Chinese Hackers use Updated PlugX Malware to target Russian Military Personnel

Chinese hackers are using updated PlugX Malware to target Russian military personnel. According to Secureworks, Bronze President is behind the attacks and is known in the cybersecurity community as Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.

Secureworks explained in a report, “The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations. This desire for situational awareness often extends to collecting intelligence from allies and ‘friends.’”

The Bronze President hacking group has been around since July 2018 and has a reputation for conducting espionage operations, leveraging both custom and publicly available tools to compromise targets of interest, maintain long-term access, and collect data from them.

PlugX is a Windows backdoor that threat actors use to execute a variety of commands on infected systems. Chinese state-sponsored actors have been using it for years.

The attack relies on a malicious executable dubbed “Blagoveshchensk – Blagoveshchensk Border Detachment.exe” that masquerades as a seemingly legitimate document by carrying a PDF icon. Opening it leads to the deployment of an encrypted PlugX payload fetched from a remote server.

The researchers added, “Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.”

The researchers clarified, “Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the [People’s Republic of China].”

Trellix noted last month, “PlugX has been associated with various Chinese actors in recent years. This fact raises the question if the malware’s codebase is shared among different Chinese state-backed groups. On the other hand, the alleged leak of the PlugX v1 builder, as reported by Airbus in 2015, indicates that not all occurrences of PlugX are necessarily tied to Chinese actors.”
