Mustang Panda Targets Asia with Advanced PlugX Variant DOPLUGS

Mustang Panda Targets Asia with Advanced PlugX Variant DOPLUGS

The China-linked threat actor known as Mustang Panda has targeted various Asian countries using a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.

Targets of DOPLUGS have been primarily located in Taiwan, and Vietnam, and to a lesser extent in Hong Kong, India, Japan, Malaysia, Mongolia, and even China.

PlugX is a staple tool of Mustang Panda, which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416, and TEMP.Hex. It’s known to be active since at least 2012, although it first came to light in 2017.

The threat actor’s tradecraft entails carrying out well-forged spear-phishing campaigns that are designed to deliver a variety of custom malware. It also has a track record of deploying its own customized PlugX variants such as RedDelta, Thor, Hodur, and DOPLUGS (distributed via a campaign named SmugX) since 2018.

The PlugX malware subsequently retrieves the Poison Ivy remote access trojan (RAT) or Cobalt Strike Beacon to establish a connection with a Mustang Panda-controlled server.

Trend Micro said it also identified DOPLUGS samples integrated with a module known as KillSomeOne, a plugin that’s responsible for malware distribution, information collection, and document theft via USB drives.

This variant comes fitted with an extra launcher component that executes the legitimate executable to perform DLL-sideloading, in addition to supporting functionality to run commands and download the next-stage malware from an actor-controlled server.

“This shows that Earth Preta has been refining its tools for some time now, constantly adding new functionalities and features,” the researchers said. “The group remains highly active, particularly in Europe and Asia.”