A China-linked threat actor was observed attacking Russian speakers using an up-to-date version of the remote access trojan PlugX.
Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.
“The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations,” the cybersecurity firm said in a report shared with The Hacker News. “This desire for situational awareness often extends to collecting intelligence from allies and ‘friends. ‘”
Bronze President has been active at least since July 2018, and has a history in conducting espionage activities by using custom and publicly-available tools to compromise, keep long-term access and gather data from target of interest.
Chief is one of its tools. It uses PlugX as a Windows backdoor to allow threat actors execute various commands on infected system. This has been used by many Chinese state-sponsored actors throughout the years.
This month’s latest Secureworks findings suggest that there has been an extension to the campaign described by Proofpoint, ESET and ESET. This new version of PlugX, codenamed Hodur was used. It is so named because it overlaps with another version, THOR, that appeared on the scene last July 2021..
The attack chain begins with the malicious executable “Blagoveshchensk- Blagoveshchensk Border Detachment.exe”, which masquerades in a legitimate PDF document and opens to a URL that leads to the installation of an encrypted PlugX Payload from remote servers.
“Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment,” the researchers said. This suggests that officials and military personnel are familiar with this filename. “
The fact that Russian officials may have been the target of the March 2022 campaign indicates that the threat actor is evolving its tactics in response to the political situation in Europe and the war in Ukraine.
“Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the [People’s Republic of China],” the researchers said.
The findings come weeks after another China-based nation-state group known as Nomad Panda (aka RedFoxtrot) was linked with medium confidence to attacks against defense and telecom sectors in South Asia by leveraging yet another version of PlugX dubbed Talisman.
“PlugX has been associated with various Chinese actors in recent years,” Trellix noted last month. This raises questions about whether the malware code base may be shared between different Chinese state-backed organizations. “
“On the other hand, the alleged leak of the PlugX v1 builder, as reported by Airbus in 2015, indicates that not all occurrences of PlugX are necessarily tied to Chinese actors,” the cybersecurity company added.
