PlugX and Bookworm Malware from China Targeting Asian Telecom and ASEAN Networks


“China is targeting Asian Telecom and ASEAN Networks via PlugX and Bookworm Malware.”

An ongoing operation spreading a new version of a known malware named PlugX (also known as Korplug or SOGU) has targeted the manufacturing and telecommunications sectors in Central and South Asian nations.

Joey Chen & Takahiro Takeda, Talos Researchers, Cisco

“The XOR-RC4-RtlDecompressBuffer method used to encrypt/decrypt payloads, the RC4 keys used, and the misuse of the same legitimate applications for DLL side-loading are some of the elements of the new variation that overlap with both the RainyDay and Turian backdoors.”


The cybersecurity firm pointed out that the variant’s configuration differs greatly from the standard PlugX configuration format; instead, it uses the same structure as RainyDay, a backdoor tied to the China-linked Lotus Panda (also known as Naikon APT) threat actor.


Kaspersky is also believed to track the same malware as FoundCore and attributes it to a Chinese-speaking threat group it calls Cycldek. PlugX, a modular remote access trojan (RAT), is used by many China-linked hacking groups, but Mustang Panda (also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon) is its best-known operator.

Turian (also known as Quarian or Whitebird), by contrast, is a backdoor believed to be used exclusively by BackdoorDiplomacy (also known as CloudComputating or Faking Dragon), another China-affiliated advanced persistent threat (APT) group, in attacks on the Middle East.

Victimology patterns, including the focus on telecom companies and the overlapping malware tooling, produced evidence of probable connections between Lotus Panda and BackdoorDiplomacy. This suggests either that the two clusters are the same group or that they obtain their tools from the same vendor.

In one incident the researchers uncovered, Naikon targeted a telecom operator in Kazakhstan, which borders Uzbekistan and has been targeted by BackdoorDiplomacy in the past. Both groups have also been found to target South Asian nations.

The attack chains abuse a legitimate executable associated with a Mobile Popup Application to side-load a malicious DLL, which then decrypts the PlugX, RainyDay, or Turian payload and runs it in memory.


PlugX, which shares RainyDay’s configuration structure and carries an integrated keylogger plugin, has been a major component of the recent attack waves coordinated by the threat actor.

Talos

“There are many common characteristics, including target selection, encryption/decryption payload techniques, encryption key reuse, and the usage of tools supplied by the same vendor, even though we cannot establish that there is a direct connection between Naikon and BackdoorDiplomacy.”


“These commonalities point to a Chinese-speaking actor in this advertisement with a medium level of confidence.”

Details about Mustang Panda’s Bookworm Malware

The disclosure coincides with Palo Alto Networks Unit 42 detailing the inner workings of Bookworm, malware that the Mustang Panda actor has used since 2015 to gain extensive control over compromised systems.

The sophisticated RAT can upload and download files, execute arbitrary commands, exfiltrate data, and establish persistent access. Earlier in March, the cybersecurity provider reported that it had discovered distribution campaigns for the malware aimed at countries associated with the Association of Southeast Asian Nations (ASEAN).

Bookworm blends in with regular network traffic by using compromised infrastructure or legitimate-looking domains for command-and-control (C2). Certain variants have also been found to share similarities with TONESHELL, a backdoor linked to Mustang Panda since late 2022.


Attack chains distributing Bookworm, like those for PlugX and TONESHELL, use DLL side-loading to execute their payloads, but more recent versions have adopted a technique that packages shellcode as universally unique identifier (UUID) strings, which are decoded at runtime and then executed.
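Added example (not code from the original article, Unit 42, or the malware): a Python triage helper that locates arrays of UUID strings in a sample or decompiled source, rebuilds the bytes the way a loader’s UuidFromString call lays them out in memory, and flags high-entropy decoded blobs for analyst review. The `uuid_runs`/`triage` names, the array layout of the constructed sample, and the entropy threshold are assumptions, not details from the report.

```python
import math
import re
import uuid

UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
SEPARATOR_RE = re.compile(r"[\s,\"']*")  # what may sit between array members

def uuid_runs(text, min_run=8):
    """Runs of at least min_run consecutive UUID strings, e.g. an array literal."""
    runs, current, last_end = [], [], None
    for m in UUID_RE.finditer(text):
        if current and not SEPARATOR_RE.fullmatch(text[last_end:m.start()]):
            if len(current) >= min_run:
                runs.append(current)
            current = []
        current.append(m.group(0))
        last_end = m.end()
    if len(current) >= min_run:
        runs.append(current)
    return runs

def decode_uuid_run(run):
    """Bytes a loader gets from UuidFromString: Data1-Data3 are stored
    little-endian, so the memory layout is bytes_le, not the textual hex order."""
    return b"".join(uuid.UUID(u).bytes_le for u in run)

def shannon_entropy(data):
    """Bits per byte; 0.0 for empty or constant data."""
    n = len(data)
    counts = (data.count(bytes([b])) for b in set(data))
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def triage(text, min_run=8, entropy_threshold=6.0):
    """Report each UUID array; a high-entropy decoded blob is flagged.
    The threshold is an assumed heuristic to be tuned on a real corpus."""
    findings = []
    for run in uuid_runs(text, min_run):
        blob = decode_uuid_run(run)
        ent = shannon_entropy(blob)
        findings.append({"count": len(run), "size": len(blob),
                         "entropy": round(ent, 2),
                         "suspicious": ent > entropy_threshold})
    return findings

# Constructed sample: a deterministic 128-byte pattern (not real shellcode)
# embedded as a C string array, followed by one unrelated lone GUID.
SAMPLE_BLOB = bytes((i * 37 + 11) % 256 for i in range(128))
SAMPLE_SOURCE = ("const char *uuids[] = {\n" + ",\n".join(
    '"%s"' % uuid.UUID(bytes_le=SAMPLE_BLOB[i:i + 16]) for i in range(0, 128, 16))
    + "\n};\nCLSID = {" + str(uuid.UUID(int=0x1234)) + "}\n")
```

Running `triage(SAMPLE_SOURCE)` reports the eight-element array as one 128-byte blob and ignores the lone CLSID; a real sample would also warrant checking the decoded bytes against known loader stubs.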

Kyle Wilhoit, Researcher, Unit 42

“Bookworm’s distinctive modular architecture enables the expansion of its core capabilities through the direct loading of additional modules from its command-and-control (C2) server. Static analysis is made more difficult by this modularity, since the Leader module depends on other DLLs to supply certain functionality.”

“Bookworm’s long-term position in the actor’s toolbox is demonstrated by this deployment and adaptation, which took place concurrently with other Stately Taurus actions. It also indicates a consistent, long-term dedication to the group’s use and advancement of it.”

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness, and ethical hacking.
