
DOPLUGS Backdoor

Mustang Panda, a threat actor with ties to China, has employed a customized variant of the PlugX (also known as Korplug) backdoor, referred to as DOPLUGS, to target several Asian nations. This tailored version of PlugX differs from the typical variant in that it lacks a fully integrated backdoor command module; instead, it is designed specifically to download that module. DOPLUGS attacks have focused primarily on targets in Taiwan and Vietnam, with fewer occurrences in Hong Kong, India, Japan, Malaysia, Mongolia and even China.

Mustang Panda is Believed to Have been Active for More Than a Decade

Mustang Panda, also known by aliases such as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416, and TEMP.Hex, relies heavily on PlugX as a core tool. The group has been active since at least 2012, although its activities only gained public attention in 2017.

The modus operandi of the Mustang Panda involves executing meticulously crafted spear-phishing campaigns designed to deliver a range of custom malware. Since 2018, the threat actor has been known to deploy its own customized versions of PlugX, including RedDelta, Thor, Hodur and DOPLUGS (distributed through a campaign named SmugX).

The compromise chains orchestrated by Mustang Panda follow a consistent pattern. A phishing message delivers a first-stage payload which, while presenting a decoy document to the recipient, surreptitiously unpacks a legitimate, signed executable that is susceptible to DLL side-loading. That executable is then used to side-load an attacker-supplied dynamic-link library (DLL), which decrypts and executes the PlugX malware.
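The side-loading step above has a recognisable telemetry footprint: a validly signed executable maps an unsigned DLL from its own directory, usually a user-writable one, under a file name that normally resolves from System32. The following hunting heuristic is an added example and not code from the write-up; it models image-load records on the fields of Sysmon Event ID 7 (ImageLoaded), and the sample events, the directory list and the small set of System32 DLL names are constructed for the demonstration.

```python
"""Hunting heuristic for DLL side-loading over image-load events (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where a signed vendor binary legitimately keeps its private DLLs.
TRUSTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)

# Constructed subset of DLL names that ship in System32; a real hunt would
# enumerate that directory on a clean reference host instead of hard-coding it.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "wininet.dll", "userenv.dll"}


@dataclass(frozen=True)
class ImageLoad:
    process_image: str    # full path of the executable doing the load
    process_signed: bool  # executable has a valid Authenticode signature
    loaded_image: str     # full path of the DLL that was mapped
    dll_signed: bool      # DLL has a valid Authenticode signature


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def in_trusted_dir(path: str) -> bool:
    d = _dir(path)
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def side_load_reasons(ev: ImageLoad) -> list:
    """Return the indicators that make an event look like DLL side-loading.

    Core pattern: a legitimate signed executable resolves a DLL from its own
    directory, where an attacker-supplied DLL has been dropped beside it.
    """
    reasons = []
    if not ev.process_signed:
        return reasons  # unsigned host process is a different problem
    if _dir(ev.process_image) != _dir(ev.loaded_image):
        return reasons  # DLL came from elsewhere (System32, etc.)
    if not ev.dll_signed:
        reasons.append("signed executable loaded an unsigned DLL from its own directory")
    if not in_trusted_dir(ev.process_image):
        reasons.append("executable runs from a user-writable location")
    name = PureWindowsPath(ev.loaded_image).name.lower()
    if name in SYSTEM_DLL_NAMES:
        reasons.append(f"{name} shadows a DLL that normally resolves from System32")
    return reasons


def hunt(events):
    """Yield (event, reasons) for events showing at least two indicators."""
    for ev in events:
        r = side_load_reasons(ev)
        if len(r) >= 2:
            yield ev, r


# Constructed sample telemetry: a benign vendor load, a side-loading pattern,
# and a normal System32 load by the same suspicious process.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VendorApp\vendorapp.exe", True,
              r"C:\Program Files\VendorApp\vendorcore.dll", True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\Report\viewer.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\Report\version.dll", False),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\Report\viewer.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.process_image, "->", ev.loaded_image)
        for r in reasons:
            print("   ", r)
```

The threshold of two indicators keeps a vendor's signed application that legitimately loads its own unsigned helper DLL from a Program Files directory out of the results, while the decoy-document case (signed viewer plus unsigned `version.dll` in a Temp folder) scores on all three.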

Once deployed, PlugX retrieves either the Poison Ivy Remote Access Trojan (RAT) or the Cobalt Strike Beacon, establishing a connection to a server controlled by Mustang Panda. This multi-stage sequence illustrates the advanced and persistent nature of the group's operations.

The DOPLUGS Backdoor is a New Addition to the Malware Arsenal of a Cybercriminal Group

Initially observed by researchers in September 2022, DOPLUGS functions as a downloader equipped with four distinct backdoor commands. Notably, one of these commands is designed to facilitate the download of the conventional version of the PlugX malware.

Security experts have also detected variations of DOPLUGS that incorporate a module called KillSomeOne. This plugin serves multiple purposes, including the distribution of malware, collection of information, and theft of documents through USB drives.

This particular variant of DOPLUGS includes an additional launcher component. This component executes a legitimate executable, employing DLL side-loading techniques. Furthermore, it supports functionalities such as command execution and downloading the next-stage malware from a server controlled by the threat actor.

A custom-made PlugX variant featuring the KillSomeOne module, specifically designed for propagation through USB drives, was uncovered as early as January 2020 by infosec researchers. The malware was deployed as part of a series of attacks targeting Hong Kong and Vietnam.

At the end of 2023, a Mustang Panda campaign that used DOPLUGS against Taiwanese political, diplomatic, and governmental entities was brought to light. The operation had one distinctive characteristic: the malicious DLL was written in the Nim programming language. Unlike its predecessors, this variant uses its own implementation of the RC4 algorithm to decrypt PlugX, rather than calling the Windows Cryptsp.dll library as earlier versions did.
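An RC4 routine compiled into the loader produces exactly the same bytes as the CryptoAPI routine in Cryptsp.dll, so the change above removes the imported-function indicator without changing the cipher; a detection that keys on the Cryptsp.dll import therefore misses this variant, while an analyst who has recovered the key can still decrypt the payload with any RC4 implementation. The code below is an added example, not code from the write-up or from any DOPLUGS sample: a textbook RC4, a sanity check that a decrypted buffer carries a PE header, and a candidate-key loop that uses that check to confirm a successful decryption. The key and the minimal PE stub are constructed for the demonstration.

```python
"""RC4 as loaders embed it, plus a payload-recovery check (added example)."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # PRGA: keystream XORed with input
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap check that a decrypted buffer is a Windows PE image."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def try_keys(blob: bytes, candidates):
    """Decrypt with each candidate key; return (key, plaintext) on the first PE hit."""
    for key in candidates:
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PlugX payload: a minimal MZ/PE header stub."""
    img = bytearray(b"MZ" + b"\0" * 0x3E)       # 0x40-byte DOS header
    struct.pack_into("<I", img, 0x3C, 0x80)     # e_lfanew -> PE header at 0x80
    img += b"\0" * (0x80 - len(img))
    img += b"PE\0\0" + b"\0" * 20               # PE signature + empty COFF header
    return bytes(img)


# Standard RC4 test vector: key "Key", plaintext "Plaintext".
RC4_VECTOR = (b"Key", b"Plaintext", bytes.fromhex("BBF316E8D940AF0AD3"))

# Constructed key; a real key would be recovered from the loader, not invented here.
DEMO_KEY = b"demo-key-not-real"
ENCRYPTED_PAYLOAD = rc4(DEMO_KEY, build_fake_pe())

if __name__ == "__main__":
    key, plain, expected = RC4_VECTOR
    print("RC4 vector ok:", rc4(key, plain) == expected)
    hit = try_keys(ENCRYPTED_PAYLOAD, [b"wrong-guess", DEMO_KEY])
    print("recovered key:", hit[0], "| PE header ok:", looks_like_pe(hit[1]))
```

Because RC4 is symmetric, `rc4()` serves both to build the constructed sample and to decrypt it; the `looks_like_pe()` check is what turns a brute candidate-key loop into a usable triage step, since the decrypted PlugX stage is a PE image and a wrong key yields noise with no MZ/PE structure.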
