China-Linked PlugX and Bookworm Malware Attacks Target Asian Telecom and ASEAN Networks

Sep 27, 2025 | Ravie Lakshmanan | Malware / Network Security

Telecommunications and manufacturing sectors in Central and South Asian countries have become the focus of an ongoing campaign distributing a new variant of the known malware PlugX (also known as Korplug or SOGU).

“The new variant’s characteristics coincide with both the RainyDay and Turian backdoors, utilizing the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm for encrypting/decrypting payloads, and the RC4 keys,” stated Cisco Talos researchers Joey Chen and Takahiro Takeda in a recent analysis.

Cisco Talos noted that the configuration linked with this PlugX variant differs significantly from the typical PlugX configuration format, instead adopting the structure used in RainyDay, a backdoor associated with a China-linked threat actor known as Lotus Panda (also known as Naikon APT). This variant is likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group referred to as Cycldek.

PlugX is a modular remote access trojan (RAT) commonly used by various China-aligned hacking groups, notably by Mustang Panda (also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon).

Turian (also known as Quarian or Whitebird) is considered a backdoor exclusively utilized in cyber attacks targeting the Middle East by another advanced persistent threat (APT) group with Chinese ties known as BackdoorDiplomacy (also known as CloudComputating or Faking Dragon).

The victimology, in particular the focus on telecommunications companies, together with the shared technical implementation of the malware, points to a possible connection between Lotus Panda and BackdoorDiplomacy: either the two groups are the same, or they source their tools from a common provider.

The attack chains abuse a legitimate executable associated with Mobile Popup Application to side-load a malicious DLL, which then decrypts and launches the PlugX, RainyDay, and Turian payloads in memory. Recent attacks by the threat actor have relied heavily on PlugX, which shares its configuration structure with RainyDay and includes an embedded keylogger plugin.

“While we cannot definitively establish a connection between Naikon and BackdoorDiplomacy, there are significant commonalities – such as target selection, payload encryption/decryption methods, key reuse, and tool usage from the same source,” stated Talos. “These similarities suggest a moderate confidence link to a Chinese-speaking actor in this campaign.”

Mustang Panda’s Bookworm Malware Revealed

This disclosure coincides with Palo Alto Networks Unit 42 shedding light on the inner workings of the Bookworm malware utilized by the Mustang Panda actor since 2015 to gain extensive control over compromised systems. This advanced RAT comes equipped with capabilities to run arbitrary commands, transfer files, extract data, and establish persistent access.

Earlier this year, the cybersecurity vendor identified attacks targeting countries associated with the Association of Southeast Asian Nations (ASEAN) to distribute the malware.

Bookworm utilizes legitimate-looking domains or compromised infrastructure for C2 purposes to blend in with normal network traffic. Certain variants of the malware also share similarities with TONESHELL, a backdoor associated with Mustang Panda since late 2022.

Similar to PlugX and TONESHELL, attack chains distributing Bookworm leverage DLL side-loading for payload execution, although newer variants have embraced a technique involving packaging shellcode as universally unique identifier (UUID) strings, which are then decoded and executed.
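As an added triage example (not code from the Unit 42 or Talos reports), the Python below shows how an analyst can recognise the UUID-string packaging described above in a sample's string table and reassemble the bytes for inspection; the function names and the sample input are my own constructions, and the byte order follows the Windows GUID in-memory layout that `UuidFromString` produces.

```python
import math
import re
import uuid
from typing import List

# Canonical 8-4-4-4-12 UUID text form, the shape a string-embedding loader stores.
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def uuids_to_bytes(uuid_strings: List[str]) -> bytes:
    """Reassemble the byte sequence a run of UUID strings encodes.

    Windows' UuidFromString writes a GUID with its first three fields in
    little-endian order, so bytes_le reproduces the in-memory layout."""
    return b"".join(uuid.UUID(s).bytes_le for s in uuid_strings)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed code or encrypted data scores high, plain text low."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


def scan_for_uuid_blob(text: str, min_run: int = 4) -> dict:
    """Triage heuristic: flag a string table holding an unusually long run of
    UUIDs and return the reassembled bytes plus their entropy for inspection."""
    found = UUID_RE.findall(text)
    if len(found) < min_run:
        return {"suspicious": False, "count": len(found)}
    blob = uuids_to_bytes(found)
    return {"suspicious": True, "count": len(found), "size": len(blob),
            "entropy": round(shannon_entropy(blob), 2), "blob": blob}


def bytes_to_uuids(data: bytes) -> List[str]:
    """Helper used only to build the constructed sample below (pads to 16 bytes)."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [str(uuid.UUID(bytes_le=padded[i:i + 16]))
            for i in range(0, len(padded), 16)]


# Constructed sample: a harmless marker string stands in for a real payload.
SAMPLE_BYTES = b"CONSTRUCTED-SAMPLE-NOT-A-PAYLOAD" * 4  # 128 bytes -> 8 UUIDs
SAMPLE_STRINGS = "\n".join(["kernel32.dll", "ok"] + bytes_to_uuids(SAMPLE_BYTES))

if __name__ == "__main__":
    print(scan_for_uuid_blob(SAMPLE_STRINGS))
```

On a real sample the reassembled blob would be handed to a disassembler or sandbox rather than executed; the entropy value is only a hint, so treat a long UUID run in an otherwise ordinary string table as the stronger signal.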

“Bookworm is recognized for its unique modular architecture, enabling its core functionality to be expanded by loading additional modules directly from its command-and-control (C2) server,” stated Unit 42 researcher Kyle Wilhoit. “This modularity makes static analysis more challenging, as the Leader module relies on other DLLs to provide specific functionality.”

“The deployment and adaptation of Bookworm, running alongside other Stately Taurus operations, demonstrate its enduring role in the actor’s arsenal. It also indicates a sustained, long-term commitment to its development and utilization by the group.”