Threat actors linked to China have refined two strains of malware – PlugX and Bookworm – to slip past defenses in Asia’s telecom and manufacturing sectors.
At the heart of this story is an updated campaign striking telecom and manufacturing firms in Central and South Asia. The attackers are using updated versions of PlugX and a second malware family, Bookworm, to control victims’ systems remotely. What makes the campaign particularly dangerous is how well the malware hides: the decrypted payload lives only in the system’s memory, and the loader piggybacks on legitimate software to stay under the radar.
The Mechanics of a Stealth Attack
PlugX is a well-known remote access tool (RAT), long used by groups affiliated with Chinese threat actors. What stands out in this variant is that it borrows features from other backdoors, RainyDay and Turian, to improve its stealth. Meanwhile Bookworm, commonly deployed by the Mustang Panda group, has been updated with a set of plugins that help it cover its tracks.
The attackers abuse a genuine application called Mobile Popup to get the targeted system to load a malicious DLL. The technique is DLL side-loading: a legitimate, trusted executable is placed next to an attacker-supplied DLL that carries the name of a library the executable expects to load, so when the program starts it pulls in the attacker’s code and, to a casual observer, nothing looks out of place. Once running, the loader decrypts the next-stage payload, which is protected by layered encryption, and launches it directly in memory. The decrypted payload therefore never touches the disk. Note, though, that the side-loaded DLL and the encrypted blob it reads do sit on disk, so file-based hunting is not useless, merely insufficient on its own.
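One way to hunt for the side-loading pattern just described is to look at which DLLs trusted processes actually load. The following is an added example, not code from the article or from the researchers who analysed the campaign. It runs a simple heuristic over Sysmon Event ID 7 (ImageLoaded) records: a program executing outside the usual install locations loads a DLL from its own directory that is either unsigned or carries the name of a library that normally lives under the Windows system directory. The field names (Image, ImageLoaded, Signed, SignatureStatus) are Sysmon’s; the sample records, paths and vendor names are constructed for illustration and do not correspond to the real Mobile Popup application.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (ImageLoaded) records.

Added example, not code from the original article or from the researchers who
analysed the campaign. The records below are constructed for illustration; the
field names are the ones Sysmon emits, but the paths and names are made up.
"""
import json
import ntpath

# DLL names that legitimately live under the Windows system directory. A copy of
# one of these sitting next to an application is a classic side-loading sign.
# Illustrative subset; extend it from your own baseline.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "uxtheme.dll", "userenv.dll", "wtsapi32.dll"}

# Locations where installed software normally runs; loads from here are ignored
# so the rule focuses on programs dropped into user-writable paths.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def side_load_reasons(ev: dict) -> list[str]:
    """Return why an ImageLoaded event looks like side-loading (empty list if it does not)."""
    image = ev["Image"].lower()          # the process executable
    loaded = ev["ImageLoaded"].lower()   # the DLL it pulled in
    if ntpath.dirname(image) != ntpath.dirname(loaded):
        return []  # side-loading relies on the DLL sitting beside the executable
    if image.startswith(TRUSTED_DIR_PREFIXES):
        return []  # installed software loading its own companions; tune per environment
    reasons = []
    dll_name = ntpath.basename(loaded)
    if dll_name in SYSTEM_DLL_NAMES:
        reasons.append(f"{dll_name} is a system DLL but was loaded from the application directory")
    signed = str(ev.get("Signed", "false")).lower() == "true"
    if not signed or ev.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    return reasons


def scan_events(lines) -> list[tuple[str, str, list[str]]]:
    """Run the heuristic over JSON-encoded Sysmon events, one per line."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue
        reasons = side_load_reasons(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed sample records (not real telemetry). Only the first should fire.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\vendor\vendorapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\vendor\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Users\bob\Downloads\tool\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\bob\Downloads\tool\tool.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\tool\plugin.dll",
     "Signed": "true", "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\tool\tool.exe"},
]]

if __name__ == "__main__":
    for image, dll, reasons in scan_events(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for r in reasons:
            print(f"    {r}")
```

The unsigned-companion rule is deliberately noisy: plenty of legitimate software ships unsigned helper DLLs, so in production you would scope it to user-writable paths and suppress known vendors. The system-DLL-name rule is the higher-confidence signal; a copy of version.dll or dwmapi.dll in a Temp or Downloads folder is rarely innocent.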
It is also instructive to see how closely the structure of this new PlugX variant matches RainyDay and Turian: all three share the same encryption routines and the same DLL side-loading approach. That overlap suggests shared tooling, either between several cooperating groups or between branches of one larger group.
Bookworm, meanwhile, is picking up new stealth techniques. It stores code as UUID strings and converts them back into bytes in memory, so the payload never sits on disk in a form that signature scanners recognise. After infection it downloads further tools, disguising that traffic behind legitimate domains. Many incidents involving Bookworm have found it paired with PlugX, giving the attackers more than one route into a compromised system.
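The UUID trick is simple once seen in code. Below is an added example, not code from the article or from the Bookworm authors, showing both halves: the round trip a loader performs (UUID text back to raw bytes, using the same little-endian field layout that Windows’ UuidFromStringA produces, so the bytes are identical to what a native loader would get), and a scanner that flags long runs of UUID literals in source or data. The payload bytes and the C-like source it is hidden in are constructed for the example; the minimum run length of 8 is an assumed threshold, not a published one.

```python
"""Recover and flag shellcode stashed as UUID strings.

Added example, not code from the original article or from the Bookworm authors.
The payload and the C-like source below are constructed, not real samples.
"""
import re
import uuid

UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
# Text allowed between consecutive UUIDs for them to count as one run
# (array syntax, quotes, commas, whitespace).
GAP_RE = re.compile(r"""[\s,"'{}\[\]()]*""")


def encode_as_uuids(data: bytes) -> list[str]:
    """Pack bytes into UUID strings, 16 per UUID, zero-padding the final chunk.

    bytes_le gives the Windows GUID layout (first three fields little-endian),
    which is what UuidFromStringA writes when a native loader parses the text.
    """
    padded = data + b"\x00" * (-len(data) % 16)
    return [str(uuid.UUID(bytes_le=padded[i:i + 16])) for i in range(0, len(padded), 16)]


def decode_uuids(strings) -> bytes:
    """Reverse of encode_as_uuids: what the loader does in memory before running the blob."""
    return b"".join(uuid.UUID(s).bytes_le for s in strings)


def find_uuid_runs(text: str, min_run: int = 8) -> list[dict]:
    """Return runs of at least min_run adjacent UUID literals, with the bytes they decode to.

    Ordinary code carries a handful of GUIDs (COM class IDs and the like); dozens
    in a row with nothing but delimiters between them is a storage trick, not an API table.
    """
    runs, current = [], []

    def flush():
        if len(current) >= min_run:
            runs.append({
                "offset": current[0].start(),
                "count": len(current),
                "payload": decode_uuids(m.group(0) for m in current),
            })

    for m in UUID_RE.finditer(text):
        if current and not GAP_RE.fullmatch(text[current[-1].end():m.start()]):
            flush()
            current.clear()
        current.append(m)
    flush()
    return runs


# Constructed stand-in for a shellcode blob (deterministic bytes, not real shellcode).
SAMPLE_PAYLOAD = bytes((i * 73 + 11) % 256 for i in range(200))

# Constructed C-like source: two ordinary COM GUIDs plus the UUID-encoded blob.
SAMPLE_SOURCE = (
    'static const char *CLSID_A = "00000000-0000-0000-c000-000000000046";\n'
    'static const char *IID_B   = "00020400-0000-0000-c000-000000000046";\n'
    "static const char *blob[] = {\n"
    + ",\n".join(f'    "{u}"' for u in encode_as_uuids(SAMPLE_PAYLOAD))
    + "\n};\n"
)

if __name__ == "__main__":
    for run in find_uuid_runs(SAMPLE_SOURCE):
        print(f"offset {run['offset']}: {run['count']} UUIDs -> {len(run['payload'])} bytes, "
              f"starts {run['payload'][:8].hex()}")
```

The two lone GUIDs in the sample are not flagged because letters and semicolons separate them from everything else, while the 13 blob entries form one run. For a real triage you would feed the decoded bytes to whatever you normally use on an unknown blob (a disassembler, an emulator, YARA), since the scanner only tells you that something was hidden, not what it does.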
Defend Your Systems: Three Smart Moves
Never assume these attacks target only large firms: your organisation could just as easily be hit, with your data and infrastructure compromised. Careful security management goes a long way towards avoiding that. Start with these three moves:
- Always Update: Unpatched vulnerabilities are often the easiest route for malware like PlugX or Bookworm onto your systems, so keep the operating system, drivers and applications current. Bear in mind, though, that DLL side-loading abuses a legitimate program rather than a bug in it, so patching narrows the attack surface but does not remove this risk on its own.
- Monitor for Unusual Activity: Tools that watch for suspicious in-memory execution (a trusted program loading an unsigned DLL from its own folder, say) or unusual outbound traffic put you in a far stronger position to catch this kind of malware. If an application or device starts behaving oddly, investigate.
- Segment Your Networks and Access: There is no reason to give every user full admin rights; reserve them for those who need them. Likewise, segmenting the network helps stop malware from spreading across your entire infrastructure.