PKPLUG group ran cyberespionage campaigns targeting Microsoft Exchange Server

Jul 30, 2021 14:30 GMT

PKPLUG, a Chinese group responsible for cyberespionage campaigns mostly in Southeast Asia, exploited Microsoft Exchange Server vulnerabilities to deploy a previously undisclosed variant of a remote access trojan (RAT), says The Hacker News.

The first activity of the new malware strain was detected in March 2021. Palo Alto Networks' Unit 42 team stated that a new version of the PlugX malware, known as Thor, was delivered as a post-exploitation tool on one of the compromised systems.

PlugX is a second-stage implant used by the Chinese cyberespionage group PKPLUG, also known as Mustang Panda. The new version stands out because it carries a patch to its core code that replaces the trademark string PLUG with the string THOR.

According to the researchers, this is the first time such a rebranding has been observed. The oldest THOR sample was discovered in August 2019 and is the earliest known occurrence of the rebranded code. The strain exhibits a number of new features, including improved payload delivery techniques and the abuse of trusted binaries.

The Chinese cyberespionage organization introduced new inventive features to their malware

Because of its flexibility, this plug-in-style malware has been used in a number of high-profile attacks over the years, including the major 2015 breach of the U.S. State Department Office for Personnel Management (OPM).

Security researchers concluded that the PlugX malware family remains a threat today, despite having been in operation for 13 years. Its developers were able to build unique innovations into this new strain, resulting in a more effective cyberespionage tool than the previous variants.

To help defenders, Unit 42 released a Python script that can decrypt PlugX payloads, even when the corresponding loaders are not available.