By Max Kersten, Marc Elias, Leandro Velasco, and Alexandre Mundo Alguacil

For over a decade, the PlugX malware has been observed internationally, with different variants found around the world. This blog covers a PlugX variant that we have named Talisman, a name based on comparisons with other PlugX variants and on the malware's rather long life since it first emerged in 2008. First, the malware's technical details will be discussed, after which the infrastructure, attribution, and victimology will be covered.

Talisman is a newly discovered PlugX variant which follows the usual execution process: a signed, benign binary is abused to load a modified DLL, which in turn executes shellcode. The shellcode decrypts the PlugX malware, which then serves as a backdoor with plug-in capabilities. Unlike other versions, the signature of the malware's internal configuration is different, and there are other minor changes within the code.

We want to mention that a change within the PlugX malware alone does not mean a new threat actor has emerged. The PlugX source code has allegedly circulated online already, which also means that not all PlugX samples are necessarily tied to Chinese actors, although it is a prevalent tool in their kit. In the case of Talisman, there is more evidence pointing towards a Chinese state-backed actor than a simple change in the malware's codebase, such as overlaps in the infrastructure used, which is also present in Recorded Future's research. Based on this, Trellix attributes this campaign with medium confidence to the Chinese state-backed RedFoxtrot group. The victims were in South Asia, in the telecommunication and defense sectors, and align with China's geopolitical interests. One such interest is the Belt and Road Initiative, via which China aims to establish strong socio-economic relationships across Europe, Asia, and Africa through trade.

Within the analysis of the PlugX Talisman variant, we will reference the THOR variant of PlugX, which was discovered by Unit42, as well as an earlier version of PlugX documented by DrWeb. These articles describe other versions of PlugX and helped us during the analysis of this variant to understand and compare the different iterations of the malware. Talisman has some differences from other PlugX versions. In the coming sections, we will highlight interesting segments of the malware. Below, a visual overview of the malware's stages is given.

The first stage of the malware is a benign executable, used to evade the prying eyes of security products, as valid signatures often help to indicate the trustworthiness of a binary. The signed executables in this campaign were created by security companies. The sole purpose of the first stage is to load a DLL which has been modified by the attacker. Sideloading a DLL is a commonly seen technique in various PlugX variants, as is also described on the respective MITRE ATT&CK page. Lastly, a third binary file, containing the encrypted Talisman payload, is decrypted by the DLL to complete the full chain of execution.

In the sample we are analyzing, the legitimate executable is named SNAC.exe, the Talisman DLL loader is named WGXMAN.DLL, and the encrypted and compressed Talisman payload is named SNAC.LOG. Most Talisman PlugX samples we analyzed consist of three-file execution chains abusing the DLL sideloading technique, which is consistent with the tactics, techniques, and procedures of Chinese state-sponsored threat actors, who use this type of execution to launch their malware and evade detection by security solutions. The table below lists the different observed filenames for the legitimate executables, the Talisman DLL loader, and the encrypted Talisman payload in the analyzed samples.

In addition to the filenames, we detected another type of execution chain consisting of a self-extracting (SFX) RAR file named "sys.exe" that drops the three related RasTls files to disk and executes them. The SHA-256 hash of this sample is:

ġc0cf69bce6fb6ec59be3044d35d3a130acddbbf9288d7bc58b7bb87c0a4fb97

The DLL is loaded by the benign executable, as it normally would be. In this case, the DLL has only a single purpose: execute shellcode to decrypt a fake log file. The shellcode is called from the DLL's "DllMain" function the moment the DLL is attached to the process. Once decrypted, a new PE file is uncovered, which is PlugX's main component, to which execution is then transferred. The configuration decryption routine used within PlugX's modified DLL to decrypt Talisman differs from both aforementioned samples.
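The three-file layout described above (a legitimate PE executable, a sideloaded DLL, and a "log" file that is really an encrypted payload) is something a defender can hunt for on disk. The following Python script is an added example written for this article; it is not Trellix's tooling nor code from the original post. It flags directories that contain an `.exe`, a `.dll`, and a text-looking file (`.log`, `.txt`, `.dat`, `.ini`) whose content is high-entropy binary rather than text. The filenames SNAC.exe, WGXMAN.DLL and SNAC.LOG are taken from the post; the file contents are constructed stand-ins (a bare MZ header and SHA-256-derived pseudo-random bytes), not the real samples, and the entropy threshold of 7.0 bits per byte and the suffix list are assumptions, not values from the post.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

PE_MAGIC = b"MZ"
# Extensions an attacker picks so the encrypted payload looks harmless (assumption).
TEXT_LIKE_SUFFIXES = {".log", ".txt", ".dat", ".ini"}
# Plain-text logs usually sit around 4-5 bits/byte; encrypted or compressed data
# approaches 8. The cut-off of 7.0 is an assumption for this example.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_pe(path: Path) -> bool:
    """Cheap PE check: does the file start with the DOS 'MZ' magic?"""
    with path.open("rb") as f:
        return f.read(len(PE_MAGIC)) == PE_MAGIC


def find_sideloading_triads(directory: Path) -> List[Dict[str, object]]:
    """Return one record per (exe, dll, high-entropy text-named file) found side by side."""
    exes, dlls, blobs = [], [], []
    for p in sorted(directory.iterdir()):
        if not p.is_file():
            continue
        suffix = p.suffix.lower()          # handles SNAC.LOG as well as snac.log
        if suffix == ".exe" and is_pe(p):
            exes.append(p)
        elif suffix == ".dll" and is_pe(p):
            dlls.append(p)
        elif suffix in TEXT_LIKE_SUFFIXES and not is_pe(p):
            data = p.read_bytes()
            ent = shannon_entropy(data)
            if ent >= ENTROPY_THRESHOLD:
                blobs.append((p, ent, hashlib.sha256(data).hexdigest()))
    if not (exes and dlls and blobs):
        return []
    return [
        {"exe": e.name, "dll": d.name, "payload": b.name,
         "entropy": round(ent, 2), "payload_sha256": digest}
        for e in exes for d in dlls for (b, ent, digest) in blobs
    ]


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler (chained SHA-256), standing in for an encrypted payload."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def build_demo(root: Path) -> None:
    """Constructed stand-ins only: 'sample' mimics the SNAC.exe / WGXMAN.DLL / SNAC.LOG layout,
    'benign' has the same shape but a genuine text log. None of this is real malware."""
    sample = root / "sample"
    sample.mkdir()
    (sample / "SNAC.exe").write_bytes(PE_MAGIC + b"\x00" * 62)      # bare MZ header, not a real PE
    (sample / "WGXMAN.DLL").write_bytes(PE_MAGIC + b"\x00" * 62)
    (sample / "SNAC.LOG").write_bytes(pseudo_random_bytes(b"talisman-demo", 4096))

    benign = root / "benign"
    benign.mkdir()
    (benign / "app.exe").write_bytes(PE_MAGIC + b"\x00" * 62)
    (benign / "helper.dll").write_bytes(PE_MAGIC + b"\x00" * 62)
    (benign / "app.log").write_bytes(b"2022-05-10 09:00:01 INFO service started\n" * 100)


def run_demo() -> Dict[str, List[Dict[str, object]]]:
    """Build both directories in a temp location and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo(root)
        return {
            "sample": find_sideloading_triads(root / "sample"),
            "benign": find_sideloading_triads(root / "benign"),
        }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(name, "->", hits or "no sideloading triad found")
```

The scan is deliberately conservative: it only fires when all three pieces sit in one directory, which is exactly the layout the post describes, and it reports the payload's SHA-256 so a hit can be checked against known indicators. A real deployment would additionally verify the executable's Authenticode signature and inspect the DLL's exports, neither of which this offline example attempts.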