Chinese Hackers target Russian Government With an Updated Malware Variant

Chinese Hackers Target Russian Government Personnel with an Updated Malware Variant

A Chinese hacking group has been discovered targeting Russian government officials with an updated malware variant known as PlugX. The PlugX malware is a Remote Access Trojan (RAT), which was first seen in 2008 and has been used in several attacks, mostly by chinese cyber-espionage groups.

Secureworks, which tracks groups such as Mustang Panda and Bronze President, said that while the group was involved in targeting European governments, it was simultaneously targeting Russian personnel close to the chinese border.

How the Chinese Hackers Operated

A malicious file named “Blagovenshchensk – Blagovenshchensk Detachment” was found, according to Secureworks, the threat actors made the malware document look legitimate with a PDF icon, but when opened leads to the deployment of an encrypted PlugX payload from a remote server.

Blagovenshchensk is a Russian city close to the Chinese border and is home to the 56th Blagovenshchensky Red Banner Border Guard Detachment. This connection suggests that the file was used to target Russian officials familiar with the region.

When the malicious file is launched, it fetches four files from a staging server, including a decoy written in english, a legitimate executable file from UK-based Global Graphics Software Ltd, a malicious DLL downloader and an encrypted payload which the researchers believe is the PlugX malware.

The decoy document emphasizes on the current situation surrounding Belarus and the sanctions of the European Union(EU) while the other three files were used to execute PlugX malware on computers through a DLL search order hijacking.

The researchers claimed that the war in Ukraine has allowed many countries to deploy their cyber capabilities and gain insight about world events, political and economic machinations, and motivation.

They further stated that Bronze President appears to be changing its target in response to the political situation in Ukraine, targeting European and Russian-speaking entities and has received “updated tasking that reflects the changing intelligence collection requirements.”

There have been various attacks by different chinese threat actors using the PlugX malware, which brings up the question if the malware code is distributed among Chinese-state-backed hackers groups. The alleged leak of the PlugX V1 builder by Airbus indicates that not all occurrences are necessarily tied to chinese threat actors, the researchers stated.