430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

APT

New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS

China-linked APT group Mustang Panda targeted various Asian countries with a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS. Trend Micro researchers uncovered a cyberespionage campaign, carried out by China-linked APT group Mustang Panda, targeting Asian countries, including Taiwan, Vietnam, and Malaysia. Mustang Panda has been active since at least 2012, it targeted American and European entities such […]

Mustang Panda

China-linked APT group Mustang Panda targeted various Asian countries with a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.

Trend Micro researchers uncovered a cyberespionage campaign, carried out by China-linked APT group Mustang Panda, targeting Asian countries, including Taiwan, Vietnam, and Malaysia.

Mustang Panda has been active since at least 2012, it targeted American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican. Past campaigns were focused on Asian countries, including Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar. In the 2022 campaigns, threat actors used European Union reports on the conflict in Ukraine and Ukrainian government reports as lures. Upon opening the reports, the infection process starts leading to the deployment of malware on the victim’s system.

In the recent campaign, threat actors used a customized PlugX malware that includes a completed backdoor command module, the researchers named it DOPLUGS.

“This kind of customized PlugX malware has been active since 2022, with related research being published by SecureworksRecorded FutureCheck Point, and Lab52. During analysis, we observed that the piece of customized PlugX malware is dissimilar to the general type of the PlugX malware that contains a completed backdoor command module, and that the former is only used for downloading the latter.” reads the report published by Trend Micro. “Due to its different functionality, we decided to give this piece of customized PlugX malware a new name: DOPLUGS.”

The malware analysis revealed the use of the KillSomeOne module that supports USB worm capability. KillSomeOne was first disclosed by a Sophos report in November 2020.

Threat actors conducted spear-phishing attacks, using files related to current events as bait, such as the Taiwanese presidential election that took place in January 2024.

The spear-phishing emails sent by the threat actors include a Google Drive link that hosts a password-protected archive file, which will download DOPLUGS malware.

Mustang Panda

DOPLUGS acts as a downloader and supports four backdoor commands. One of the commands allows the malware to download a generic version of the PlugX malware.

Mustang Panda DOPLUGS

The DOPLUGS samples included the KillSomeOne module and used a launcher component that executes the legitimate executable to perform DLL-sideloading. The launcher also downloads the next-stage malware from a remote server.

Earth Preta has primarily focused on targeting government entities worldwide, particularly within the Asia-Pacific region and Europe.” concludes the report. “Based on our observations, we believe Earth Preta tends to use spear-phishing emails and Google Drive links in its attacks.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Earth Preta)