VYPR
Research · Published Jun 2, 2026 · 1 source

Mustang Panda Leverages Multi-Stage Attack Chain to Deploy PlugX RAT

Chinese state-sponsored group Mustang Panda is using a sophisticated, multi-stage attack chain involving a fake browser update and DLL sideloading to deploy the PlugX remote access trojan.

A multi-stage campaign attributed to the Chinese state-sponsored threat group Mustang Panda has been identified delivering the PlugX remote access trojan (RAT). The infection chain opens with a social-engineering lure, a fake browser update, that gets the user to run a malware loader. The loader then quietly installs its components on the victim system and brings up a channel to a remote command-and-control (C2) server. Because each stage is kept small, separate and dependent on the stage before it, no single file carries the whole picture, which makes the chain hard for security tools to catch when they judge files in isolation.

Security researchers at BlueCyber first observed the campaign and published a technical breakdown of its layered design. The infection process starts from two suspicious files: Browser_Update.zip, an archive, and iis.jpg, a file masquerading as an image. Both were flagged as malicious by multiple vendors on VirusTotal. BlueCyber's analysis found the chain split into many small layers, each with a single job. This modularity helps the malware evade static detection and slows down reverse engineering, since an analyst has to recover and connect every layer before the full behaviour becomes visible.

The initial dropper, Browser_Updater.exe, shows a convincing fake update window. Despite the file name, the dialog mimics an Adobe Acrobat update, complete with working 'Install' and 'Cancel' buttons. The executable also carries a digital signature from a Chinese company, which lends it a veneer of legitimacy. When the user clicks 'Install', the dropper silently contacts a remote server and downloads what appears to be a JPEG image, matching the masqueraded image file flagged above. The file is in fact an MSI installer, which drops three files onto the compromised system: Avk.exe, Avk.dll and AVKTray.dat.

The core of the deception is Avk.exe, a legitimate, digitally signed binary belonging to G DATA AntiVirus. The attackers abuse it to load the malicious Avk.dll through DLL sideloading: the signed executable looks up a DLL by name, its own directory is searched first, and the attackers place their DLL there under that name. Reputation- and signature-based controls that trust the signed host process therefore let unsigned, malicious code run inside it, where a standalone malicious executable would have been flagged. Avk.dll itself is only an intermediate loader. It resolves the Windows APIs it needs through runtime hashing, comparing precomputed hash constants against hashes of exported function names, so neither its import table nor its strings reveal to static analysis which APIs it calls.
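The hash-based API resolution described above, as an added example rather than code from the BlueCyber report or from the malware. The page does not name the hash algorithm Avk.dll uses; the rotate-right-13 hash below is a common choice in Windows loaders and is an assumption, as is the constructed export list standing in for kernel32.dll's export table. The same table that lets the loader find a function from a constant is what an analyst builds to map the constants back to names.

```python
"""Runtime API-hash resolution and its reversal (added example; ROR-13 is assumed)."""
from typing import Dict, Iterable, Optional

# Constructed stand-in for a module's export name table. A real loader walks the
# PE export directory of the module it has located instead of a Python list.
KERNEL32_EXPORTS = [
    "CreateFileW", "ReadFile", "WriteFile", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "LoadLibraryA", "GetProcAddress", "TpAllocWork",
]


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-by-13 hash over the ASCII export name (assumed algorithm)."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right 13 within 32 bits
        h = (h + ch) & 0xFFFFFFFF
    return h


def build_export_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Hash every export once; the loader does this implicitly while walking the table."""
    table: Dict[int, str] = {}
    for name in exports:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {name} vs {table[h]}")
        table[h] = name
    return table


def resolve_by_hash(table: Dict[int, str], wanted: int) -> Optional[str]:
    """Loader side: a hard-coded constant comes in, an export name (and so an address) goes out."""
    return table.get(wanted)


def recover_api_names(hash_constants: Iterable[int], exports: Iterable[str]) -> Dict[int, Optional[str]]:
    """Analyst side: take the constants lifted from the DLL and map them back to API names.
    Unknown constants stay None, which usually means a different module or algorithm."""
    table = build_export_hash_table(exports)
    return {h: resolve_by_hash(table, h) for h in hash_constants}


if __name__ == "__main__":
    # Constants as an analyst would copy them out of the disassembly (computed here
    # because the example has to be self-contained).
    lifted = [ror13_hash("VirtualProtect"), ror13_hash("TpAllocWork"), 0xDEADBEEF]
    for h, name in recover_api_names(lifted, KERNEL32_EXPORTS).items():
        print(f"0x{h:08X} -> {name}")
```

The important detail for detection engineering is that the DLL contains only the 32-bit constants; the export names never appear in the file, so string- and import-based YARA rules miss it, while a table like the one above turns the constants back into a readable API list in seconds.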

The loader reads the encrypted payload from AVKTray.dat, marks the memory holding it executable, and starts it through a Windows thread-pool callback rather than a direct call. The new code then appears to run from a thread-pool worker thread, which obscures the true origin of the execution from security monitoring. Before that, the payload passes through several decryption stages, including an XOR layer and RC4 decryption with the key 'VOphJo', and is then manually mapped into memory: the loader lays out the PE image itself instead of handing the file to the Windows loader, so no image-load event is generated for it. Only the encrypted AVKTray.dat ever touches disk; the decrypted implant exists solely in memory, out of reach of file-based scanning.
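The unpacking of an AVKTray.dat-style blob, as an added example (not code from the report or the malware). The RC4 key 'VOphJo' is taken from the analysis above; the page gives neither the XOR key nor the exact order of the two stages, so the single-byte XOR key 0x5A and the order "strip XOR, then RC4" are assumptions. The sample blob is constructed inside the block by applying the inverse operations to a stub PE header, so the example runs offline and the result can be checked for a valid MZ/PE structure the way an analyst would.

```python
"""Two-stage unpacking: XOR layer, then RC4 with 'VOphJo' (added example; XOR key and order assumed)."""

RC4_KEY = b"VOphJo"   # from the BlueCyber analysis
XOR_KEY = 0x5A        # ASSUMED: the report does not state the XOR key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed onto data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_layer(data: bytes, key: int) -> bytes:
    """Single-byte XOR; its own inverse."""
    return bytes(b ^ key for b in data)


def unpack_payload(blob: bytes) -> bytes:
    """Analyst-side unpacker: remove the XOR layer, then RC4-decrypt (order is an assumption)."""
    return rc4(RC4_KEY, xor_layer(blob, XOR_KEY))


def pack_payload(pe_image: bytes) -> bytes:
    """Inverse of unpack_payload; used only to build the constructed sample below."""
    return xor_layer(rc4(RC4_KEY, pe_image), XOR_KEY)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check after decryption: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed stub: DOS header with e_lfanew = 0x40, followed by the PE signature.
STUB_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16
SAMPLE_BLOB = pack_payload(STUB_PE)   # what an AVKTray.dat-style file would hold

if __name__ == "__main__":
    decrypted = unpack_payload(SAMPLE_BLOB)
    print("blob starts with MZ:", SAMPLE_BLOB[:2] == b"MZ")
    print("decrypted is a PE  :", looks_like_pe(decrypted))
```

Against a real sample the order and XOR key are found by trying both orders and checking for the MZ/PE signature as above; a wrong order or key yields noise, a right one yields a parseable image, which is also the point at which it can be dumped for normal static analysis.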

Once loaded, the PlugX implant contacts its command-and-control server at fruitbrat[.]com on port 443. C2 traffic runs over HTTPS to blend in with normal web browsing, and the requests are crafted to look like those of the Microsoft Edge browser, so the session resists both port- and User-Agent-based filtering. A unique client ID, stored in the Windows registry, identifies the infected machine to the server. The implant's command set is extensive: download and execute arbitrary files, launch processes and capture their output, upload and download file data in chunks, enumerate and delete files, and disable diagnostic tools such as iediagcmd.exe to hinder investigation by administrators.

Security researchers advise organizations to monitor for Avk.exe, Avk.dll and AVKTray.dat, in particular under %PUBLIC%\GData or %LOCALAPPDATA%\pZhozR. A Windows Run registry key entry that points to Avk.exe and passes a trailing numeric argument is a further indicator of this persistence mechanism. BlueCyber stresses that tracking the whole behaviour chain (signed host process, sideloaded DLL, encrypted .dat payload, in-memory execution, HTTPS beacon) offers a more durable defense than matching individual Indicators of Compromise (IoCs), which future PlugX variants can change.
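A hunt for the two host indicators above, as an added example and not tooling from the BlueCyber report. It checks for the Avk.exe / Avk.dll / AVKTray.dat triplet in the two named directories and flags Run-key values that launch Avk.exe with only a trailing numeric argument. Reading the live registry needs winreg on Windows; the matcher here works on value strings so it also runs over exported .reg data or a forensic image, and the Run-key values below are constructed for the demonstration.

```python
"""Hunt for PlugX sideloading artifacts: file triplet and Avk.exe Run-key entries (added example)."""
import os
import re
from typing import Dict, Iterable, List

ARTIFACTS = ("Avk.exe", "Avk.dll", "AVKTray.dat")
# Directories named in the report. os.path.expandvars resolves %VAR% on Windows only.
CANDIDATE_DIRS = (r"%PUBLIC%\GData", r"%LOCALAPPDATA%\pZhozR")

# Avk.exe (optionally quoted, with or without a path) followed by nothing but digits,
# e.g. '"C:\Users\Public\GData\Avk.exe" 1983'. Other switches do not match.
RUN_VALUE_RE = re.compile(r'^"?(?:[^"]*[\\/])?avk\.exe"?\s+(\d+)\s*$', re.IGNORECASE)


def is_suspicious_run_value(command: str) -> bool:
    """True when a Run-key command line matches the Avk.exe + numeric-argument pattern."""
    return RUN_VALUE_RE.match(command.strip()) is not None


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return the value names (in insertion order) whose command lines match."""
    return [name for name, cmd in run_values.items() if is_suspicious_run_value(cmd)]


def find_artifact_triplets(dirs: Iterable[str]) -> List[str]:
    """Return every directory in which all three loader files are present together."""
    hits = []
    for d in dirs:
        path = os.path.expandvars(d)
        if all(os.path.isfile(os.path.join(path, f)) for f in ARTIFACTS):
            hits.append(path)
    return hits


# Constructed sample Run-key values: a normal entry, two matching the pattern, and a
# hypothetical genuine G DATA entry with a switch rather than a number (should not match).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "GDataTray": r'"C:\Users\Public\GData\Avk.exe" 1983',
    "pZhozR": r'C:\Users\u\AppData\Local\pZhozR\Avk.exe 42',
    "RealGData": r'"C:\Program Files\G DATA\AntiVirus\Avk.exe" /minimized',
}

if __name__ == "__main__":
    print("Suspicious Run entries:", suspicious_run_entries(SAMPLE_RUN_VALUES))
    print("Artifact triplets on this host:", find_artifact_triplets(CANDIDATE_DIRS))
```

On a live Windows host the value dictionary comes from HKCU and HKLM ...\Software\Microsoft\Windows\CurrentVersion\Run; both hives should be collected, since the page does not say which one the loader writes to. A match on either check is only the trigger for the behavioural follow-up the report recommends: confirm that the Avk.exe is the signed G DATA binary, that an unsigned Avk.dll sits beside it, and that the process has an HTTPS connection to a host outside the vendor's infrastructure.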

Synthesized by Vypr AI