How a new PlugX variant abuses DLL search order hijacking
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
A campaign targeting telecommunications and manufacturing sectors in Central and South Asian countries has been discovered, delivering a new PlugX variant. The campaign, active since 2022, shows overlaps with RainyDay and Turian backdoors, including the abuse of legitimate applications for DLL sideloading and shared encryption methods. The new PlugX variant's configuration format resembles that of RainyDay, suggesting attribution to Naikon. Analysis of victimology and technical implementation indicates a potential connection between Naikon and BackdoorDiplomacy, possibly sourcing tools from the same vendor. The malware families use similar infection chains, loaders, and shellcode structures, with shared RC4 keys for payload decryption. This campaign highlights the evolving tactics of Chinese-speaking threat actors and the potential convergence of previously distinct groups.
OPENCTI LABELS :
apt,manufacturing,naikon,telecommunications,chinese apt,rainyday,backdoordiplomacy,plugx,turian,dll hijacking
AI COMMENTARY :
1. Introduction to a New PlugX Threat
The discovery of a new PlugX variant marks a significant evolution in the landscape of Chinese-speaking threat actors. This strain leverages DLL search order hijacking to inject its payload, exploiting the trusted behavior of legitimate applications. First identified in attacks dating back to 2022, this malware campaign has been active against telecommunications and manufacturing organizations across Central and South Asia. The methodical nature of the operation, combined with advanced encryption and sideloading techniques, underscores the sophistication of adversaries operating under the banners of Naikon, RainyDay, Turian, and BackdoorDiplomacy.
2. Campaign Overview and Victimology
The targeted victims reside primarily within the telecommunications and manufacturing sectors, industries critical to regional infrastructure and economic stability. Threat actors have meticulously crafted spear-phishing lures that mimic internal communications, delivering weaponized documents or installers that appear legitimate. Successful exploitation triggers a chain of events culminating in the DLL hijack, where the malicious module is loaded under the guise of a genuine library. This stealthy approach has enabled the campaign to persist undetected for months, if not years, as organizations struggle to identify anomalous behaviors among routine application loads.
3. Technical Analysis of DLL Search Order Hijacking
At the core of this campaign lies a DLL sideloading technique that abuses the Windows search order for dynamic libraries. Attackers place a rogue DLL within an application's working directory to ensure it is loaded before the authentic library. Once in memory, the payload decrypts itself using an RC4 key shared across multiple malware families, then establishes command and control channels. The configuration format bears a striking resemblance to that of the RainyDay backdoor, reinforcing the theory of code reuse or shared tooling. Furthermore, the chain of infection and shellcode structures parallel those found in Turian campaigns, indicating a convergent evolution or collaboration among these groups.
4. Attribution Insights and Threat Actor Convergence
Detailed forensic analysis has revealed overlapping indicators between Naikon and BackdoorDiplomacy operations, suggesting a common source for infection frameworks and loaders. Shared encryption routines and identical RC4 keys used for payload decryption point to either direct cooperation or procurement from the same malware vendor. The resemblance between configuration schemas of the new PlugX strain and the RainyDay backdoor further implicates Naikon in these operations. This convergence of tactics, techniques, and procedures blurs the lines between previously distinct Chinese APT clusters, posing a challenge for attribution and defense.
5. Implications for Security and Defensive Measures
Defenders must adopt a multilayered approach to detect and mitigate DLL hijacking attacks. Application whitelisting, stringent directory permissions, and continuous monitoring of library loads can disrupt the attack chain. Implementing network segmentation and outbound traffic inspection will help isolate compromised hosts and identify beaconing behavior. Regular threat hunting focused on telemetry anomalies and encryption key reuse across incidents can uncover hidden connections between disparate campaigns. As Chinese-speaking threat actors refine their collaboration, organizations must remain vigilant, share intelligence, and update defenses to counter these evolving threats.
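The sideloading mechanism described in section 3 (a rogue DLL placed beside a trusted executable so that it wins the search order) and the "continuous monitoring of library loads" recommended in section 5 can be turned into a concrete detection. The following is an added example written for this page, not code from the report or from the OpenCTI platform. It assumes image-load telemetry in the shape of Sysmon Event ID 7 (process image, loaded image, signed flag, signer), rendered here as constructed key=value lines, and it uses a small, illustrative list of DLL names that are commonly shadowed; both the sample events and that list are assumptions, not indicators from the report.

```python
"""Flag likely DLL search-order hijacking / sideloading in image-load telemetry.

Added defensive example (not from the original report). Input records mimic the
fields of a Sysmon Event ID 7 (Image loaded) event; the sample lines below are
constructed for the demonstration.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Directories where the genuine copies of Windows system libraries live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Illustrative subset of library names that sideloaders frequently impersonate
# (assumption for the example; a production list would be far larger).
COMMONLY_SIDELOADED = {
    "version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll",
    "oleacc.dll", "msimg32.dll", "profapi.dll", "cryptsp.dll",
}

# Path fragments that indicate a user-writable location.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass
class ImageLoad:
    process: str    # full path of the process doing the load (Sysmon 'Image')
    image: str      # full path of the DLL loaded (Sysmon 'ImageLoaded')
    signed: bool    # Sysmon 'Signed'
    signature: str  # Sysmon 'Signature' (signer name, may be empty)


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value;Key=Value' rendering of an image-load event."""
    fields: Dict[str, str] = {}
    for part in line.strip().split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        process=fields["Image"],
        image=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def _norm(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.normpath(path).lower()


def in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def analyze(load: ImageLoad) -> List[str]:
    """Return the list of detection labels that apply to a single image load."""
    image = _norm(load.image)
    name = ntpath.basename(image)
    same_dir = ntpath.dirname(image) == ntpath.dirname(_norm(load.process))
    findings: List[str] = []
    # A library that normally lives in System32 was resolved somewhere else:
    # the classic search-order hijack.
    if name in COMMONLY_SIDELOADED and not in_system_dir(image):
        findings.append("system-dll-shadowed")
    # An unsigned DLL sitting next to the executable that loaded it.
    if same_dir and not load.signed:
        findings.append("unsigned-dll-beside-process")
    # Application and DLL both executing out of a user-writable directory.
    if same_dir and any(m in image for m in USER_WRITABLE_MARKERS):
        findings.append("dll-loaded-from-user-writable-dir")
    return findings


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged DLL path to its findings; clean loads are omitted."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        load = parse_event(line)
        hits = analyze(load)
        if hits:
            results[load.image] = hits
    return results


# Constructed sample telemetry: two benign loads and one sideload pattern.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Vendor\app.exe;ImageLoaded=C:\Windows\System32\version.dll;Signed=true;Signature=Microsoft Windows",
    r"Image=C:\Program Files\Vendor\app.exe;ImageLoaded=C:\Program Files\Vendor\vendorlib.dll;Signed=true;Signature=Vendor Inc",
    r"Image=C:\Users\bob\AppData\Local\Temp\update\app.exe;ImageLoaded=C:\Users\bob\AppData\Local\Temp\update\version.dll;Signed=false;Signature=",
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(hits)}")
```

The three rules are deliberately independent so that each can be tuned or suppressed on its own: a vendor redistributing a Microsoft-signed runtime DLL next to its binary will trip only the first rule, while the full three-label hit in the sample corresponds to the pattern the report describes (a trusted executable copied into a writable directory together with a rogue, unsigned library that shadows a system DLL).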