Chinese hackers infect systems with new RAT through vulnerabilities in Microsoft Exchange

A Chinese hacking group known for its attacks on Southeast Asian countries is exploiting the ProxyLogon vulnerabilities in Microsoft Exchange Server (the set of Exchange flaws Microsoft patched in March 2021) to infect targeted systems with a previously unknown Remote Access Trojan (RAT).

Unit 42, the threat research team of the information security company Palo Alto Networks, attributed the attacks to the PKPLUG group (also tracked as Mustang Panda and HoneyMyte). The researchers identified a new variant of the modular PlugX malware, dubbed Thor, which was delivered to one of the compromised servers as a post-exploitation tool.

The PlugX Trojan, first seen in 2008, is a full-featured implant deployed in the second stage of an intrusion. It can download and modify files, log keystrokes, control the webcam and give the operators a remote command shell.

According to the researchers, the PLUG marker has been replaced with THOR in the code of the new variant. The file that carries the encrypted and compressed PlugX payload is associated with a freely available Advanced Repair and Optimization tool designed to clean up and fix problems in the Windows Registry.

The new PlugX variant ships with a range of plugins that let the attackers monitor compromised systems, update the implant and interact with the hosts.

Additional indicators of compromise related to the PlugX attacks are available from Unit 42, which has also released a Python script that decrypts and decompresses the encrypted PlugX payload without needing the associated PlugX loader.
