Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware.
AhnLab Security Emergency Response Center (ASEC), in a new report, said it observed the continued abuse of the flaws to deliver various payloads to compromised systems.
These include the Sliver post-exploitation framework, the XMRig cryptocurrency miner, Gh0st RAT, and Paradise ransomware. PlugX is the latest addition to this list.
The modular malware is widely used by China-based threat actors, with new features constantly being added to help perform system control and information theft.
In attacks observed by ASEC, successful exploitation of the flaws is followed by the execution of a PowerShell command that retrieves an executable and a DLL file from a remote server.
The executable is a legitimate HTTP Server Service binary from the cybersecurity company ESET. It is abused to load the attacker-supplied DLL through a technique called DLL side-loading, and that DLL ultimately runs the PlugX payload in memory.
“PlugX operators use a high class of trusted binaries that are vulnerable to DLL Side-Loading, including many anti-virus executables,” Security Joes mentioned in a September 2022 report. “It has proven effective while infecting victims.”
The backdoor is also notable for its ability to start arbitrary services, download and execute files from an external source, and drop plugins that can harvest data and propagate using the Remote Desktop Protocol (RDP).
“New features are being added to [PlugX] even today as it continues to see continuous use in attacks,” ASEC said. “Once the backdoor, PlugX, is installed, threat actors can gain control of the infected system without the user’s knowledge.”