Researchers from PaloAlto Unit 42 uncovered a previously unseen variant as a remote access tool that was delivered at the post-exploitation phase during the Microsoft Exchange server attack that has taken place on March 2021.
The RAT variant is known as PlugX was initially discovered on 2008 when it was a second stage variant, also it is evolving with sophisticated functionalities used by the Chinese cyberespionage group PKPLUG aka Mustang Panda.
PlugX variant has changed its core source code, and the new features of the variant were observed that include the enhanced payload-delivery mechanisms and abuse of trusted binaries.
Along with the variant, several more samples we collected that has been associated PlugX command and control (C2) infrastructure.
Back in 2019, it changed the trademark word “PLUG” to “THOR, also in this current research encountered that, PlugX-encrypted payloads have a different encoding scheme and file header.
How Does PlugX is Being Delivered
A critical Microsoft exchange server vulnerabilities were brutally exploited on March 2021 around the globe by taking advantage of 2 chains of zero-days (CVE-2021-26855 and CVE-2021-27065), and it was known as ProxyLogon.
Successfully exploitation of this vulnerability let hackers inject and arbitrary code into the vulnerable Microsoft exchange server to upload the web shell with the highest privileges.
Attackers were misused the Microsoft Windows binary bitsadmin.exe to download a malicious file named Aro.dat from the GitHub repository that was controlled by the attackers.
According to the Unit, 42 research “the first one thousand bytes of Aro.dat indicate the file might be encrypted or possibly compressed. As it turns out, this data is nothing but random padding data likely added as a file header to evade AV signatures to thwart detection.”
Attackers have developed the Aro.dat to remain undetected, and it never makes a move with the help of a specific loader, also once loaded into memory, Aro.dat begins to unpack itself and initiates communication with a C2 server. Researchers said.
Further analysis revealed that Aro.dat is actually an encrypted and compressed PlugX payload, and Once decrypted, it gets decompressed via the Windows API RtlDecompressBuffer into a Windows module (DLL).
“PlugX modules, such as Aro.dat, include hardcoded configuration information allowing for multiple C2 addresses. This provides fallback options for the backdoor in case some remote services are unavailable at the time of compromise”
Unit 42 researchers also developed a Python script that can decrypt and unpack encrypted PlugX payloads and the tool is hosted on Unit 42’s public tools GitHub repository.
