Telecommunications and manufacturing giants in Central and South Asian countries are suspected to be the targets of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU).
"The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used," Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week.
The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay, a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). RainyDay is also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls Cycldek.
PlugX is a modular remote access trojan (RAT) widely used by many China-aligned hacking groups, but most prominently by Mustang Panda (aka BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon).
Turian (aka Quarian or Whitebird), on the other hand, is assessed to be a backdoor exclusively employed in cyber attacks targeting the Middle East by another advanced persistent threat (APT) group with ties to China referred to as BackdoorDiplomacy (aka CloudComputating or Faking Dragon).
The victimology patterns – particularly the focus on telecommunications companies – and technical malware implementation have yielded evidence suggesting likely connections between Lotus Panda and BackdoorDiplomacy, raising the possibility that either the two clusters are one and the same, or that they are obtaining their tools from a common vendor.
In one incident detected by the company, Naikon is said to have targeted a telecom firm in Kazakhstan, a country that shares its borders with Uzbekistan, which has been previously singled out by BackdoorDiplomacy. What's more, both hacking crews have been found to zero in on South Asian countries.
"While we cannot conclude that there is a clear connection between Naikon and BackdoorDiplomacy, there are significant overlapping aspects – such as the choice of targets, encryption/decryption payload methods, encryption key reuse and use of tools supported by the same vendor," Cisco Talos said in its statement. "These similarities suggest a medium confidence link to a Chinese-speaking actor in this campaign."
The disclosure comes as Palo Alto Networks Unit 42 shed light on the inner workings of the Bookworm malware used by the Mustang Panda actor since 2015 to gain extensive control over compromised systems. The advanced RAT comes fitted with capabilities to execute arbitrary commands, upload/download files, exfiltrate data, and establish persistent access.
Earlier this March, the cybersecurity vendor said it identified attacks targeting countries affiliated with the Association of Southeast Asian Nations (ASEAN) to distribute the malware.