Severity
High
Analysis Summary
Mustang Panda, a China-attributed threat group, has been observed targeting multiple Asian countries with a new variant of the PlugX (aka Korplug) backdoor named DOPLUGS. The primary targets of DOPLUGS are located in Vietnam and Taiwan, and to some extent, India, Hong Kong, Malaysia, Mongolia, Japan, and even China.
This customized variant differs substantially from the usual PlugX, which carries the full backdoor command module; the customized variant is used to download the full one. PlugX is one of the main tools of Mustang Panda, an advanced persistent threat (APT) group that has been active since 2012. The threat actor is known for sophisticated spear-phishing campaigns that deliver a variety of custom malware, such as customized PlugX variants, Thor, RedDelta, Hodur, and DOPLUGS.
“The spear-phishing emails sent to victims are embedded with a Google Drive link that hosts a password-protected archive file, which will download DOPLUGS malware,” said the researchers.
The attack chains use several tactics, such as phishing messages that serve as the conduit for the first-stage payload while a decoy document is shown to the unsuspecting user. The payload unpacks a legitimate, signed executable that is vulnerable to DLL side-loading; the side-loaded dynamic-link library (DLL) then decrypts and executes PlugX. PlugX in turn fetches the Poison Ivy RAT or Cobalt Strike Beacon to connect to a Mustang Panda-controlled server.

DOPLUGS, first discovered in September 2022, is a downloader that comes with four backdoor commands, one of which is designed to download the normal variant of PlugX. Researchers also identified DOPLUGS samples integrated with a module called KillSomeOne, a plugin made to distribute malware, collect information, and steal documents via USB drives.
The variant also comes with an extra launcher component that executes the legitimate file to perform DLL side-loading, in addition to supporting the running of commands and the download of next-stage malware from a command-and-control (C2) server. A customized PlugX variant containing the KillSomeOne module and designed to propagate through USB drives was discovered in January 2020 as part of cyberattacks against Vietnam and Hong Kong. The campaign shows that Mustang Panda continues to refine its tools by adding new functionality and features. The APT group remains very active, especially in Asia and Europe.
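The side-loading step described above leaves a recognizable pattern in image-load telemetry: a signed executable running from a user-writable directory maps a DLL that carries the name of a well-known system DLL from that same directory rather than from System32. The following heuristic over such events is an added example for defenders, not code from the advisory; the event shape, the sample records and the `KNOWN_SYSTEM_DLLS` list are constructed assumptions.

```python
# Added example: flag the DLL side-loading pattern (signed binary in a
# user-writable path loads a system-named DLL from its own directory).
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
# Hypothetical watch-list of DLL names that normally resolve to the OS copy.
KNOWN_SYSTEM_DLLS = {"version.dll", "wininet.dll", "userenv.dll", "dwmapi.dll"}

@dataclass
class ImageLoad:
    process_image: str    # full path of the loading process
    image_loaded: str     # full path of the DLL that was mapped
    process_signed: bool  # Authenticode status of the process image

def is_suspicious_sideload(ev: ImageLoad) -> bool:
    proc = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.image_loaded)
    proc_dir = str(proc.parent).lower()
    dll_dir = str(dll.parent).lower()
    return (
        ev.process_signed                              # legitimate host binary
        and proc_dir.startswith(USER_WRITABLE_PREFIXES)  # unpacked by the user
        and dll.name.lower() in KNOWN_SYSTEM_DLLS        # system DLL name...
        and dll_dir not in SYSTEM_DIRS                   # ...but not the OS copy
        and dll_dir == proc_dir                          # loaded from exe's dir
    )

def find_sideloads(events):
    return [ev for ev in events if is_suspicious_sideload(ev)]

SAMPLE_EVENTS = [  # constructed sample telemetry
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\docs\viewer.exe",
              r"C:\Users\victim\AppData\Local\Temp\docs\version.dll", True),
    ImageLoad(r"C:\Program Files\Viewer\viewer.exe",
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\docs\viewer.exe",
              r"C:\Users\victim\AppData\Local\Temp\docs\app.dll", True),
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL side-load:", ev.process_image, "->", ev.image_loaded)
```

Only the first sample record matches; the second is the normal OS resolution and the third loads a DLL with no system namesake.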
Impact
- Cyber Espionage
- Sensitive Information Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources or senders.
- Implement ongoing phishing awareness training for partners and staff.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and antimalware software and update signature definitions promptly. Use multilayered protection.