Cisco Talos identified a multi-year campaign (since 2022) targeting telecommunications and manufacturing organizations in Central and South Asia that delivered a new variant of PlugX which shares significant code, keys, and execution techniques with RainyDay and Turian. The overlaps in configuration format, RC4 keys, XOR-RC4-RtlDecompressBuffer payload handling, and DLL sideloading lead Talos to assess with medium confidence that the campaign is attributable to Naikon and suggest a potential connection or shared tooling with BackdoorDiplomacy. #PlugX #RainyDay #Turian #Naikon #BackdoorDiplomacy
Keypoints
- Cisco Talos discovered a campaign active since 2022 targeting telecom and manufacturing sectors in Central and South Asia delivering a new PlugX variant.
- The new PlugX variant uses a RainyDay-style configuration format and shares decryption/encryption algorithms and RC4 keys with RainyDay and Turian loaders.
- All three malware families abuse the same legitimate applications for DLL search order hijacking and load encrypted shellcode from a local “Initial” directory.
- The loaders employ an XOR decryption stage followed by RC4 decryption and LZNT1 (RtlDecompressBuffer) decompression to unpack DLLs in memory.
- Shared RC4 keys and similar loader/shellcode structures, plus overlapping victimology, suggest a medium-confidence attribution to Naikon and potential linkage with BackdoorDiplomacy or a shared vendor.
- Talos found PDB paths and timestamps linking older RainyDay samples back to at least 2016 and loader compile timestamps as early as 2018, indicating long-term development and use.
- The PlugX variant escalates privileges (SeDebugPrivilege, SeTcbPrivilege), obfuscates its strings with a modified TEA, includes a keylogger and plugin management, and communicates with its C2 over HTTPS using PlugX-like protocol components (VTCP).
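The loader chain described above (XOR, then RC4, then LZNT1 decompression via RtlDecompressBuffer) is the part an analyst most often has to reproduce offline to get the unpacked DLL out of a shellcode file. The following is an added example, not code from the Talos report or from the malware families it describes: a pure-Python unpacker that implements textbook RC4 and a general LZNT1 decoder (the format RtlDecompressBuffer handles), chained in the order the report gives. The RC4 key is one of the shared keys listed in the indicators; the XOR key (a repeating two-byte value) and the sample blob are constructed assumptions, because the report summary does not give the loaders' XOR scheme.

```python
"""Static unpacker for the XOR -> RC4 -> LZNT1 loader chain (added example)."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The real loaders' XOR key layout is not given in
    the summary, so a repeating multi-byte key is an ASSUMPTION for the demo."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    """Decode LZNT1 (what RtlDecompressBuffer does for COMPRESSION_FORMAT_LZNT1):
    a sequence of chunks with a 2-byte header (low 12 bits = data size - 1,
    bit 15 = compressed); compressed chunks are flag bytes, each followed by
    up to 8 tokens that are either a literal byte or a 2-byte back-reference."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = data[pos] | (data[pos + 1] << 8)
        pos += 2
        if header == 0:                        # end-of-stream marker
            break
        chunk_end = min(pos + (header & 0x0FFF) + 1, len(data))
        if not header & 0x8000:                # stored (uncompressed) chunk
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):               # flag bits are read LSB first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:     # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                if pos + 1 >= chunk_end:
                    raise ValueError("truncated back-reference token")
                token = data[pos] | (data[pos + 1] << 8)
                pos += 2
                # The 16-bit token is split between displacement and length;
                # the displacement field widens as the chunk's output grows.
                rel = len(out) - chunk_start
                len_mask, disp_shift = 0x0FFF, 12
                i = rel - 1
                while i >= 0x10:
                    len_mask >>= 1
                    disp_shift -= 1
                    i >>= 1
                length = (token & len_mask) + 3
                disp = (token >> disp_shift) + 1
                if disp > rel:
                    raise ValueError("back-reference points before chunk start")
                for _ in range(length):        # byte-wise copy allows overlap
                    out.append(out[-disp])
    return bytes(out)


def unpack_payload(blob: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """The loader chain from the report: XOR, then RC4, then LZNT1."""
    return lznt1_decompress(rc4(rc4_key, xor_bytes(blob, xor_key)))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for real samples: an unpacked loader DLL starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed test data (not from a real sample): one compressed chunk that
# expands to b"ABCABCABCABC" followed by one stored chunk holding b"XYZ".
LZNT1_SAMPLE = bytes.fromhex("05B0" "08" "414243" "0620" "0230" "58595A")
EXPECTED = b"ABCABCABCABCXYZ"
RC4_KEY = b"8f-2;g=3/c?1wf+c92rv.a"   # one of the shared keys from the report
XOR_KEY = b"\x5a\xa5"                 # assumed layout; not the loaders' real key


def build_demo_blob() -> bytes:
    """Apply the chain in reverse to produce a blob the unpacker can recover."""
    return xor_bytes(rc4(RC4_KEY, LZNT1_SAMPLE), XOR_KEY)


if __name__ == "__main__":
    recovered = unpack_payload(build_demo_blob(), XOR_KEY, RC4_KEY)
    print(recovered, "PE header present:", looks_like_pe(recovered))
```

Against a real shellcode file from the Initial directory the only changes are reading the file into `blob` and supplying the XOR scheme and key recovered from the specific loader; `looks_like_pe` then tells you whether the chain and keys were right before you hand the result to a disassembler.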
MITRE Techniques
- [T1055] Process Injection – Loaders decrypt shellcode and unpack payloads into memory, then inject code into the calling process or spawn/inject into legitimate processes (e.g., wabmig.exe or explorer.exe) for execution. Quote: ‘…read encrypted shellcode files … decrypt the data to execute their respective malware.’
- [T1218] Signed Binary Proxy Execution (DLL Search Order Hijacking) – Malware abuses legitimate applications to DLL sideload and execute malicious loaders. Quote: ‘…abusing the same legitimate Mobile Popup Application as RainyDay to load themselves into memory.’
- [T1140] Deobfuscate/Decode Files or Information – Loaders perform XOR and RC4 decryption followed by LZNT1 decompression (RtlDecompressBuffer) to obtain runnable code. Quote: ‘…encrypted and compressed using RC4 and LZNT1… decompressed and decrypted, ultimately providing code to be executed in memory.’
- [T1036] Masquerading – The PlugX variant hides its malicious service within services.exe and uses legitimate-sounding DLL names and installers to blend with normal software. Quote: ‘…hide its malicious service within the services.exe process.’
- [T1134] Access Token Manipulation (Privilege Escalation) – The PlugX variant acquires SeDebugPrivilege and SeTcbPrivilege to elevate process privileges. Quote: ‘…escalates its privileges by acquiring SeDebugPrivilege and SeTcbPrivilege.’
- [T1112] Modify Registry – The configuration includes registry key paths, and the malware uses configuration data for persistence and environment-specific settings. Quote: ‘…configuration holds critical details like the C2 server address, folder name, service description, mutex, registry key path…’
- [T1005] Data from Local System – The keylogger plug-in collects keystroke data and writes log files to disk, evidencing data collection on compromised hosts. Quote: ‘…embedded a keylogger plug-in in all analyzed PlugX backdoor payloads… log files discovered on VirusTotal…’
- [T1090] Proxy / Tunneling (ICMP/Custom C2) – PDB strings reference ‘icmpsh-master’, indicating potential use or modification of ICMP shell techniques for covert C2. Quote: ‘…icmpsh-master… likely referring to ICMP Shell (icmpsh)…’
Indicators of Compromise
- [File name] Loader/shellcode filenames observed in the Initial directory – rdmin.src (RainyDay), Mcsitesdvisor.afx (PlugX), winslivation.dat (Turian).
- [RC4 key] Shared decryption keys used across families – “8f-2;g=3/c?1wf+c92rv.a”, “jfntv`1-m0vt801tyvqaf_)U89chasv”.
- [PDB paths] Build artifacts revealing project and compile info – C:vc_codeNo.33-2hao3-2hao-211221…, C:UsersadminDesktop…MicrosoftEdgeUpdate.exeshellcode_xor…, C:UsersQsDesktopWorkspace1qazbincore.pdb.
- [Dropped files / log paths] Keylogger and drop locations – modified keylogger filenames and drop paths matching the PlugX configuration (examples noted in the analysis; timestamps show logs from 2022 to 2024).
- [Malware name / detection] Antivirus detections – Win.Loader.RainyDay-10045411-0 (ClamAV) and various samples indexed on VirusTotal and other repositories (and 2 more hashes referenced in Talos GitHub).