Select Page

A Chinese cyberespionage group known for targeting Southeast Asia leveraged flaws in the Microsoft Exchange Server that came to light earlier this March to deploy a previously undocumented variant of a remote access trojan (RAT) on compromised systems.

Attributing the intrusions to a threat actor named PKPLUG (aka Mustang Panda and HoneyMyte), Palo Alto Networks’ Unit 42 threat intelligence team said it identified a new version of the modular PlugX malware, called Thor, that was delivered as a post-exploitation tool to one of the breached servers.

Dating back to as early as 2008, PlugX is a fully-featured second-stage implant with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote command shell.

“The variant observed […] is unique in that it contains a change to its core source code: the replacement of its trademark word ‘PLUG’ to ‘THOR,'” Unit 42 researchers Mike Harbison and Alex Hinchliffe noted in a technical write-up published Tuesday.

“The earliest THOR sample uncovered was from August 2019, and it is the earliest known instance of the rebranded code. New features were observed in this variant, including enhanced payload-delivery mechanisms and abuse of trusted binaries.”

images from Hacker News