Chinese Hackers Implant PlugX Variant on Compromised MS Exchange Servers (Security News, August 2021)
A Chinese cyberespionage group known for targeting Southeast Asia leveraged flaws in the Microsoft Exchange Server that came to light earlier this March to deploy a previously undocumented variant of a remote access trojan on compromised systems.
Attributing the intrusions to a threat actor named PKPLUG, Palo Alto Networks' Unit 42 threat intelligence team said it identified a new version of the modular PlugX malware, called Thor, that was delivered as a post-exploitation tool to one of the breached servers.
Dating back to as early as 2008, PlugX is a fully featured second-stage implant with capabilities such as file upload, download, and modification; keystroke logging; webcam control; and access to a remote command shell.
After Microsoft disclosed on March 2 that China-based hackers - codenamed Hafnium - were exploiting zero-day bugs in Exchange server collectively known as ProxyLogon to steal sensitive data from select targets, multiple threat actors, such as ransomware groups and crypto-mining gangs, were also observed exploiting the flaws to hijack Exchange servers and install a web shell that granted code execution at the highest privilege level.
The latest sample of PlugX comes equipped with a variety of plug-ins that "provide attackers various capabilities to monitor, update and interact with the compromised system to fulfil their objectives," the researchers said.
Unit 42 has also made available a Python script that can decrypt and unpack encrypted PlugX payloads without having the associated PlugX loaders.