China-Linked PlugX and Bookworm Malware Attacks Target Asian Telecom and ASEAN Networks
"The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used," Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week. The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay, a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT)."
"PlugX is a modular remote access trojan (RAT) widely used by many China-aligned hacking groups, but most prominently by Mustang Panda (aka BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon). Turian (aka Quarian or Whitebird), on the other hand, is assessed to be a backdoor exclusively employed in cyber attacks targeting the Middle East by another advanced persistent threat (APT) group with ties to China referred to as BackdoorDiplomacy (aka CloudComputating or Faking Dragon)."
"The victimology patterns - particularly the focus on telecommunications companies - and technical malware implementation had yielded evidence suggesting likely connections between Lotus Panda and BackdoorDiplomacy, raising the possibility that either the two clusters are one and the same, or that they are obtaining their tools from a common vendor."
A new PlugX (aka Korplug or SOGU) variant is being deployed against telecommunications and manufacturing organizations in Central and South Asia. Cisco Talos identified feature overlap with the RainyDay and Turian backdoors: abuse of the same legitimate applications for DLL side-loading, the same XOR-RC4-RtlDecompressBuffer routine for payload encryption and decryption, and the same RC4 keys. The variant's configuration diverges from the usual PlugX format and instead adopts the RainyDay structure associated with Lotus Panda (aka Naikon APT). PlugX is a modular RAT used by multiple China-aligned groups, while Turian is tied to BackdoorDiplomacy and its Middle East targeting. Victimology (notably the telecommunications focus) and the technical overlaps suggest either a direct connection between Lotus Panda and BackdoorDiplomacy or tooling obtained from a common supplier.
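The summary above names the payload layering (XOR, RC4, then RtlDecompressBuffer) but does not show how an analyst unwraps such a chain. The Python below is an added example, not code from the Talos report or from the malware itself: it implements a generic XOR -> RC4 -> LZNT1 decoder (LZNT1 is the format RtlDecompressBuffer handles with COMPRESSION_FORMAT_LZNT1). The layer order, the single-byte XOR key, the RC4 key and the sample blob are all assumed values constructed for this demo; with a real sample the keys and ordering have to be recovered from the specific loader.

```python
# Added example: generic decode chain for a payload layered as
# XOR -> RC4 -> LZNT1 (RtlDecompressBuffer). Layer order, keys and the
# sample blob are assumptions constructed for the demo, not values from
# the Talos report or any real sample.
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR layer (also its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream: a sequence of chunks, each with a 2-byte
    header (bit 15 = compressed, bits 0-11 = chunk size - 1)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        (header,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if header == 0:
            break  # end-of-stream marker
        chunk_end = pos + (header & 0x0FFF) + 1
        if not header & 0x8000:  # stored chunk: raw copy
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):  # one flag bit per token, LSB first
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):
                    out.append(data[pos])  # literal byte
                    pos += 1
                    continue
                (token,) = struct.unpack_from("<H", data, pos)
                pos += 2
                # The displacement/length split widens as the chunk fills.
                p = len(out) - chunk_start - 1
                len_mask, disp_shift = 0x0FFF, 12
                while p >= 0x10:
                    len_mask >>= 1
                    disp_shift -= 1
                    p >>= 1
                length = (token & len_mask) + 3
                disp = (token >> disp_shift) + 1
                if disp > len(out) - chunk_start:
                    raise ValueError("LZNT1 back-reference points before the chunk")
                for _ in range(length):  # byte-wise so overlapping copies work
                    out.append(out[-disp])
    return bytes(out)


def decode_payload(blob: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Assumed unwrap order: strip XOR, then RC4, then LZNT1-decompress."""
    return lznt1_decompress(rc4(rc4_key, xor_bytes(blob, xor_key)))


# Constructed sample: one compressed LZNT1 chunk holding the literals "A","B"
# followed by a back-reference (distance 2, length 10), which expands to
# "ABABABABABAB". Header 0xB004 = compressed | signature 3 | size-1 = 4.
SAMPLE_COMPRESSED = bytes([0x04, 0xB0, 0x04, 0x41, 0x42, 0x07, 0x10])
XOR_KEY = b"\x5a"           # assumed
RC4_KEY = b"demo-rc4-key"   # assumed
# Wrap it the way the (assumed) loader would, so decode_payload can unwrap it.
SAMPLE_BLOB = xor_bytes(rc4(RC4_KEY, SAMPLE_COMPRESSED), XOR_KEY)

if __name__ == "__main__":
    print(decode_payload(SAMPLE_BLOB, XOR_KEY, RC4_KEY))
```

When a layer order is unknown, the LZNT1 chunk header is a useful oracle: after the right sequence of XOR and RC4 the first two bytes decode to a header with signature bits 0x3000 and a plausible chunk size, which is a cheap check to run across candidate keys before attempting a full decompression.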
Read at The Hacker News