After the recent USB support for air-gapped systems and debugging-related updates, threat actors are now distributing this malware by exploiting vulnerabilities in commercial remote control software made in China.
PlugX exploiting new flaws
AhnLab researchers observed some unknown threat actors deploying PlugX by exploiting known vulnerabilities in remote desktop solutions.
- Attackers target an RCE vulnerability in Oray’s Sunlogin, tracked as (CNVD-2022-10270 / CNVD-2022-03672). In the past, this has been leveraged by several other threats, including the Sliver backdoor, Gh0st RAT, and XMRig coinminer.
- In addition, criminals leverage an RCE vulnerability in Aweray’s Awesun, which is said to be similar to the Sunlogin bug.
- In both attacks, the same Sliver C2 address was used during the vulnerability exploitation, indicating that both attacks are possibly carried out by the same adversary.
Post-exploitation activities
After successful exploitation of the vulnerability, a PowerShell command is executed that creates an executable file esetservice[.]exe.
- Esetservice[.]exe is a genuine HTTP Server Service program developed by the cybersecurity firm ESET. This program is vulnerable to DLL side-loading, which is being exploited by attackers.
- Attackers further download a malicious version of the genuine DLL http_dll[.]dll, which gets loaded during execution.
- This DLL acts as a loader, and eventually loads the PlugX malware.
Threat actors use it to get complete control over the infected system and perform further malicious activities such as keylogging, taking screenshots, and downloading additional malware.
Last week, Trend Micro reported a new variant of PlugX RAT masquerading as Windows debugger tool x32dbg deploy more malicious payloads.
Concluding notes
A large number of Chinese attackers, including Shadowpad, Mustang Panda, and TA416 have been actively using PlugX and its variants to abuse vulnerabilities in target devices. To prevent such threats, organizations are suggested to regularly review and update their security posture, and keep all the software updated.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/af3b_shutterstock_783541222.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/5310_shutterstock_1916985977.jpg)
