New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS
February 22, 2024
China-linked APT group Mustang Panda targeted various Asian countries with a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.
Trend Micro researchers uncovered a cyberespionage campaign, carried out by China-linked APT group Mustang Panda, targeting Asian countries, including Taiwan, Vietnam, and Malaysia.
Mustang Panda has been active since at least 2012, it targeted American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican. Past campaigns were focused on Asian countries, including Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar. In the 2022 campaigns, threat actors used European Union reports on the conflict in Ukraine and Ukrainian government reports as lures. Upon opening the reports, the infection process starts leading to the deployment of malware on the victim’s system.
In the recent campaign, threat actors used a customized PlugX malware that includes a completed backdoor command module, the researchers named it DOPLUGS.
“This kind of customized PlugX malware has been active since 2022, with related research being published by Secureworks, Recorded Future, Check Point, and Lab52. During analysis, we observed that the piece of customized PlugX malware is dissimilar to the general type of the PlugX malware that contains a completed backdoor command module, and that the former is only used for downloading the latter.” reads the report published by Trend Micro. “Due to its different functionality, we decided to give this piece of customized PlugX malware a new name: DOPLUGS.”
The malware analysis revealed the use of the KillSomeOne module that supports USB worm capability. KillSomeOne was first disclosed by a Sophos report in November 2020.
Threat actors conducted spear-phishing attacks, using files related to current events as bait, such as the Taiwanese presidential election that took place in January 2024.
The spear-phishing emails sent by the threat actors include a Google Drive link that hosts a password-protected archive file, which will download DOPLUGS malware.
DOPLUGS acts as a downloader and supports four backdoor commands. One of the commands allows the malware to download a generic version of the PlugX malware.
The DOPLUGS samples included the KillSomeOne module and used a launcher component that executes the legitimate executable to perform DLL-sideloading. The launcher also downloads the next-stage malware from a remote server.
“Earth Preta has primarily focused on targeting government entities worldwide, particularly within the Asia-Pacific region and Europe.” concludes the report. “Based on our observations, we believe Earth Preta tends to use spear-phishing emails and Google Drive links in its attacks.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Earth Preta)