[MART] - Daily Diary #314 - PKPLUG Group Is Using The THOR RAT in Recent Attacks

CTAS-MAT ctas-mat at appgate.com
Wed Jul 28 22:12:24 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

07/28/2021 - Diary entry #314:

The PKPLUG group, also known as MustangPanda and HoneyMyte, is a chinese threat actor responsible for the Microsoft Exchange Server attacks in March, 2021. During these attacks, the group deployed a variant of the malware known as PlugX, named THOR.

THOR is a RAT and it was used as a post exploitation tool on one of the compromised servers. This variant has the ability to deliver other malicious payloads and it has several samples associated to the PlugX C&C infrastructure.

To bypass anitiviruses detections and the Microsoft Exchange servers, the group employed a technique called "living off the land", covered in our Daily Diary #247. It uses legitimate binaries, in this case the BITSAdmin, to download the malicious payload containing the THOR malware.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210728/26a577dc/attachment.htm>

More information about the MART mailing list