Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors
Analysis Summary
# Tool/Technique: PlugX (New Variant), RainyDay, Turian
## Overview
This summary outlines a new campaign discovered by Cisco Talos active since 2022, targeting the telecommunications and manufacturing sectors in Central and South Asia. The campaign utilizes a new variant of the **PlugX** malware which shares significant overlap in technical implementation, including encryption schemes and DLL sideloading abuse, with the **RainyDay** and **Turian** backdoors. The configuration structure of the new PlugX variant strongly suggests attribution to the **Naikon** threat actor.
## Technical Details
- Type: Malware Family (PlugX variant primarily analyzed, referencing RainyDay and Turian)
- Platform: Windows (Implied by backdoor/DLL usage context)
- Capabilities: Payload delivery, persistence, and espionage functions consistent with backdoors like PlugX, RainyDay, and Turian. The key feature is the abuse of DLL search order hijacking.
- First Seen: Campaign active since 2022.
## MITRE ATT&CK Mapping
The core technique highlighted is DLL search order hijacking, used by these malware families to load malicious code.
- **TA0005 - Defense Evasion**
  - T1574 - Hijack Execution Flow
    - T1574.001 - DLL Search Order Hijacking
- **TA0003 - Persistence / TA0002 - Execution** (implied, as these backdoors are used to maintain access and run malicious code)
## Functionality
### Core Capabilities
- **DLL Sideloading Abuse:** All three malware families (New PlugX variant, RainyDay, Turian) were observed abusing the same legitimate "Mobile Popup Application" to load themselves into memory. This points directly to DLL search order hijacking.
- **Shared Encryption Scheme:** Loaders for the three families leverage similar XOR decryption functions and use the identical RC4 key to decrypt encrypted payloads.
- **Configuration Structure:** The configuration format of the new PlugX variant mirrors that of RainyDay, strengthening the attribution link to Naikon.
- **Encryption Algorithm:** Payloads are protected with an XOR-RC4-RtlDecompressBuffer chain: the loader XOR-decodes the embedded blob, RC4-decrypts the result, then decompresses it with RtlDecompressBuffer before execution.
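The XOR-RC4-RtlDecompressBuffer chain above, reimplemented in Python as an added analyst-side example for recovering a payload offline (not code from the Talos report or from the malware families): the XOR key, RC4 key and sample blob are constructed placeholders, not the values shared by the three loaders, and RtlDecompressBuffer is assumed to be called in its LZNT1 mode.

```python
# Added example, not the report's code: the XOR -> RC4 -> RtlDecompressBuffer chain the loaders
# use, reimplemented for offline payload recovery. Keys/sample blob are constructed; LZNT1 assumed.

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:                                # keystream XOR (symmetric)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def lznt1_decompress(data: bytes) -> bytes:
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        hdr, pos = int.from_bytes(data[pos:pos + 2], "little"), pos + 2
        if hdr == 0:                              # zero header ends the stream
            break
        end, base = pos + (hdr & 0xFFF) + 1, len(out)
        if not hdr & 0x8000:                      # chunk stored uncompressed
            out += data[pos:end]
        while pos < end and hdr & 0x8000:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:        # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token, pos = int.from_bytes(data[pos:pos + 2], "little"), pos + 2
                shift = max(4, (len(out) - base - 1).bit_length())  # offset width grows with position
                off = (token >> (16 - shift)) + 1
                length = (token & ((1 << (16 - shift)) - 1)) + 3
                for _ in range(length):           # byte-wise copy allows overlap
                    out.append(out[-off])
        pos = end
    return bytes(out)

def unpack_payload(blob: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    layer = bytes(b ^ xor_key[i % len(xor_key)] for i, b in enumerate(blob))  # XOR layer
    return lznt1_decompress(rc4(rc4_key, layer))                               # RC4, then LZNT1

XOR_KEY, RC4_KEY = b"\x5a", b"placeholder-key"       # constructed, not the shared key
COMPRESSED = bytes.fromhex("06b0104142434405300000")  # hand-built LZNT1 of b"ABCDABCDABCD"
SAMPLE_BLOB = bytes(b ^ XOR_KEY[0] for b in rc4(RC4_KEY, COMPRESSED))  # as a loader carries it
```

Against a real sample, `SAMPLE_BLOB` would be the encrypted resource carved from the sideloaded DLL and the two keys would come from the loader's decryption routine.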
### Advanced Features
- **Attribution Link:** The shared techniques and configurations allow analysts to assess, with medium confidence, that this PlugX variant is attributable to Naikon.
- **Cross-Campaign Overlap:** Evidence suggests a potential connection or shared tooling vendor between Naikon (RainyDay/PlugX) and BackdoorDiplomacy (Turian).
## Indicators of Compromise
*(Note: Specific IOCs were not detailed in the provided text excerpt, only references to where they can be found.)*
- File Hashes: [Available in linked GitHub repository]
- File Names: [Not explicitly listed]
- Registry Keys: [Not explicitly listed]
- Network Indicators: [Not explicitly listed, but detection focuses on network analysis]
- Behavioral Indicators: Abuse of legitimate application for DLL loading; specific decryption routine (XOR-RC4-RtlDecompressBuffer).
## Associated Threat Actors
- **Naikon** (Medium confidence association based on configuration structure and historical use of RainyDay)
- **BackdoorDiplomacy** (Potential overlap/sharing of tools with Naikon via Turian usage)
## Detection Methods
- **Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud):** Alerts on potentially unwanted network activity.
- **Cisco Secure Malware Analytics (Threat Grid):** Identifies malicious binaries.
- **ClamAV Detections:** Win.Loader.RainyDay-10045411-0.
- **Snort Rules:** Available for download.
## Mitigation Strategies
- **Cisco Umbrella:** Blocks connections to malicious domains/IPs/URLs via Secure Internet Gateway (SIG).
- **Cisco Secure Web Appliance:** Blocks access to potentially dangerous sites.
- **Firewall Management Center:** Additional protection contingent on context.
- **Cisco Duo:** Implements Multi-Factor Authentication (MFA) for network access control.
- *General Mitigation based on TTP:* Harden file loading mechanisms to prevent illegitimate DLL loading adjacent to legitimate executables.
## Related Tools/Techniques
- **RainyDay:** Backdoor historically used by Naikon, sharing encryption/loading mechanisms with the new PlugX variant.
- **Turian:** Backdoor associated with BackdoorDiplomacy, showing technical overlap with the new PlugX variant and RainyDay.
- **PlugX:** The base malware family, exhibiting customized configuration and loading features in this variant.
- **Quarian:** Predecessor/related tool to Turian.
- **Aria-body, Nebulae:** Other backdoors associated with Naikon.