Posted on Leave a comment

Hackers Implanting Plugx Malware During Exchange Server Attacks.

Researchers from Unit42, a PaloAltonetwork’s team, identified a new Plugx variant being delivered to the compromised Exchange Server after the exploitation of vulnerabilities like CVE-2021-26855 and CVE-2021-27065.

Plugx is a second stage implant which was used by chinese threat actor group named “PKPLUG” or Mustang Panda from the 2008 timeline for launching various high profile attacks including U.S Government Office of Personnel Management(OPM) in 2015.

“Upon successful exploitation, a webshell was uploaded to a publicly accessible web directory, allowing code execution at the highest privilege level” stated in the blog post.

Researchers observed that the threat actors were using Microsoft’s trusted binaries to bypass antivirus scanners, a technique known to be “Living off the land“. “In this case, the Microsoft Windows binary bitsadmin.exe was used to download an innocuous file named Aro.dat (SHA256: 59BA902871E98934C054649CA582E2A017079 98ACC78B2570FEF43DBD10F7B6F) from an actor-controlled GitHub repo to the target.” reads the blog post.

PlugX payload disguised as a Aro.dat file is remained to be undetected by employing encryption and compression techniques to stay under the radar. Additionally, the malware seems to achieve the code execution privilege by execution a technique known as “DLL side loading”

Experts identified that the file Aro.dat file contains interesting string names such as aross.dll, aro.exe and aro.dat. Among these files, aro.exe is a part of advanced repair and optimization tool named ARO 2012 , a free tool which claims to fix windows registry error has seen an association with the PlugX loader.

Luckily, Unit42 team has released a Python Script which can decrypt and unpack the encrypted PlugX malware and yields following list of files as the programs output:

  1. Decrypted and decompressed PlugX module (DLL). Adds an MZ header to the file as the MZ header is not present in the in-memory module. It only applies to encrypted payloads that have the random byte header (THOR payloads).
  2. Hardcoded PlugX configuration file (C2 information), if supported.

Cyberworkx news reader can get the IOC’s of this malware here.

Source: Paloaltonetworks.

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1

Leave a Reply