Chinese cyberspies used a new PlugX variant, dubbed THOR, in attacks against MS Exchange Servers

A China-linked cyberespionage group, tracked as PKPLUG, employed a previously undocumented strain of a RAT dubbed THOR in recent attacks.

A China-linked cyberespionage group tracked as PKPLUG (aka Mustang Panda and HoneyMyte), which is known for targeting Southeast Asia, exploited vulnerabilities in the Microsoft Exchange Server to deploy a previously undocumented variant of PlugX  on compromised systems.

Researchers from Palo Alto Networks Unit 42 team tracked the new version of the PlugX malware as Thor, they reported that the RAT was used as a post-exploitation tool deployed on one of the compromised servers.

The new variant spotted by Palo Alto researchers includes a change to its core source code, vxers replaced its trademark word “PLUG” to “THOR.” The earliest THOR sample that was spotted by the experts is dated back to August 2019. The Thor variant also implements new features such as an enhanced mechanism to deliver malicious payloads.

Experts also detected several samples that were associated with the PlugX command and control (C2) infrastructure. 

PKPLUG used a technique known as “living off the land” to bypass antivirus detection and target Microsoft Exchange servers. In the attacks investigated by Palo Alto Networks, the APT group leveraged legitimate executables such as BITSAdmin to download an innocuous file named Aro.dat from a GitHub repository under the control of the threat actors.

The analysis of the file revealed that it includes the encrypted and compressed PlugX payload.

“Aro.dat is designed to remain undetected and cannot run without the aid of a specific loader. As with previous PlugX variants, code execution is achieved via a technique known as DLL side loading. Static analysis reveals that once loaded into memory, Aro.dat begins to unpack itself and initiates communication with a C2 server. Aro.dat is, in fact, an encrypted and compressed PlugX payload.” reads the analysis. “The decryption routine within Aro.dat closely resembles that of older PlugX variants (see Figure 3 below) in that it involves multiple decryption keys and bit shift operations. Once decrypted, it gets decompressed via the Windows API RtlDecompressBuffer into a Windows module (DLL). The compression algorithm is LZ compression (COMPRESSION_FORMAT_LZNT1).”

The Aro.dat file includes the following string names: aross.dll, aro.exe and aro.dat.

Aro.exe is likely part of the “ARO 2012 advanced repair and optimization tool,” which is a freely available tool that claims to fix Windows registry errors. The executable is digitally signed, past investigations linked it to the PlugX loader and dynamically loads Aross.dll. 

One of the most recent samples of PlugX includes a variety of plug-ins that could allow the code to implements various capabilities, such as monitor, updating and interacting with the compromised system.

The report published by Palo Alto Networks also includes indicators of compromise associated with the attacks investigated by the Unit 42 team. The company also published a Python script to decrypt and unpack encrypted PlugX payloads without having the associated PlugX loaders.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking,Thor RAT)

[adrotate banner=”5″]

[adrotate banner=”13″]