Eset researchers have discovered an ongoing campaign using a previously undiscovered version of the Korplug malware. Korplug was previously seen in a campaign targeting Australian government departments and businesses in the middle of 2020. Korplug, also known as PlugX, along with its variants Thor and now Hodur, is a remote access trojan (RAT) capable of granting remote access to infected machines and executing commands. The precise functionality of the RAT depends on the requirements of the threat actor and has changed from one Korplug variant to the next.
Given that the last discovered variant was Thor, Eset’s researchers kept the Norse mythology naming convention intact, naming the new variant Hodur after Thor’s half-blind brother. In the myth, Hodur is tragically manipulated by Loki into killing their half-brother Baldr.
Researchers noted that at the time their article detailing the new variant was published, the campaign was still ongoing. Its primary targets were internet service providers (ISPs) and European diplomatic missions in Mongolia, Vietnam, Myanmar, Greece, Russia, Cyprus, South Sudan, and South Africa.
Victims are lured with phishing documents that exploit the latest events in Europe, such as Russia’s invasion of Ukraine. One of the filenames, for example, was “Situation at the EU borders with Ukraine.exe”.
Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council. The last one is a real document available on the European Council’s website. This shows that the threat actors, likely a state-sponsored APT group, are closely monitoring current affairs in order to run believable phishing campaigns.
In terms of attributing the campaign to a specific group, Eset researchers believe that,
“Based on code similarities and the many commonalities in Tactics, Techniques, and Procedures (TTPs), ESET researchers attribute this campaign with high confidence to Mustang Panda (also known as TA416, RedDelta, or PKPLUG). It is a cyberespionage group mainly targeting governmental entities and NGOs. Its victims are mostly, but not exclusively, located in East and Southeast Asia with a focus on Mongolia. The group is also known for its campaign targeting the Vatican in 2020.”
As to why a known Chinese state-sponsored group would attack organizations affiliated with the Catholic Church, Recorded Future notes,
“For many years, Chinese state-sponsored groups have targeted religious minorities within the PRC, particularly those within the so-called “Five Poisons,” such as Tibetan, Falun Gong, and Uighur Muslim communities. Insikt Group has publicly reported on aspects of this activity, such as our findings on RedAlpha [a group known to work with Mustang Panda], the ext4 backdoor, and Scanbox watering hole campaigns targeting the Central Tibetan Administration, other Tibetan entities, and the Turkistan Islamic Party. Most recently, a July 2020 U.S. indictment identified the targeting of emails belonging to Chinese Christian religious figures — a Xi’an-based pastor, as well as an underground church pastor in Chengdu, the latter of whom was later arrested by the PRC government, by two contractors allegedly operating on behalf of the Chinese Ministry of State Security (MSS). Regional branches of China’s Ministry of Public Security (MPS) have also been heavily involved in digital surveillance of ethnic and religious minorities within the PRC, most notably by the Xinjiang Public Security Bureau (XPSB) in the case of Uighur Muslims.”
There are several other indicators that Mustang Panda is behind the campaign, including that the campaign appears to have the same targeting objectives as previous Mustang Panda campaigns.
Supporting this point, the vast majority of targets are located in Mongolia and Vietnam, followed by Myanmar, with only a few in the other affected countries. Past campaigns also focused intently on these regions, including only a few African or European targets.
It is not only targets that are shared between campaigns but also the group’s toolset. Campaigns conducted by Mustang Panda frequently use custom loaders for shared malware, including Cobalt Strike, Poison Ivy, and Korplug.
Further, the group is known to use its own custom variants of Korplug, demonstrating its capabilities by including anti-analysis techniques and control-flow obfuscation at every stage of the infection chain.
Hodur shares a great many similarities with the previous Korplug variants, but the more interesting differences lie within the RAT module, chiefly in the commands the RAT accepts. For example, when the RAT module is initiated it begins by searching for an active command and control (C2) server from a list embedded in the malware.
Once an active server is found, the malware attempts an HTTP or TCP handshake. If successful, all further communication between the victim’s machine and the C2 server is done over TCP.
Eset’s article detailing the discovery includes three tables of commands used by Hodur, which make for interesting reading on Hodur’s capabilities. Some of the malware’s more fundamental commands include:
- Ping – start listening for commands
- GetSystemInfo – gather and send system information
- ListenThread – start a new thread that listens for commands for the second handler
- ResetConnection – reset connection to C2
- Uninstall – delete added registry keys, remove all malware components and delete the created folders
- Stop – disable registry key and exit
The commands listed above are handled by the first handler. The malware’s second handler listens for a completely different set of commands that concern the RAT’s functionality and are thus more advanced than the first set, which is used for basic reconnaissance.
The list of this second group is extensive, but some indicative examples are commands to list drives and directories, read and write files, execute commands on a hidden desktop, and start an interactive remote cmd.exe session.
In conclusion, Eset researchers stated,
“The decoys used in this campaign show once more how quickly Mustang Panda is able to react to world events. For example, an EU regulation on COVID-19 was used as a decoy only two weeks after it came out, and documents about the war in Ukraine started being used in the days following the beginning of the launch of the invasion. This group also demonstrates an ability to iteratively improve its tools, including its signature use of trident downloaders to deploy Korplug.”