
Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun have been exploited by attackers to deploy PlugX malware.
The AhnLab Security Emergency Response Center (ASEC) says new analysis shows the flaws continue to be exploited to deliver various payloads to compromised systems.
This includes the Sliver post-exploitation framework, the XMRig cryptocurrency miner, Gh0st RAT, and Paradise ransomware. PlugX is the latest addition to this list.
This modular malware is widely used by China-based actors and continuously gains new features that help it perform system control and information theft.
In attacks observed by ASEC, once the vulnerabilities are successfully exploited, PowerShell commands are executed to retrieve an executable and DLL files from a remote server.

This executable, a legitimate HTTP server service from cybersecurity firm ESET, is used to load DLL files and ultimately execute PlugX payloads in memory via a technique called DLL sideloading.
“PlugX operators use a wide variety of trusted binaries that are vulnerable to DLL sideloading, including a number of antivirus executables,” noted Security Joes in their September 2022 report. “This has proven effective in infecting victims.”
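A defender-side check for the sideloading pattern described above, as an added example that is not from the article or from ASEC: it scans constructed image-load records (a simplified, made-up key=value format, not real Sysmon output) and flags a signed executable that loads an unsigned DLL from its own directory outside the standard program locations. Paths and file names are placeholders, not indicators from the report.

```python
# Added example: detect the "trusted signed binary loads an unsigned DLL beside
# itself" pattern used in DLL sideloading. Record format is constructed for this
# example (loosely modelled on Sysmon image-load events, field names invented).
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories that normally require admin rights to write to; a DLL sitting
# next to a binary there is less suspicious than one in a user-writable path.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ImageLoad:
    image: str           # path of the process executable
    image_signed: bool   # executable carries a valid signature
    loaded: str          # path of the module it loaded
    loaded_signed: bool  # loaded module carries a valid signature


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_signed=fields["ImageSigned"].lower() == "true",
        loaded=fields["ImageLoaded"],
        loaded_signed=fields["LoadedSigned"].lower() == "true",
    )


def is_sideload_candidate(ev: ImageLoad) -> bool:
    exe = PureWindowsPath(ev.image.lower())
    dll = PureWindowsPath(ev.loaded.lower())
    if dll.suffix != ".dll":
        return False
    same_dir = exe.parent == dll.parent
    # Append a separator so "c:\windows" itself matches "c:\windows\".
    in_trusted = (str(exe.parent) + "\\").startswith(TRUSTED_DIRS)
    return ev.image_signed and not ev.loaded_signed and same_dir and not in_trusted


def find_sideloads(lines):
    """Return the records that match the sideloading pattern."""
    return [ev for ev in map(parse_event, lines) if is_sideload_candidate(ev)]


# Constructed sample records (placeholder paths, not real indicators).
SAMPLE_LINES = [
    r"Image=C:\Users\Public\svc\httpsvc.exe|ImageLoaded=C:\Users\Public\svc\helper.dll|ImageSigned=true|LoadedSigned=false",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|ImageSigned=true|LoadedSigned=true",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\plugin.dll|ImageSigned=true|LoadedSigned=false",
    r"Image=C:\Users\Public\svc\httpsvc.exe|ImageLoaded=C:\Windows\System32\ws2_32.dll|ImageSigned=true|LoadedSigned=true",
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LINES):
        print(f"possible sideload: {hit.image} -> {hit.loaded}")
```

Only the first record is flagged: a signed binary in a user-writable directory loading an unsigned DLL from that same directory, which is the shape of the chain the article describes.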
It is also worth noting that the backdoor is capable of starting arbitrary services, downloading and executing files from external sources, and dropping plugins that can collect and propagate data using Remote Desktop Protocol (RDP).
Describing the newly added PlugX features, ASEC said: “Once the PlugX backdoor is installed, the attacker gains control over the infected system without the user’s knowledge.”