Plug n Panda – APT Group

“Plug N Panda” group (the name that has been chosen by Yarix R&D) is a newly observed group characterized by the use of Ransomware DLL sideloading (PlugX – Talisman) techniques to cover his tracks after carrying an attack and it is believed to originate from China.

This APT was first observed in the first months of 2022 during an Incident Response activity.

The following article makes an in-depth analysis on how this group erases his traces to stay undetected after carrying out an attack probably because his targets are Organizations serving mission-critical environments, as in the managed case.

Is not yet known why this information is useful to the APT group nor for who they may work, anyway they seem to attack specific targets in order to find specific information regarding TELCO companies.

Other similar attacks documented on the internet that get close to “Plug N Panda” ideals and methods are listed below:

• PlugX: a Talisman to Behold
• Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector
• THE LOTUS PANDA IS AWAKE, AGAIN. ANALYSIS OF ITS LAST STRIKE.

For an in-depth Threat Actor analysis a dedicated article will follow

INITIAL ACCESS

One Way or Another

“Plug N Panda” attack starts with external reconnaissance targeted to identify any critical CVE that can give remote access through exploitation. It’s not that uncommon for companies in the specific target industry to expose some services to manage IoT devices or MSPs activities. If the previous way demonstrates not to be viable, then “Plug N Panda” is going to buy leaked accounts with SSL-VPN access to finally gain internal access into the target infrastructure. Recently analyzed attacks show a pattern that repeats until a total compromise of target infrastructure is achieved.

Talisman PlugX – A DLL sideloading technique

In this article we are going to analyze an uncommon way to execute a ransom payload through an actual Antivirus Product’s digitally signed executable.

In addition, this specific case is pretty tricky to examine through dynamic analysis, in fact many of the executed child processes and commands are obfuscated using (apparently) nonsense numeric strings as parameters that will be lately replaced in memory as you will see in the following analysis.

Technical Details – (Log.dll) Static Analysis

DLL IMPORTS

As it can be seen the malware loads “Kernel32.dll”, “psapi.dll” and “Shlwapi.dll”. Those dynamic link libraries grant the binary access to almost all core Windows functions, process handlings and DLL utilities.

Just by looking at them it is easy to suppose that a process injection / hollowing is likely to happen.

PE Sections

PE directories don’t disclose too much information, but the fact that some areas may be packed with “UPX1” packer.

Plug n Panda – PE DirectoriesThe “Optional Header” section confirms the previous statement like the Binary Sections do.

Arguments list

Log.dll has three arguments for “run”, “nodel” and config file path for “config.ini”.

Unfortunately, “config.ini” file is fully encrypted. Part of its content, extensions of files that won’t be encrypted and the extension (.k1.k2.k3) added on encrypted files, is shown below, after having been recovered from memory through dynamic analysis.

Another information gathered from memory is a list of all the processes that are being checked for execution (probably to kill them) as it is shown in the next snippet:

Reading the software list carefully, it is possible to notice a Chinese named software “zhudongfangyu” that resemble to be “360 安全 卫士 (360 Safe Guard), a common security software for Chinese users developed by Qihoo360.

Anti-Debugging INT 3 Function

During reverse engineering we encountered (as expected) an “int 3” anti-debugging function, this piece of code is a specific opcode that has the purpose to call debugger at runtime looping the process and preventing the execution to proceed. This kind of techniques are avoided by replacing all the references pointing to this function with “nop” instructions.

Low Level Syscalls

During execution many low level system calls have been detected, those are commonly used by attackers to hide their tracks by interacting with the OS at the lowest possible userland level.

This type of Syscalls can lead to Security software bypass and they make reverse engineer’s life harder because of the absence of usual imports that generally describe binary runtime activities.

Technical Details – Dynamic Analysis

Brief description and hashes:

• exe (MD5: 6F0254412736E446B49E9DC0A08337D9) à BitDefender service executable with valid Digital Signature
• ini (MD5: D00E4E18825F67A3CA1A190F01B18175) à Encrypted configuration file
• dll (MD5: 10866465A9B0C56AF2CD093B80CDBC9F) à Ransomware main binary

To execute the main payload, it is necessary to spawn a cmd or powershell shell using the following command

bdsrv.exe –run=3306 –nodel=1

where “–run=3306” switch sets the main workflow that will be used to kill (in this case) mysql related services. Anyway the payload does not start using any parameter other than “3306”.

“–nodel=1” tells the malware to either delete itself or not, the value can be “0” for malware deletion or “1” to let it stay resident in the specified path.

From now on “Notepad.exe” will be the container for the payload “log.dll” and the malicious environment is ready to start disabling some core Windows functionalities and services to ensure a complete machine encryption that does not forget to move laterally using GPOs and Shared Folders.

Plug n Panda – Process Execution Tree

Following a list of all commands executed by the payload:

1. Disable Shadow Copies via “vssadmin.exe”
2. Create a secondary partition via “bcedit.exe” and sharing it with the network
3. Delete and disable Windows backups via “wbadmin.exe”
4. EVTX Application and System deletion via “wevutil.exe”
5. Stop the following services via “net1.exe” / “net.exe”
   1. MSDTC
   2. SQLSERVERAGENT
   3. MSSQLSERVER
   4. Vds
   5. SQLWriter
   6. SQLBrowser
   7. MSSQL$CONTOSO1 (CONTOSO1 will then be replaced in memory with the attacked domain name)
6. Use NETSH to disable some Microsoft Defender components
7. Create a copy of itself and all the files it needs for operations in \\Sysvol\
8. Create Group Policies to force payloads execution previously copied in \\Sysvol\  for the entire domain infrastructure

As we can clearly see all the command arguments executed by the hollowed notepad process are obfuscated using a long “1” char repetition that will be replaced at runtime after the utility process memory has been fully allocated.

Plug n Panda – Child commands with “nonsense” arguments (2)

Data encryption begins in a separate process from the BitDefender executable (Notepad.exe Main Thread) as seen in the image below.

Prevention & Hunting

Yarix Labs is constantly working to trace APT Groups movements by profiling techniques and attack patterns to provide one of the bests Security Services to his customers ranging from Incident Response, Cyber Threat Intelligence, Red Teaming to Security Operation Center Monitoring.

APPENDIX

Indicators of compromise

What follows are all the IoCs identified during malwares analysis done to draft the current article

 Author

Nicolas Fasolo is a member of the Yarix Incident Response Team. In the free time he works as an independent “Security Researcher” and “Security Developer” with an unbridled passion for malware analysis. During his CEH Master certification training path he achieved Top 1 in the world for the “Quarter 4 December 2021”. “Cybersecurity Podcast” Author.