New PlugX variant “Talisman” used by famous Chinese APT

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

PlugX is a well-known malware family with samples dating back to as early as 2008. A Chinese state-backed threat actor, RedFoxtrot group, is discovered to use a new variant of the PlugX malware, Talisman. The threat actor group has staged campaigns on telecommunication and defense sectors in South Asian countries. These victims were attacked to protect the Belt and Road initiative of the Chinese government, a program that aims to establish strong socioeconomically relationships across Europe, Asia, and Africa.

PlugX is a fully featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote cmd.exe shell. Talisman is a new PlugX variant that uses a signed and safe binary to load a modified DLL and run shellcode. The shellcode is used to decrypt the PlugX RAT, which subsequently acts as a backdoor with plug-in capability. Unlike previous versions, the malware’s internal configuration signature has changed, as have other small changes inside the code.

The MITRE ATT&CK TTPs used by PlugX are:

TA0002: Execution

TA0003: Persistence

TA0004: Privilege Escalation

TA0005: Defense Evasion

TA0006: Credential Access

TA0007: Discovery

TA0009: Collection

TA0011: Command and Control

T1071: Application Layer Protocol

T1059: Command and Scripting Interpreter

T1543: Create or Modify System Process

T1140: Deobfuscate/Decode Files or Information

T1574: Hijack Execution Flow

T1056: Input Capture

T1036: Masquerading

T1112: Modify Registry

T1106: Native API

T1135: Network Share Discovery

T1095: Non-Application Layer Protocol

T1057: Process Discovery

T1012: Query Registry

T1113: Screen Capture

T1049: System Network Connections Discovery

Actor Details

Indicators of Compromise (IoCs)

References

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html