Tuesday, May 21, 2024

Remote Desktop Software Flaws Become An Entry Point For Plugx Malware

Cybercriminals have made significant progress in their ability to exploit bugs in remote desktop software such as Sunlogin and AweSun. According to a report by AhnLab Security Emergency Response Center (ASEC), the most recent payload delivered to systems compromised through remote desktop application vulnerabilities is PlugX. Earlier payloads seen in the same campaigns include the Sliver post-exploitation framework, Gh0st RAT, Paradise ransomware, and the XMRig bitcoin miner.

ASEC further found that, once the vulnerability has been successfully exploited, a PowerShell command is executed to retrieve an executable and a DLL file from a remote server. Analysis of the executable showed it to be a legitimate HTTP server from ESET, which is abused by the threat actors for DLL side-loading: the signed binary loads the attacker-supplied DLL placed beside it, and that DLL runs the PlugX payload in memory.

An earlier report from Security Joes in September 2022 described the same behaviour by PlugX operators, noting their use of a wide variety of trusted binaries vulnerable to DLL side-loading, including numerous anti-virus executables.
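The chain described above (a script interpreter fetches a signed vendor binary plus a DLL, and the binary then loads the DLL from its own directory) leaves a recognisable trace in endpoint telemetry. The following is an added example, not code from the article or from ASEC, of a simple detection rule run over constructed image-load events in a Sysmon-like shape; the event field names, process IDs, file names and paths are all assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass, field

# Directories where a signed vendor binary would normally live. Anything
# signed that runs from elsewhere (user profile, Temp, Public) is worth a look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Script interpreters commonly used as the stage that downloads the pair of files.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")


@dataclass
class Finding:
    pid: int
    image: str
    module: str
    reasons: list = field(default_factory=list)


def _norm(path: str) -> str:
    # ntpath handles Windows paths correctly even when this runs on Linux/macOS.
    return ntpath.normcase(path)


def in_trusted_root(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_ROOTS)


def analyse_image_load(ev: dict):
    """Return a Finding when an image-load event looks like DLL side-loading.

    Base condition: a signed host process loads an unsigned DLL from the
    directory it was launched from. Many legitimate installs also do this, so
    an alert is raised only when at least one aggravating factor is present.
    """
    image, module = ev["image"], ev["loaded"]
    same_dir = _norm(ntpath.dirname(image)) == _norm(ntpath.dirname(module))
    if not (same_dir and ev["image_signed"] and not ev["loaded_signed"]):
        return None

    aggravating = []
    if not in_trusted_root(image):
        aggravating.append("signed host binary runs from outside Program Files / Windows")
    if _norm(ntpath.basename(ev["parent_image"])) in SCRIPT_HOSTS:
        aggravating.append("host binary was started by a script interpreter")
    if not aggravating:
        return None

    reasons = ["signed host loads unsigned DLL from its own directory"] + aggravating
    return Finding(ev["pid"], image, module, reasons)


def scan(events: list) -> list:
    """Run the rule over a batch of events and return the findings."""
    findings = []
    for ev in events:
        if ev.get("event") != "ImageLoad":
            continue
        f = analyse_image_load(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real indicators): one side-loading chain
# started from PowerShell, plus two benign loads that must not alert.
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "pid": 4120,
     "image": "C:\\Users\\Public\\svc\\legit_server.exe", "image_signed": True,
     "loaded": "C:\\Users\\Public\\svc\\helper.dll", "loaded_signed": False,
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"event": "ImageLoad", "pid": 1200,
     "image": "C:\\Program Files\\Vendor\\app.exe", "image_signed": True,
     "loaded": "C:\\Program Files\\Vendor\\plugin.dll", "loaded_signed": False,
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"event": "ImageLoad", "pid": 3311,
     "image": "C:\\Users\\alice\\tool.exe", "image_signed": True,
     "loaded": "C:\\Windows\\System32\\kernel32.dll", "loaded_signed": True,
     "parent_image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.image} loaded {f.module}")
        for r in f.reasons:
            print("  -", r)
```

The rule deliberately keys on the combination (signed host, unsigned co-located DLL, unusual location or scripted parent) rather than on any particular vendor binary, so it also covers the anti-virus executables mentioned in the Security Joes report without a list of file names to maintain. In production the signature fields would come from the EDR's certificate verification rather than a boolean in the event.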

“When the backdoor, PlugX, is installed, threat actors can gain control over the infected system without the user’s knowledge.” Additional research has shown that China-based threat actors use this malware to steal data and escalate privileges, as reflected in its frequent feature updates. Despite continuous efforts to curb its abuse, ASEC confirmed that updates are still being delivered, stating: “New features are being added to PlugX even to this day as it continues to see steady use in attacks.”

ASEC’s further analysis of the backdoor found that it can launch arbitrary services, download and execute files from external sources, install plugins for data collection, and make use of the Remote Desktop Protocol (RDP).
