U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Chinese cyberspies used a new PlugX variant, dubbed THOR, in attacks against MS Exchange Servers

A China-linked cyberespionage group, tracked as PKPLUG, employed a previously undocumented strain of a RAT dubbed THOR in recent attacks. A China-linked cyberespionage group tracked as PKPLUG (aka Mustang Panda and HoneyMyte), which is known for targeting Southeast Asia, exploited vulnerabilities in the Microsoft Exchange Server to deploy a previously undocumented variant of PlugX  on compromised systems. Researchers […]

thor RAT

A China-linked cyberespionage group, tracked as PKPLUG, employed a previously undocumented strain of a RAT dubbed THOR in recent attacks.

A China-linked cyberespionage group tracked as PKPLUG (aka Mustang Panda and HoneyMyte), which is known for targeting Southeast Asia, exploited vulnerabilities in the Microsoft Exchange Server to deploy a previously undocumented variant of PlugX  on compromised systems.

Researchers from Palo Alto Networks Unit 42 team tracked the new version of the PlugX malware as Thor, they reported that the RAT was used as a post-exploitation tool deployed on one of the compromised servers.

The new variant spotted by Palo Alto researchers includes a change to its core source code, vxers replaced its trademark word “PLUG” to “THOR.” The earliest THOR sample that was spotted by the experts is dated back to August 2019. The Thor variant also implements new features such as an enhanced mechanism to deliver malicious payloads.

Experts also detected several samples that were associated with the PlugX command and control (C2) infrastructure. 

PKPLUG used a technique known as “living off the land” to bypass antivirus detection and target Microsoft Exchange servers. In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors.

The analysis of the file revealed that it includes the encrypted and compressed PlugX payload.

“Aro.dat is designed to remain undetected and cannot run without the aid of a specific loader. As with previous PlugX variants, code execution is achieved via a technique known as DLL side loading. Static analysis reveals that once loaded into memory, Aro.dat begins to unpack itself and initiates communication with a C2 server. Aro.dat is, in fact, an encrypted and compressed PlugX payload.” reads the analysis. “The decryption routine within Aro.dat closely resembles that of older PlugX variants (see Figure 3 below) in that it involves multiple decryption keys and bit shift operations. Once decrypted, it gets decompressed via the Windows API RtlDecompressBuffer into a Windows module (DLL). The compression algorithm is LZ compression (COMPRESSION_FORMAT_LZNT1).”

The Aro.dat file includes the following string names: aross.dll, aro.exe and aro.dat.

Aro.exe is likely part of the “ARO 2012 advanced repair and optimization tool,” which is a freely available tool that claims to fix Windows registry errors. The executable is digitally signed, past investigations linked it to the PlugX loader and dynamically loads Aross.dll. 

thor RAT

One of the most recent samples of PlugX includes a variety of plug-ins that could allow the code to implements various capabilities, such as monitor, updating and interacting with the compromised system.

The report published by Palo Alto Networks also includes indicators of compromise associated with the attacks investigated by the Unit 42 team. The company also published a Python script to decrypt and unpack encrypted PlugX payloads without having the associated PlugX loaders.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking,Thor RAT)

[adrotate banner=”5″]

[adrotate banner=”13″]