ASEC reports the PlugX backdoor being installed on systems running the Sunlogin and AweSun remote control software by exploiting those products' remote code execution vulnerabilities. The infection uses a multi-stage dropper and DLL side-loading to decrypt and load PlugX in memory. The campaign is linked to China-based threat actors, and the sample demonstrates capabilities such as UAC bypass, plugin modules, and multiple C2 addresses; several IoCs and download URLs are identified. #PlugX #Sunlogin #AweSun #SliverC2 #XMRig #Gh0stRAT #ParadiseRansomware #MustangPanda #Winnti #APT3 #APT41
Keypoints
- PlugX is a long-standing backdoor used by China-based APT groups (Mustang Panda, Winnti, APT3, APT41) with ongoing variants.
- PlugX employs DLL side-loading to load its loader from the same directory as a legitimate program, helping it avoid detection.
- The malware is delivered as a dropper that writes three files, esetservice.exe, http_dll.dll, and lang.dat; esetservice.exe side-loads the loader DLL http_dll.dll, which decrypts the payload stored in lang.dat and loads PlugX in memory.
- Attackers exploited Sunlogin and AweSun RCE vulnerabilities to install PlugX; a PowerShell command run after exploitation downloads and executes the dropper (esetservice.exe).
- Multi-stage execution includes a UAC bypass, re-executing itself through WMI Win32_Process with a mode argument, process injection (RunOnce.exe), and plugin activation; execution modes identified include 100, 200, 201, and 209, among others.
- Download infrastructure is api.imango[.]ink:8089 (serving http_dll.dll and esetservice.exe); C2 uses four addresses on cdn.imango[.]ink and api.imango[.]ink (ports 443 and 53). Plugins add keylogging, clipboard theft, RDP propagation, and more.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used Sunlogin and AweSun remote code execution vulnerabilities to install PlugX. ‘Sunlogin’s remote code execution vulnerability … is still being used for attacks even now ever since its exploit code was disclosed.’
- [T1574.002] DLL Side-loading – Loader DLL is loaded by esetservice.exe from the same directory to start the malicious routine. ‘classic DLL side-loading method, and PlugX is most known for using this method.’
- [T1047] Windows Management Instrumentation – WMI Win32_Process is used to create a new process and continue execution. ‘the create method of WMI’s Win32_Process class to give the argument “100” and execute itself again’
- [T1548.002] Bypass User Account Control – UAC bypass via the ICMLuaUtil COM interface to run with admin privileges. ‘abusing the ICMLuaUtil interface to bypass UAC and run the process with admin privileges.’
- [T1055] Process Injection – The loader injects into RunOnce.exe and then into further processes to carry the infection forward; the report describes this as the ‘injection process’ followed by subsequent injections.
- [T1071.001] Web Protocols – C2 communication with four addresses (cdn.imango[.]ink and api.imango[.]ink on ports 443 and 53); the ‘C&C addresses’ are part of the configuration decrypted from lang.dat.
- [T1115] Clipboard Data – The ClipLog plugin steals clipboard contents. ‘Clipboard information’ in the plugin table
- [T1021.001] Remote Desktop Protocol – RDP propagation via a shared RDP folder (RDP plugin). ‘RDP propagation’ in Table 3
- [T1070.004] File Deletion – Auto-delete mode used to remove traces. ‘Auto-delete’ in executable modes table
Indicators of Compromise
- [MD5] File hashes – 709303e2cf9511139fbb950538bac769, d1a06b95c1d7ceaa4dc4c8b85367d673, d973223b0329118de57055177d78817b
- [URL] Download URLs – hxxp://api.imango[.]ink:8089/http_dll.dll, hxxp://api.imango[.]ink:8089/esetservice.exe
- [URL] C2 URLs – cdn.imango[.]ink:443, api.imango[.]ink:443, api.imango[.]ink:53, cdn.imango[.]ink:53
- [File name] Files central to infection – esetservice.exe, http_dll.dll, lang.dat
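The execution chain in the keypoints (three files dropped together, esetservice.exe side-loading http_dll.dll from its own directory, the process re-launching itself through WMI with a mode argument, and connections to the imango[.]ink hosts) maps directly onto Sysmon telemetry. The triage helper below is an added example written for this summary, not code from the ASEC report; it assumes Sysmon field names (EventID 1 process create, 3 network connection, 7 image load, 11 file create). The sample events are constructed, and the staging path C:\ProgramData\ESET is invented for the sample rather than an IoC from the report; the WmiPrvSE.exe parent check relies on the fact that Win32_Process.Create spawns its child under the WMI provider host, which the report does not state.

```python
"""Match the PlugX/Sunlogin indicators from the ASEC summary against
Sysmon-style event records (added example, not from the report)."""
import ntpath

# Indicators taken from the summary above.
IOC_DOMAINS = {"api.imango.ink", "cdn.imango.ink"}
IOC_FILES = {"esetservice.exe", "http_dll.dll", "lang.dat"}
PLUGX_MODES = {"100", "200", "201", "209"}  # execution-mode arguments


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def triage(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7:
            # DLL side-loading: the loader DLL is loaded from the directory
            # of the host executable instead of a system directory.
            if (_base(ev["ImageLoaded"]) == "http_dll.dll"
                    and _dir(ev["ImageLoaded"]) == _dir(ev["Image"])):
                findings.append(("plugx_sideload", ev))
        elif eid == 1:
            # Re-execution with a mode argument ("... 100", "... 200", ...).
            args = ev.get("CommandLine", "").split()
            if _base(ev["Image"]) in IOC_FILES and args and args[-1] in PLUGX_MODES:
                rule = "plugx_mode_reexec"
                # Assumption: a child created via Win32_Process.Create has
                # WmiPrvSE.exe as its parent, so that is the stronger signal.
                if _base(ev.get("ParentImage", "")) == "wmiprvse.exe":
                    rule = "plugx_mode_reexec_wmi"
                findings.append((rule, ev))
        elif eid == 3:
            if ev.get("DestinationHostname", "").lower() in IOC_DOMAINS:
                findings.append(("plugx_c2_or_download", ev))
        elif eid == 11:
            if _base(ev["TargetFilename"]) in IOC_FILES:
                findings.append(("plugx_file_drop", ev))
    return findings


def staged_dirs(events):
    """Directories in which all three dropper files were written together."""
    seen = {}
    for ev in events:
        if ev.get("EventID") == 11:
            name = _base(ev["TargetFilename"])
            if name in IOC_FILES:
                seen.setdefault(_dir(ev["TargetFilename"]), set()).add(name)
    return {d for d, names in seen.items() if names == IOC_FILES}


# Constructed sample telemetry; the C:\ProgramData\ESET path is invented.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_DROP = r"C:\ProgramData\ESET"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": _PS, "TargetFilename": _DROP + r"\esetservice.exe"},
    {"EventID": 11, "Image": _PS, "TargetFilename": _DROP + r"\http_dll.dll"},
    {"EventID": 11, "Image": _PS, "TargetFilename": _DROP + r"\lang.dat"},
    {"EventID": 7, "Image": _DROP + r"\esetservice.exe",
     "ImageLoaded": _DROP + r"\http_dll.dll"},
    {"EventID": 1, "Image": _DROP + r"\esetservice.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": '"' + _DROP + r'\esetservice.exe" 100'},
    {"EventID": 3, "Image": _DROP + r"\esetservice.exe",
     "DestinationHostname": "cdn.imango.ink", "DestinationPort": 443},
    # Benign noise that must not match.
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c echo 100"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("Image"))
    print("staged in:", staged_dirs(SAMPLE_EVENTS))
```

The side-load rule is deliberately tied to the http_dll.dll name; a generic "DLL loaded from the executable's own non-system directory" rule catches more PlugX variants but needs an allow-list of legitimate side-by-side loaders before it is quiet enough for production.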
Read more: https://asec.ahnlab.com/en/49097/