters are one and the same, or that they are obtaining their tools from a common vendor.
In one incident detected by the company, Naikon is said to have targeted a telecom firm in Kazakhstan, a country that shares its borders with Uzbekistan, which has been previously singled out by BackdoorDiplomacy. What’s more, both hacking crews have been found to zero in on South Asian countries.
The attack chains essentially involve abusing a legitimate executable associated with Mobile Popup Application to sideload a malicious DLL that’s then used to decrypt and launch PlugX, RainyDay, and Turian payloads in memory. Recent attack waves orchestrated by the threat actor have heavily leaned on PlugX, which uses the same configuration structure as RainyDay and includes an embedded keylogger plugin.
“While we cannot conclude that there is a clear connection between Naikon and BackdoorDiplomacy, there are significant overlapping aspects – such as the choice of targets, encryption/decryption payload methods, encryption key reuse and use of tools supported by the same vendor,” Talos said. “These similarities suggest a medium confidence link to a Chinese-speaking actor in this campaign.”
Mustang Panda’s Bookworm Malware Detailed
The disclosure comes as Palo Alto Networks Unit 42 shed light on the inner workings of the Bookworm malware used by the Mustang Panda actor since 2015 to gain extensive control over compromised systems. The advanced RAT comes fitted with capabilities to execute arbitrary commands, upload/download files, exfiltrate data, and establish persistent access.
Earlier this March, the cybersecurity vendor said it identified attacks targeting countries affiliated with the Association of Southeast Asian Nations (ASEAN) to distribute the malware.
Bookworm utilizes legitimate-looking domains or compromised infrastructure for C2 purposes so as to blend in with normal network traffic. Select variants of the malware have also been found to share overlaps with TONESHELL, a known backdoor associated with Mustang Panda since late 2022.
Like PlugX and TONESHELL, attack chains distributing Bookworm rely on DLL side-loading for payload execution, although newer variants have embraced a technique that involves packaging shellcode as universally unique identifier (UUID) strings, which are then decoded and executed.
“Bookworm is known for its unique modular architecture, allowing its core functionality to be expanded by loading additional modules directly from its command-and-control (C2) server,” Unit 42 researcher Kyle Wilhoit said. “This modularity makes static analysis more challenging, as the Leader module relies on other DLLs to provide specific functionality.”
“This deployment and adaptation of Bookworm, running in parallel with other Stately Taurus operations, showcases its long-term role in the actor’s arsenal. It also points to a sustained, long-term commitment to its development and use by the group.”
