Mustang Panda's New Weapon: Advanced PlugX Variant DOPLUGS

admin, 2024-02-22 12:25:06

The threat actor known as Mustang Panda has targeted various Asian countries using a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.

"The piece of customized PlugX malware is dissimilar to the general type of the PlugX malware that contains a completed backdoor command module, and that the former is only used for downloading the latter," Trend Micro researchers Sunny Lu and Pierre Lee said in a new technical write-up.

Targets of DOPLUGS have been primarily located in Taiwan and Vietnam, and to a lesser extent in Hong Kong, India, Japan, Malaysia and Mongolia.

PlugX is a staple tool of Mustang Panda, which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416, and TEMP.Hex. It's known to be active since at least 2012, although it first came to light in 2017.

The threat actor's tradecraft entails carrying out well-forged spear-phishing campaigns that are designed to deploy custom malware. It also has a track record of deploying its own customized PlugX variants such as RedDelta, Thor, Hodur, and DOPLUGS (distributed via a campaign named SmugX) since 2018.

Compromise chains leverage a set of distinct tactics, using phishing messages as a conduit to deliver a first-stage payload that, while displaying a decoy document to the recipient, covertly unpacks a legitimate, signed executable that's vulnerable to DLL side-loading in order to side-load a dynamic-link library (DLL), which, in turn, decrypts and executes PlugX.
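
The side-loading step in that chain leaves a recognisable trace in endpoint telemetry: a process running from a user-writable directory loads a DLL from that same directory whose signature is missing or untrusted. The following heuristic, written for this page and not taken from the Trend Micro or Lab52 reports, runs over a few constructed Sysmon Event ID 7 (ImageLoad) records; the paths and field values are made up for illustration.

```python
"""Flag ImageLoad events that match the DLL side-loading pattern described above."""
import ntpath
from typing import Dict, Iterable, List

# Loads from these roots are normal OS/application activity and are ignored.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample records using Sysmon Event ID 7 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\update\Legit.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\update\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\victim\Desktop\app\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\victim\Desktop\app\tool.exe",
     "ImageLoaded": r"C:\Users\victim\Desktop\app\libcurl.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def in_user_writable_dir(directory: str) -> bool:
    """True when the directory is outside the usual protected program roots."""
    return not directory.lower().startswith(TRUSTED_ROOTS)


def side_load_candidates(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return events where a process loads an unsigned/untrusted DLL from its own
    directory and that directory is user-writable. ntpath is used so the Windows
    paths split correctly even when this runs on a non-Windows analysis host."""
    hits = []
    for ev in events:
        proc_dir = ntpath.dirname(ev["Image"]).lower()
        dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
        dll_trusted = ev["Signed"] == "true" and ev["SignatureStatus"] == "Valid"
        same_dir = proc_dir == dll_dir and proc_dir != ""
        if same_dir and in_user_writable_dir(proc_dir) and not dll_trusted:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in side_load_candidates(SAMPLE_EVENTS):
        print(f"possible side-load: {hit['Image']} -> {hit['ImageLoaded']}")
```

Only the first record is flagged; a DLL in the same directory that carries a valid signature (the fourth record) is not, which keeps legitimately bundled libraries out of the alert queue.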

The PlugX malware subsequently retrieves Poison Ivy remote access trojan (RAT) or Cobalt Strike Beacon to establish a connection with a Mustang Panda-controlled server.

In December 2023, Lab52 uncovered a Mustang Panda campaign targeting Taiwanese political, diplomatic, and governmental entities with DOPLUGS, but with a notable difference.

"The malicious DLL is written in the Nim programming language," Lab52 said. "This new variant uses its own implementation of the RC4 algorithm to decrypt PlugX, unlike previous versions that use the Windows Cryptsp.dll library."

DOPLUGS, first documented by Secureworks in September 2022, is a downloader with four backdoor commands, one of which is orchestrated to download the general type of the PlugX malware.

Trend Micro said it also identified DOPLUGS samples integrated with a module known as KillSomeOne, a plugin that's responsible for malware distribution, information collection, and document theft via USB drives.

This variant comes fitted with an extra launcher component that executes the legitimate executable to perform DLL side-loading, in addition to supporting functionality to run commands and download the next-stage malware from an actor-controlled server.

It's worth noting that a customized PlugX variant, including the KillSomeOne module designed for spreading via USB, was uncovered as early as January 2020 by Avira as part of attacks directed against Hong Kong and Vietnam.

"This shows that Earth Preta has been refining its tools for some time now, constantly adding new functionalities and features," the researchers said. "The group remains highly active, particularly in Europe and Asia."

Originally published on the WeChat official account 知机安全: Mustang Panda's New Weapon: Advanced PlugX Variant DOPLUGS

Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2515048.html