Mustang Panda’s PlugX new variant targeting Taiwanese government and diplomats

Lab52 analyzes a new PlugX variant used in a campaign against Taiwanese government entities and diplomats, with ties to the SmugX operation and to the threat actors RedDelta and Mustang Panda. The lure is an MSI installer that drops a legitimate OneNotem.exe, a Nim-written DLL that the executable side-loads, and a DAT file holding the encrypted PlugX payload. The DLL decrypts the payload with a custom RC4 routine, registers a Run-key entry for persistence and, after a www.google.com connectivity check, contacts its C2 domains; the chain is built to stay under the radar of standard detection. #PlugX #SmugX #RedDelta #MustangPanda #Taiwan #TerryGou #LaiPeixia

Keypoints

  • Analysis identifies a new PlugX variant embedded in an MSI package alongside OneNotem.exe, msi.dll, and NoteLogger.dat.
  • The malicious DLL (msi.dll) is written in Nim and is loaded by DLL side-loading from the legitimate OneNotem.exe that the MSI drops beside it.
  • The malware uses a custom RC4 decryption to load a PlugX payload from NoteLogger.dat, instead of relying on standard Windows libraries.
  • Persistence is achieved by adding a Run key to execute OneNotem.exe with a numeric parameter on startup.
  • The OneNotem.exe process first checks connectivity (www.google.com) and then contacts C2 domains ivibers[.]com and meetvibersapi[.]com.
  • The campaign appears tailored to diplomats and government figures in Taiwan, leveraging a decoy PDF about the Taiwanese presidential election.

MITRE Techniques

  • [T1574.001] DLL Search Order Hijacking – The legitimate OneNotem.exe dropped by the MSI loads the malicious msi.dll placed beside it (DLL side-loading, which ATT&CK also catalogues as T1574.002); that DLL then decrypts NoteLogger.dat and loads the resulting PlugX payload into memory. “…the legitimate executable loads via DLL side-loading the malicious DLL and the malicious DLL decrypts and loads the DAT file into memory, which is the PlugX malware.”
  • [T1140] Deobfuscate/Decode Files or Information – The malware decrypts its configuration with RC4; the encrypted configuration sits in the “.data” section, as in other samples from the SmugX campaign. “…decrypt the configuration using the RC4 algorithm, which is located in the “.data” section, similar to other samples from the SmugX campaign.”
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence is a value named “OneNote Update” under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that launches the legitimate OneNotem.exe binary followed by a numeric parameter. “…the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneNote Update’ is added, which executes the legitimate OneNotem.exe binary followed by a numeric parameter.”
  • [T1071.001] Web Protocols – After the www.google.com connectivity check, the malware contacts the C2 domains ivibers[.]com and meetvibersapi[.]com, giving the operators command and control over web protocols. “…contacts the C2 domains ivibers[.]com and meetvibersapi[.]com.”

Indicators of Compromise

  • [Domain] – www.google.com (benign connectivity check performed by the malware before C2; useful as corroborating context in DNS logs, not as an indicator to block or alert on by itself)
  • [Domain] – ivibers[.]com – C2 domain
  • [Domain] – meetvibersapi[.]com – C2 domain
  • [File] – 45dd12.msi (installer) and the artifacts it drops: OneNotem.exe (legitimate side-loading host), msi.dll (malicious Nim loader), NoteLogger.dat (RC4-encrypted PlugX payload)
  • [File] – 郭台銘選擇賴佩霞為總統副手深層考量.pdf – decoy lure document (title in English: “The deeper considerations behind Terry Gou choosing Lai Peixia as his presidential running mate”)
  • [Hash] – SHA-256 c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1, 651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859 – sample digests associated with MSI components and payloads, and 3 more hashes
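The following is an added example, not Lab52's code or anything from the report, that turns the persistence, side-loading and C2 indicators above into hunt logic and runs it over constructed sample data. The flattened registry-event line format (Sysmon Event ID 13 style), the DNS log format, the host names, the drop directory and the numeric argument value 1234 are all assumptions for illustration; only the domains, file names and the Run value name come from the report. The www.google.com lookup is deliberately used only as corroboration for a C2 hit, never as an alert on its own.

```python
"""Hunt for the PlugX persistence, side-loading and C2 indicators above.

Added example. Inputs are constructed: registry lines mimic a flattened Sysmon
Event ID 13 (registry value set) export, DNS lines are "timestamp client qname",
file paths are a plain directory listing. Real feeds need their own parsing.
"""
import re
from collections import defaultdict

# Indicators taken from the report
C2_DOMAINS = {"ivibers.com", "meetvibersapi.com"}
CONNECTIVITY_CHECK = "www.google.com"   # benign: context only, never an alert by itself
SIDELOAD_TRIAD = {"onenotem.exe", "msi.dll", "notelogger.dat"}

# Run value data of the form  "<path>\OneNotem.exe" <digits>
RUN_DATA_RE = re.compile(r'^"?(?P<path>.*?onenotem\.exe)"?\s+(?P<arg>\d+)\s*$', re.IGNORECASE)


def check_run_value(target_object: str, details: str):
    """Finding if a Run value (HKLM or HKCU) launches OneNotem.exe with a numeric argument."""
    key, _, value_name = target_object.rpartition("\\")
    if not key.lower().endswith("\\microsoft\\windows\\currentversion\\run"):
        return None
    m = RUN_DATA_RE.match(details.strip())
    if not m:
        return None
    return {"technique": "T1547.001", "value_name": value_name,
            "image": m.group("path"), "argument": m.group("arg")}


def parse_registry_line(line: str) -> dict:
    """'Key=Value|Key=Value' flattened event line -> dict (assumed export format)."""
    fields = {}
    for part in line.rstrip("\n").split("|"):
        k, _, v = part.partition("=")
        fields[k.strip()] = v.strip()
    return fields


def scan_registry_events(lines):
    findings = []
    for line in lines:
        ev = parse_registry_line(line)
        if ev.get("EventID") != "13":          # only value-set events carry the data
            continue
        hit = check_run_value(ev.get("TargetObject", ""), ev.get("Details", ""))
        if hit:
            hit["host"] = ev.get("Computer", "?")
            findings.append(hit)
    return findings


def scan_dns(lines):
    """Flag C2 lookups (T1071.001) and note whether the client did the google check first."""
    findings, checked = [], set()
    for line in lines:
        ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qname == CONNECTIVITY_CHECK:
            checked.add(client)
            continue
        if qname in C2_DOMAINS or any(qname.endswith("." + d) for d in C2_DOMAINS):
            findings.append({"technique": "T1071.001", "time": ts, "client": client,
                             "qname": qname, "preceded_by_connectivity_check": client in checked})
    return findings


def find_sideload_dirs(paths):
    """Directories holding all three dropped files, i.e. the side-loading triad (T1574)."""
    names_by_dir, original = defaultdict(set), {}
    for p in paths:
        d, _, name = p.replace("/", "\\").rpartition("\\")
        names_by_dir[d.lower()].add(name.lower())
        original.setdefault(d.lower(), d)
    return [original[d] for d in sorted(names_by_dir) if SIDELOAD_TRIAD <= names_by_dir[d]]


def hunt(reg_lines, dns_lines, file_paths):
    return {"persistence": scan_registry_events(reg_lines),
            "c2": scan_dns(dns_lines),
            "sideload_dirs": find_sideload_dirs(file_paths)}


# Constructed sample data: WS-TPE-07 / 10.1.20.7 is infected and does the google check
# first; 10.1.20.11 reaches the second C2 without it; 10.1.20.9 only looks up google.
SAMPLE_REGISTRY = [
    r'Computer=WS-TPE-07|EventID=13|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneNote Update|Details="C:\Users\Public\OneNote\OneNotem.exe" 1234',
    r'Computer=WS-TPE-07|EventID=13|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth|Details=C:\Windows\system32\SecurityHealthSystray.exe',
    r'Computer=WS-TPE-07|EventID=12|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneNote Update|Details=',
]
SAMPLE_DNS = [
    "2024-01-10T09:00:01Z 10.1.20.7 www.google.com",
    "2024-01-10T09:00:02Z 10.1.20.7 ivibers.com",
    "2024-01-10T09:00:05Z 10.1.20.9 www.google.com",
    "2024-01-10T09:15:00Z 10.1.20.11 meetvibersapi.com",
]
SAMPLE_FILES = [
    r"C:\Users\Public\OneNote\OneNotem.exe",
    r"C:\Users\Public\OneNote\msi.dll",
    r"C:\Users\Public\OneNote\NoteLogger.dat",
    r"C:\Windows\System32\msi.dll",          # the genuine system DLL, no triad here
]

if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_REGISTRY, SAMPLE_DNS, SAMPLE_FILES), indent=2))
```

The three checks are independent on purpose: a Run value pointing at OneNotem.exe with a numeric argument is a strong host signal even before the DLL is recovered, the file triad catches the drop directory when registry telemetry is missing, and the DNS check only escalates the google.com lookup to context once a C2 domain is seen from the same client.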

Read more: https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/