The China-linked criminal actor known as Mustang Panda has targeted various Asian countries using a variant of the PlugX (also known as Korplug) backdoor called DOPLUGS.
“Custom PlugX malware is different from the general type of PlugX malware that contains a complete backdoor command module and the former is only used to download the latter,” Trend Micro researchers Sunny Lu and Pierre Lee said in a new editorial technique.
DOPLUGS targets have been located primarily in Taiwan and Vietnam and, to a lesser extent, in Hong Kong, India, Japan, Malaysia, Mongolia and even China.
PlugX is a core tool of Mustang Panda, which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416, and TEMP.Hex. It has been known to be active since at least 2012, although it first came to light in 2017.
The threat actor’s business prowess involves crafting well-crafted spear-phishing campaigns designed to deliver customized malware. He also has a proven track record of deploying his own custom PlugX variants such as RedDelta, Thor, Hodur, and DOPLUGS (delivered via a campaign called SmugX) since 2018.
Compromise chains leverage a number of distinct tactics, using phishing messages as a conduit to deliver a first-stage payload that, while displaying a decoy document to the recipient, secretly decompresses a legitimate, signed executable that is vulnerable to DLL sideloading in order to to sideload a dynamic link library (DLL), which, in turn, decrypts and executes PlugX.
The PlugX malware then retrieves the Poison Ivy remote access trojan (RAT) or Cobalt Strike Beacon to establish a connection with a server controlled by Mustang Panda.
In December 2023, Lab52 discovered a Mustang Panda campaign targeting Taiwanese political, diplomatic, and government entities with DOPLUGS, but with one notable difference.
“The malicious DLL is written in the Nim programming language,” Lab52 said. “This new variant uses its own implementation of the RC4 algorithm to decrypt PlugX, unlike previous versions which use the Windows library Cryptsp.dll.”
DOPLUGS, first documented by Secureworks in September 2022, is a downloader with four backdoor commands, one of which is orchestrated to download the general type of PlugX malware.
Trend Micro said it also identified DOPLUGS samples embedded with a module known as KillSomeOne, a plugin responsible for distributing malware, gathering information, and stealing documents via USB drives.
This variant comes with an additional startup component that runs the legitimate executable to sideload DLLs, as well as supports functionality to execute commands and download next-stage malware from an actor-controlled server.
It is worth noting that back in January 2020, Avira discovered a custom PlugX variant, including the KillSomeOne module designed for delivery via USB, as part of attacks targeting Hong Kong and Vietnam.
“This shows that Earth Preta has been refining its tools for some time now, constantly adding new functionality and features,” the researchers said. “The group remains very active, especially in Europe and Asia.”