{"id":2463,"date":"2023-12-11T13:32:02","date_gmt":"2023-12-11T12:32:02","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=2463"},"modified":"2024-10-16T13:37:04","modified_gmt":"2024-10-16T11:37:04","slug":"mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats\/","title":{"rendered":"Mustang Panda&#8217;s PlugX new variant targeting Taiwanese government and diplomats"},"content":{"rendered":"\n<p>The Lab52 team has analysed a cyber campaign in which attackers deploy a <strong>new variant<\/strong> of the <strong>PlugX<\/strong> malware. Both the infection chain and the various artefacts used in the cyberattack share <strong>multiple similarities<\/strong> with the <strong><a href=\"https:\/\/research.checkpoint.com\/2023\/chinese-threat-actors-targeting-europe-in-smugx-campaign\/\">SmugX<\/a><\/strong> campaign, attributed to threat actors <strong>Red Delta<\/strong> and <strong>Mustang Panda<\/strong>, allegedly linked to the Chinese government.<\/p>\n\n\n\n<p>This time, the actors deploy an MSI file on victim machines containing a legitimate executable (<strong>OneNotem.exe<\/strong>), a malicious DLL (<strong>msi.dll<\/strong>) and a DAT file (<strong>NoteLogger.dat<\/strong>). The legitimate executable loads the malicious DLL via DLL side-loading, and the malicious DLL decrypts the DAT file, which is the PlugX malware, and loads it into memory. However, this new campaign differs from previous campaigns in several respects. 
The <strong>main differences<\/strong> are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The malicious <strong>DLL<\/strong> is <strong>written in the Nim<\/strong> programming language.<\/li><li>This new variant uses its <strong>own implementation of the RC4 algorithm<\/strong> to decrypt PlugX, unlike previous versions that use the Windows Cryptsp.dll library.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"567\" height=\"302\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Image20231211133055.jpg\" alt=\"\" class=\"wp-image-2464\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Image20231211133055.jpg 567w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Image20231211133055-300x160.jpg 300w\" sizes=\"(max-width: 567px) 100vw, 567px\" \/><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>Killchain<\/strong><\/h1>\n\n\n\n<p>The installer file <strong>45dd12.msi<\/strong> contains the files <strong>msi.dll<\/strong>, <strong>NoteLogger.dat<\/strong> and <strong>OneNotem.exe<\/strong> and, on user execution, it copies them to the directory &#8220;<strong>C:\\UsersersuserAppData<\/strong>&#8220;.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"417\" height=\"190\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen2.jpg\" alt=\"\" class=\"wp-image-2468\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen2.jpg 417w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen2-300x137.jpg 300w\" sizes=\"(max-width: 417px) 100vw, 417px\" \/><\/figure><\/div>\n\n\n\n<p>Right after, the MSI file copies OneNotem.exe to one of the following folders:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\"><li><strong>C:\\Users\\&lt;username&gt;\\VirtualFile<\/strong><\/li><li><strong>C:\\Users\\Public\\VirtualFile<\/strong><\/li><li><strong>C:\\Users\\&lt;username&gt;\\SamsungDriver<\/strong><\/li><li><strong>C:\\Users\\Public\\SamsungDriver<\/strong><\/li><li><strong>C:\\Users\\Public\\SecurityScan<\/strong><\/li><\/ul>\n\n\n\n<p>In order to obtain persistence on the infected machine, the registry key &#8220;<strong>HKEY_LOCAL_MACHINE\/ SOFTWARE\/ SOFTWARE\/ Microsoft\/ Windows\/ CurrentVersion\/ RunOneNote Update<\/strong>&#8221; is added, which executes the legitimate <strong>OneNotem.exe<\/strong> binary followed by a numeric parameter.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"566\" height=\"146\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen3.jpg\" alt=\"\" class=\"wp-image-2469\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen3.jpg 566w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen3-300x77.jpg 300w\" sizes=\"(max-width: 566px) 100vw, 566px\" \/><\/figure><\/div>\n\n\n\n<p>The malware then creates the <strong>OneNotem.exe<\/strong> process, which first contacts <em>www.google.com<\/em> to check whether the computer has an internet connection and then contacts the <strong>C2 domains<\/strong> <em>ivibers[.]com<\/em> and <em>meetvibersapi[.]com<\/em>. 
The <strong>OneNotem.exe<\/strong> process also creates a mutex to prevent the execution of a second instance.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"281\" height=\"180\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen4-1.jpg\" alt=\"\" class=\"wp-image-2478\"\/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"282\" height=\"180\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen5-1.jpg\" alt=\"\" class=\"wp-image-2479\"\/><\/figure><\/div>\n\n\n\n<p>Moving forward, Lab52\u2019s team has analysed each of the various artefacts contained in the MSI file to discern their specific roles or purposes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>MSI.DLL<\/strong><\/h2>\n\n\n\n<p>This DLL contains two malicious functions, the <strong>NimMain<\/strong> function and the <strong>MsiProvideQualifiedComponentW<\/strong> function.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<div class=\"wp-block-atomic-blocks-ab-container ab-block-container\"><div class=\"ab-container-inside\"><div class=\"ab-container-content\"><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"526\" height=\"141\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen6.jpg\" alt=\"\" class=\"wp-image-2472\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen6.jpg 526w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen6-300x80.jpg 300w\" sizes=\"(max-width: 526px) 100vw, 526px\" \/><\/figure><\/div>\n\n\n\n<p>The <strong>DllMain<\/strong> function has been modified to add the call to <strong>NimMain<\/strong> which will be executed when the library is loaded by the <strong>OneNotem.exe<\/strong> process.<\/p>\n\n\n\n<div 
class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"567\" height=\"79\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen7.jpg\" alt=\"\" class=\"wp-image-2474\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen7.jpg 567w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen7-300x42.jpg 300w\" sizes=\"(max-width: 567px) 100vw, 567px\" \/><\/figure><\/div>\n\n\n\n<p>This will load the functions necessary for the execution of the malware. This technique is used to reduce the number of exported functions to make the analysis and possible detection of the malicious library more difficult.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"520\" height=\"256\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen8.jpg\" alt=\"\" class=\"wp-image-2475\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen8.jpg 520w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen8-300x148.jpg 300w\" sizes=\"(max-width: 520px) 100vw, 520px\" \/><\/figure><\/div>\n\n\n\n<p>When the legitimate executable calls the <strong>MsiProvideQualifiedComponentW<\/strong> function it will load the <strong>NoteLogger.dat<\/strong> file with the <strong>CreateFileW<\/strong> function.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"432\" height=\"121\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen9.jpg\" alt=\"\" class=\"wp-image-2476\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen9.jpg 432w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen9-300x84.jpg 300w\" sizes=\"(max-width: 432px) 100vw, 432px\" \/><\/figure><\/div>\n\n\n\n<p>The malware will then copy the contents to a memory section and use the 
<strong>RC4<\/strong> algorithm and the key <strong>EtFOWV4hDJf6DA6W<\/strong> to decrypt a DLL contained in the <strong>NoteLogger.dat<\/strong> file, which is a <strong>PlugX malware variant<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"507\" height=\"135\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen10.jpg\" alt=\"\" class=\"wp-image-2477\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen10.jpg 507w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen10-300x80.jpg 300w\" sizes=\"(max-width: 507px) 100vw, 507px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"567\" height=\"427\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen11.jpg\" alt=\"\" class=\"wp-image-2480\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen11.jpg 567w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen11-300x226.jpg 300w\" sizes=\"(max-width: 567px) 100vw, 567px\" \/><\/figure><\/div>\n\n\n\n<p>Finally, the DLL will be executed at location 0x00 in the memory page where it resides using the <strong>EnumSystemGeoID<\/strong> callback.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"460\" height=\"113\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen12.jpg\" alt=\"\" class=\"wp-image-2481\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen12.jpg 460w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen12-300x74.jpg 300w\" sizes=\"(max-width: 460px) 100vw, 460px\" \/><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>NoteLogger.dat<\/strong><\/h1>\n\n\n\n<p>This file contains an encrypted malicious DLL, a PlugX variant, 
with a small <strong>shellcode<\/strong> at <strong>position 0x00<\/strong> that calls the only function the DLL exports. The <strong>execution of this shellcode is indispensable<\/strong> for a correct execution of the malicious DLL.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"567\" height=\"352\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen13.jpg\" alt=\"\" class=\"wp-image-2482\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen13.jpg 567w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen13-300x186.jpg 300w\" sizes=\"(max-width: 567px) 100vw, 567px\" \/><\/figure><\/div>\n\n\n\n<p>The malware will decrypt the configuration, which is located in the \u201c<strong>.data<\/strong>\u201d section, similar to other samples from the SmugX campaign.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"567\" height=\"312\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen14.jpg\" alt=\"\" class=\"wp-image-2483\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen14.jpg 567w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen14-300x165.jpg 300w\" sizes=\"(max-width: 567px) 100vw, 567px\" \/><\/figure><\/div>\n\n\n\n<p>The following is the deciphered configuration.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"520\" height=\"158\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen15.jpg\" alt=\"\" class=\"wp-image-2484\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen15.jpg 520w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/Imagen15-300x91.jpg 300w\" sizes=\"(max-width: 520px) 100vw, 520px\" \/><\/figure><\/div>\n\n\n\n<pre 
class=\"wp-block-code\"><code>{\n    \"str_one\": \"\",\n    \"str_two\": \" 2txQe5PD\",\n    \"campaign_id\": \"tw\",\n    \"document_name\": \"\u90ed\u53f0\u9298\u9078\u64c7\u8cf4\u4f69\u971e\u70ba\u7e3d\u7d71\u526f\u624b\u6df1\u5c64\u8003\u91cf.pdf\",\n    \"ips\": &#91;\n        {\n            \"ip\": \" ivibers.com\",\n            \"port\": 443,\n            \"is_https\": 1\n        },\n        {\n            \"ip\": \" ivibers.com\",\n            \"port\": 443,\n            \"is_https\": 1\n        },\n        {\n            \"ip\": \" meetvibersapi.com \",\n            \"port\": 443,\n            \"is_https\": 1\n        }\n    ]\n}\n<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>Decoy PDF<\/strong><\/h1>\n\n\n\n<p>The name and content of the lure used by the attackers seem to indicate that <strong>the targets of this campaign are no different from those seen so far in the SmugX campaign<\/strong> (diplomats and government entities). The lure uses the upcoming <strong>Taiwanese presidential election in January 2024<\/strong> to capture the interest of its victims. The document refers to Terry Gou&#8217;s announcement in September this year declaring his independent candidacy for Taiwan&#8217;s presidential election, with Lai Peixia as his right-hand man.<\/p>\n\n\n\n<p>Terry Gou, founder and former CEO of the Taiwanese multinational electronic components company (one of the largest suppliers to the United States, Europe and Japan, and part of the semiconductor manufacturing cluster along with TSMC or MediaTek), is running to bring down the current Taiwanese government, reduce geopolitical tension and stabilise the situation.<\/p>\n\n\n\n<p>Lai Peixia is a singer, activist and politician with dual US-Taiwanese citizenship known for defending human rights. 
It seems that the attackers have chosen a decoy addressing an event of high interest to political, diplomatic and governmental figures in Taiwan: the announcement of the presidential candidacy of Terry Gou and Lai Peixia. This event is particularly relevant because of the links these two political figures have with the Western bloc, the effect their presidency could have on Taiwan&#8217;s trade relations with China, the United States, Europe and Japan, and their impact on the technology race in both blocs.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/wiii.jpg\" alt=\"\" class=\"wp-image-2488\" width=\"747\" height=\"925\"\/><figcaption><em>Decoy PDF: Kuo&#8217;s in-depth considerations for choosing Lai Peixia as presidential VP.pdf<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>Indicators of Compromise<\/strong><\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1<\/td><\/tr><tr><td>651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859<\/td><\/tr><tr><td>908ff3a80ef065ab4be1942e0d41583903f6aac02d97df6b4a92a07a633397a8<\/td><\/tr><tr><td>c6ef220d0c6e9015bdfb7977ff15e7f2c4c0dbfcd3b28ffb3066fe6d21251322<\/td><\/tr><tr><td>8af3fc1f8bd13519d78ee83af43daaa8c5e2c3f184c09f5c41941e0c6f68f0f7<\/td><\/tr><tr><td>45dd12.msi<\/td><\/tr><tr><td>msi.dll<\/td><\/tr><tr><td>NoteLogger.dat<\/td><\/tr><tr><td>\u90ed\u53f0\u9298\u9078\u64c7\u8cf4\u4f69\u971e\u70ba\u7e3d\u7d71\u526f\u624b\u6df1\u5c64\u8003\u91cf.pdf<\/td><\/tr><tr><td>ivibers[.]com<\/td><\/tr><tr><td>meetvibersapi[.]com<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>The Lab52 team has analysed a cyber campaign in which attackers deploy a new variant of the PlugX malware. 
Both the infection chain and the various artefacts used in the cyberattack share multiple similarities with the SmugX campaign, attributed to threat actors Red Delta and Mustang Panda, allegedly linked to the Chinese government. This time, [&hellip;]<\/p>\n","protected":false},"author":28,"featured_media":2492,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[21,16],"tags":[63,71,72],"class_list":{"0":"post-2463","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apt","8":"category-ttp","9":"tag-mustangpanda","10":"tag-plugx","11":"tag-smugx","12":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/mustang2-600x400.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/12\/mustang2-600x600.png","author_info":{"display_name":"3722304989","author_link":"https:\/\/lab52.io\/blog\/author\/3722304989\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2463"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=2463"}],"version-history":[{"count":4,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2463\/revisions"}],"predecessor-version":[{"id":2783,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2463\/revisions\/2783"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/2492"}]
,"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=2463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=2463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=2463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}