
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<p>Hello,</p>

<p><br>

</p>

<p>I hope everyone is doing well!</p>

<p><br>

</p>

<p>Below is the entry for today.</p>

<p><br>

</p>

<p>07/28/2021 - Diary entry #314:</p>

<p><br>

</p>

<blockquote style="margin-top:0;margin-bottom:0">

<div style="margin-top: 0px; margin-bottom: 0px;">

<p>The PKPLUG group, also known as MustangPanda and HoneyMyte, is a chinese threat actor responsible for the Microsoft Exchange Server attacks in March, 2021. During these attacks, the group deployed a variant of the malware known as PlugX, named THOR.</p>

<p><br>

</p>

<p>THOR is a RAT and it was used as a post exploitation tool on one of the compromised servers. This variant has the ability to deliver other malicious payloads and it has several samples associated to the PlugX C&C infrastructure.</p>

<p><br>

</p>

<p>To bypass anitiviruses detections and the Microsoft Exchange servers, the group employed a technique called "living off the land", covered in our Daily Diary #247. It uses legitimate binaries, in this case the BITSAdmin, to download the malicious payload

 containing the THOR malware.</p>

<br>

</div>

</blockquote>

<p><br>

</p>

<p>Kind Regards,</p>

<br>

</div>

<div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<br>

</div>

<div id="Signature">

<div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<table style="font-size:medium; font-family:"Times New Roman"">

<tbody>

<tr>

<td style="width:180px" align="left">

<table width="120" align="left">

<tbody>

<tr>

<td colspan="3" align="center"><a href="https://www.appgate.com/" target="_blank" rel="noopener noreferrer" style="margin:0px"><img style="margin:0px" width="120" height="30" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png"></a></td>

</tr>

<tr>

<td colspan="3" align="center"> </td>

</tr>

<tr>

<td width="37%" align="center"><a href="https://www.linkedin.com/company/appgate-security/" target="_blank" rel="noopener noreferrer" style="margin:0px"><img style="margin:0px" width="18" height="18" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png"></a></td>

<td width="28%"><a href="https://twitter.com/AppgateSecurity" target="_blank" rel="noopener noreferrer" style="margin:0px"><img style="margin:0px" width="20" height="18" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png"></a></td>

<td width="35%"><a href="https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ" target="_blank" rel="noopener noreferrer" style="margin:0px"><img style="margin:0px" width="26" height="18" src="https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png"></a></td>

</tr>

</tbody>

</table>

<p style="margin-top:0px; margin-bottom:0px"> </p>

</td>

<td colspan="2" rowspan="2" style="width:350px">

<p style="color:rgb(12,12,12); font-size:13px; font-family:Arial,Helvetica,sans-serif; margin-top:0px; margin-bottom:0px">

<strong>Felipe Tarijon de Almeida</strong><br>

Malware Analyst<br>

<strong>Appgate</strong></p>

<p style="color:rgb(12,12,12); font-size:13px; font-family:Arial,Helvetica,sans-serif; margin-top:0px; margin-bottom:0px">

E:<span style="margin:0px"> </span><font color="#228EBE"><a href="mailto:felipe.duarte@appgate.com" target="_blank" rel="noopener noreferrer" title="mailto:felipe.duarte@appgate.com" style="margin:0px">felipe.tarijon@appgate.com</a></font><br>

O:<span> </span><span style="margin:0px; background-color:white">+55 11 97467 9549</span></p>

</td>

</tr>

</tbody>

</table>

<br>

</div>

</div>

</div>

</div>

</body>

</html>