In the past few months, CYE has engaged in investigations at three separate companies across the globe after being alerted to suspicious network activity.
Due to the fact that these companies were not from a technological sector with no technological secrets to steal and the fact the attacker did not cause any damage to these networks or data, we assess that the attack was financially based.
Our investigation of this suspicious activity has concluded that a malicious actor has infiltrated and gained domain privileges on the companies' networks while spreading a new unknown customized version of PlugX RAT (Remote Access Trojan) malware. PlugX has been in use for a few years now and has been used by Chinese APT groups for cyber espionage campaigns and is well known in the cyber community.
In general, it possesses full system control capabilities like keylogging, screen capture, modifying, executing, deleting files, exfiltration of data, etc. In this version, the attacker used the “pe2shellcode” to build the PlugX executable to load itself in the memory, and like other versions, it uses a legitimate signed executable to side-load the malicious dll.
Unlike other PlugX attacks reported lately, The C2 domain used by the attacker was almost identical to a legitimate domain name used by company customers. We assess that this was done in order to “legitimize” the communication with the C2 and not to raise suspicion of security personnel. We also assess that given the specific conduct with these companies and customers' domain, this attack was very specifically targeted and not just a part of a spray attack. Shortly after we started our investigation, the attacker took down his C2 servers, indicating he was very aware of the systems he compromised.
Often, this malware is used after the attacker has breached the network and conducted an internal discovery using network scanning tools.
Our investigation found the attacker used a new self-made port scanner tool written in RUST language. We suspect using RUST language was meant to evade detection by defense systems.
The systems and logs we analyzed have made it clear that the attacker had an extensive foothold in environments he infiltrated. His movement was seen in various parts of the networks we have investigated, and it is clear to us that the backdoors we found were meant to allow him to return at any time.
To our assessment, this is the work of a Chinese APT (probably either APT10 or APT41 or APT27) attacker with extensive knowledge and resources. Although the PlugX malware variants are caught in the wild every now and again it does not deter him or make him change his MO or develop new tools from scratch. He continues to make small modifications to his tools and keeps evading defense tools. This type of attack is yet another example of the trend to use Legitimate possesses in the organization to execute attacks.
What We Found - PlugX - log.dll file
The attacker uses the legitimate signed executable file “bdservicehost.exe” to sideload his malicious log.dll file into the process of the signed executable, instead of the non-malicious log.dll file that the legitimate executable is expecting. After it is loaded to the process, the main functionality of the malicious log.dll file is to extract its encrypted shellcode payload from the bitmap resource section of the dll and save it as “syscfg.dat” at the same folder location from where the executable file was run. In the second stage, the encrypted data from the saved “syscfg.dat” file is decrypted. The decrypted data obtained is a pe2shellcode code that eventually decrypt and extracts the PlugX executable into the running process memory.
The third stage is to execute the PlugX from the process memory via a new thread. When The PlugX thread starts to run it is trying to communicate in WebDAV protocol probably to download more tools or payloads from the domain https://dav.jianguoyun[.]com/dav/. This domain name is hardcoded in the PlugX sample together with the username and the password, where the username is “12121jhksdf” and the password is “121121212”.
The PlugX code then creates the folder “spptools” in the c:\ProgramData folder and file by name “smcache.dat” that contains its C2 domain name and the protocol type for communication. The PlugX malware creates a customized keep-alive packet and tries to communicate with its C2 server. The customized packet contains base64 encoded data at the cookie field. This encoded data contains information about the infected computer: computer name, OS version, architecture type, username, and machine type (Virtual machine or not). The other unique fields of the packet are the Magic-Code field with the value “hhjjdfgh” and the user-agent, these values are hardcoded in the PlugX code.
The malicious log.dll file was compiled on July 16th ,2021, and was not recognized in the wild until we submitted it to Virus Total. Microsoft flagged this file as “Trojan” on windows defender on February 14th, 2022. In a search we did on the internet to find similar file samples, we came across a file with a lot of similarities to the malicious log.dll sample.
This file was first seen in Virus Total on August 13th, 2020, almost a year before the compilation of the malicious log.dll sample that we investigated, we can assume that the malicious log.dll file is a new updated version from the sample that we found on the internet.
IOCs
What We Found: PortScan – runtimescan.exe file
In the investigation, we found that the attacker used a tool he developed in the RUST language. The tool was compiled on June 13th, 2020 - a year before the PlugX malware sample compilation time. The main functionality of this tool is to do efficient port scanning on multiple IP addresses by working in multithread mode. This tool accepts two command-line arguments: target IP addresses and port numbers to scan.
The IP addresses and the ports can be provided as a range or individually. The RUST executable contains the libraries names from which it was compiled. There we found two important findings – a unique username account “ttttkkkk” that the attacker used while compiling this tool, and Chinese domain name of a mirror code repository “mirrors.tuna.Tsinghua.edu[.]cn”. This domain contains open-source code mirror repositories, some of them for the RUST language. This file was not recognized in the wild until we submitted it to VirusTotal. Currently, none of the AV vendors flagged this tool as malicious.