Try Taegis XDR
0 Results Found
              Back To Results
                Close Try Taegis XDR
                Research & Intelligence

                BRONZE PRESIDENT Targets Government Officials

                The likely Chinese government-sponsored threat group uses decoy documents and PlugX malware to compromise targets. By: Counter Threat Unit Research Team

                In June and July 2022, Secureworks® Counter Threat Unit™ (CTU) researchers identified a PlugX malware campaign targeting computers belonging to government officials of several countries in Europe, the Middle East, and South America. PlugX is modular malware that contacts a command and control (C2) server for tasking and can download additional plugins to enhance its capability beyond basic information gathering. Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically-themed decoy documents that align with regions where China has interests.

                The malware is embedded within RAR archive files. Opening the archive on a Windows computer with default settings displays a Windows shortcut (LNK) file (see Figure 1) that masquerades as a document.


                Figure 1. Content of RAR archive file. (Source: Secureworks)

                Alongside the shortcut is a hidden folder that contains the malware, embedded eight levels deep in a sequence of hidden folders named with special characters (see Figure 2). This tiering is likely to bypass mail-scanning products that may not traverse the entire path when scanning content, suggesting that the delivery mechanism was phishing emails, as there is no other benefit to creating such a folder structure.


                Figure 2. Malicious files contained within hidden folder. (Source: Secureworks)

                To execute the malware, the recipient must click the Windows shortcut file. The shortcut executes a renamed legitimate file contained in the eighth hidden folder. Alongside the legitimate file is a malicious DLL and an encrypted payload file. CTU™ researchers observed the malicious payload using the folder names and filenames in Table 1.

                Shortcut file Hidden folder Legitimate binary Malicious DLL Encrypted PlugX payload
                HU proposals to the draft EUCO conclusions.pdf.lnk ` Opera.exe (renamed test.tmp) opera_browser.dll operaDB.dat
                Embassy of the Republic of Suriname 2022-N-033.pdf.lnk ` Opera.exe (renamed mail.tmp) opera_browser.dll operaDB.dat
                Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.pdf.lnk # Opera.exe (renamed test.bpl) opera_browser.dll operaDB.dat
                EL Non-Paper Pandemic Resilience final.docx.lnk #### Adobe Stock Photos Cs3.exe (renamed test.chs) Adobe_Caps.dll AdobePlugin.dat
                313615_MONTENEGRO-2021-HUMAN-RIGHTS-REPORT.pdf.lnk ` AvastBrowserUpdate.exe (renamed winrar.chm) Goopdate.dll AvastDB.dat
                EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.pdf.lnk _ AvastBrowserUpdate.exe (renamed chrom.uce) Goopdate.dll AvastDB.dat
                NV 309-2022 HMA's departure.pdf.lnk # Opera.exe (renamed test.chm) opera_browser.dll operaDB.dat

                Table 1. Filenames used in PlugX campaign.

                The legitimate binary files are vulnerable to DLL search order hijacking. When executed, they import the malicious DLL that loads, decrypts, and executes the payload file. In each sample analyzed by CTU researchers, the shortcut file metadata indicates the file was created on a Windows system either with hostname "desktop-n2v1smh" or "desktop-cb248vr".

                Once running, the payload drops a decoy document to the logged-on user's %Temp% directory and copies the three files to a ProgramData subdirectory using the pattern "<Application><3 characters>" (e.g., Operavng) (see Figure 3). This naming scheme has been used in previous BRONZE PRESIDENT PlugX campaigns. CTU researchers observed that when the payload performs the copy operation, it names the legitimate executable with its usual name (e.g., Opera.exe, AdobePlugin.exe, AvastBrowser.exe).


                Figure 3. PlugX files copied to ProgramData subdirectory. (Source: Secureworks)

                The political nature of the decoy documents suggests that the government officials of various countries are targets for BRONZE PRESIDENT's intelligence collection efforts (see Figures 4, 5, and 6). The threat group consistently targets China's neighbors such as Myanmar and Vietnam. However, its collection requirements can change quickly and are often driven by geopolitical events such as the war in Ukraine.


                Figure 4. Decoy document used by BRONZE PRESIDENT. (Source: Secureworks)


                Figure 5. Decoy document used by BRONZE PRESIDENT. (Source: Secureworks)


                Figure 6. Decoy document used by BRONZE PRESIDENT. (Source: Secureworks)

                PlugX sets up persistence on the host by setting a registry Run key (see Figure 7).


                Figure 7. PlugX registry configuration. (Source: Secureworks)

                The running instance of the PlugX payload executes the copy of the legitimate file under ProgramData, passing it a command-line argument before exiting (see Figure 8). Passing command-line arguments lets the malware adapt its execution based on its execution location. CTU researchers observed this tactic in previous BRONZE PRESIDENT PlugX campaigns. Once running, the legitimate file again imports the malicious DLL in the same folder, loading, decoding, and passing execution to the malicious payload file.


                Figure 8. PlugX process execution with command-line argument. (Source: Secureworks)

                The payload file calls GetCommandLineW to check the number of arguments. If an additional argument follows the file path, the malware opens the decoy document previously dropped to the user's %Temp% folder and continues execution with its C2 routine.

                The malicious DLLs and payloads are heavily obfuscated to hinder analysis and to reduce the likelihood of detection by host-based security software. The malicious DLL executes its payload using an unusual technique. Instead of using a call or jmp instruction, it first decodes and copies the payload to a new allocation of memory and then makes a call to EnumThreadWindows to pass execution to the start of the malicious payload file (see Figure 9).


                Figure 9. Malicious DLL calling EnumThreadWindows. (Source: Secureworks)

                The start of the payload file is treated as executable code in the same way as a Cobalt Strike stageless payload artifact. This could be a tactic developed by BRONZE PRESIDENT to increase the likelihood of its malware being misidentified as the popular Cobalt Strike tool.

                The payload resolves various required Windows functions. It then starts a new thread that makes repeated calls to CheckRemoteDebuggerPresent, exiting if it detects a debugger.

                Figure 10 shows the payload preparing to decode its configuration. The values pushed to the stack are key length, key, data length, and data address. The key is used as a multibyte XOR value. All observed key value lengths are nine bytes, and their values vary across samples.


                Figure 10. PlugX calling its configuration decode function. (Source: Secureworks)

                Figure 11 shows the beginning of the decoded configuration, including the installation directory, mutex name, and the name of the decoy document associated with the sample.


                Figure 11. PlugX configuration data. (Source: Secureworks)

                BRONZE PRESIDENT has demonstrated an ability to pivot quickly for new intelligence collection opportunities. Organizations in geographic regions of interest to China should closely monitor this group's activities, especially organizations associated with or operating as government agencies.

                To mitigate exposure to this malware, CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 2. Note that IP addresses can be reallocated. The IP addresses may contain malicious content, so consider the risks before opening them in a browser.

                Indicator Type Context
                c285eaea0fe441f550479f7ef85a3dd0 MD5 hash Malicious RAR file containing PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.rar)
                41d61af1d61d6e1c4718132e64268005
                ce362b36
                SHA1 hash Malicious RAR file containing PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.rar)
                4cd7d84e464a2786446df623629aa7e2
                e6c776c9a870278eb39b54c5fba05044
                SHA256 hash Malicious RAR file containing PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.rar)
                3a94449d664033955012edac0161b2b8 MD5 hash Malicious shortcut file that executes PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.pdf.lnk)
                91192be3288369f341951143a81c890c
                11e23726
                SHA1 hash Malicious shortcut file that executes PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.pdf.lnk)
                254739e88ba4b4e62c5e2a313303b4bc
                679faabe21e7d9c483a2bee846a9dcbc
                SHA256 hash Malicious shortcut file that executes PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.pdf.lnk)
                370557aa593c96533e5994d073ddd202 MD5 hash Malicious DLL that loads PlugX (opera_browser.dll)
                81e8fb5149fda8e1231c9f0f22001cea
                5b70429b
                SHA1 hash Malicious DLL that loads PlugX (opera_browser.dll)
                9adf5dd03388fab2866014d0551881d6
                e85c7ac94ef5ccf58deb50a83f8a5d50
                SHA256 hash Malicious DLL that loads PlugX (opera_browser.dll)
                2a1fc50626afbcc6d8fbda3c65d6cc2b MD5 hash Encrypted PlugX payload (operaDB.dat)
                c378c0716bf20ebc83403871ae9d96a2
                717f7599
                SHA1 hash Encrypted PlugX payload (operaDB.dat)
                d556d7603178a7e4242c01fa5e490ea4
                589707eeeab2f3c6c4966bd9b912bd59
                SHA256 hash Encrypted PlugX payload (operaDB.dat)
                041a00485779c5a9e42d803e730ceb6c MD5 hash Malicious RAR file containing PlugX (Embassy of the Republic of Suriname 2022-N-033.rar)
                bd6e5031067724d51abfc2cd2d0fb5ad
                eed33868
                SHA1 hash Malicious RAR file containing PlugX (Embassy of the Republic of Suriname 2022-N-033.rar)
                77a61de438f618fab6e75a920e4ca675
                6917e501f390b8b4f50c3005505bf488
                SHA256 hash Malicious RAR file containing PlugX (Embassy of the Republic of Suriname 2022-N-033.rar)
                3277b31aa055bc149af8c37699019586 MD5 hash Malicious shortcut file that executes PlugX (Embassy of the Republic of Suriname 2022-N-033.pdf.lnk)
                d0d6618fc79ffa3de2aec58603539a29
                4a0bc203
                SHA1 hash Malicious shortcut file that executes PlugX (Embassy of the Republic of Suriname 2022-N-033.pdf.lnk)
                94e76db201d4998394effae2c132730f
                f958bf6553f6dd08d0d5856ecb5e8a84
                SHA256 hash Malicious shortcut file that executes PlugX (Embassy of the Republic of Suriname 2022-N-033.pdf.lnk)
                675ccbd9318414e2eb0dcabf8a387723 MD5 hash Malicious DLL that loads PlugX (opera_browser.dll)
                89f187c9f76d8afa2b6a8c54fa0bc105
                63e0169b
                SHA1 hash Malicious DLL that loads PlugX (opera_browser.dll)
                abea565d16ec5724591331d962d5cf02
                37f4628f8cb21b96592c09cc002b10c2
                SHA256 hash Malicious DLL that loads PlugX (opera_browser.dll)
                5d71c482148a76900888c8e1d382d413 MD5 hash Encrypted PlugX payload (operaDB.dat)
                6637e077ea52dc62cd31b1a868b3c222
                953b8aa9
                SHA1 hash Encrypted PlugX payload (operaDB.dat)
                02375309e74e91b96c0a41f577f3e4b9
                94f3b406abe0619ee6ad69d00e810093
                SHA256 hash Encrypted PlugX payload (operaDB.dat)
                0e37ed727cdb8ae96a50df6391991cc1 MD5 hash Malicious RAR file containing PlugX (HU proposals to the draft EUCO conclusions.rar)
                5285fedf930ccb1acf418c52d581e535
                504aac76
                SHA1 hash Malicious RAR file containing PlugX (HU proposals to the draft EUCO conclusions.rar)
                cbc2d11cb9a495d4697c783cd2aa711a
                5691d3c257ddb95960d27c96f62c15c1
                SHA256 hash Malicious RAR file containing PlugX (HU proposals to the draft EUCO conclusions.rar)
                788cf16121782b4358dc8350012470ab MD5 hash Malicious shortcut file that executes PlugX (HU proposals to the draft EUCO conclusions.pdf.lnk)
                63d63b96ef50a4002d3acf8f50bc2b62
                d1ec46c4
                SHA1 hash Malicious shortcut file that executes PlugX (HU proposals to the draft EUCO conclusions.pdf.lnk)
                3cdd37d2459779bd17dd47d4dd7f0df6
                fc59f5208b67b4e4a259c98d8b4788d9
                SHA256 hash Malicious shortcut file that executes PlugX (HU proposals to the draft EUCO conclusions.pdf.lnk)
                3e004dd25b5e836bc2500098c55a2b6d MD5 hash Malicious DLL that loads PlugX (opera_browser.dll)
                602a80e0924a65316cafc48356fe527e
                427c291f
                SHA1 hash Malicious DLL that loads PlugX (opera_browser.dll)
                7c29f4a79f74f8b299fb9e778322b002
                21e9992d0ac6d2bd915da6629516fa2f
                SHA256 hash Malicious DLL that loads PlugX (opera_browser.dll)
                5536783ddc6c15e3e8aef2a756536020 MD5 hash Encrypted PlugX payload (operaDB.dat)
                0809275ecacd52869b43bf4e9804e309
                c6bb00b7
                SHA1 hash Encrypted PlugX payload (operaDB.dat)
                910c0e5532a94856e8c9047e8c951e21
                345bec4ca6b6950cc5ef0da102d2efab
                SHA256 hash Encrypted PlugX payload (operaDB.dat)
                0e91279b5f7f732106077ab10aa08c58 MD5 hash Malicious RAR file containing PlugX (EL Non-Paper Pandemic Resilience final.rar)
                b4aa56abac4a19aedcda87ef2fb7c8bb
                beb3bf64
                SHA1 hash Malicious RAR file containing PlugX (EL Non-Paper Pandemic Resilience final.rar)
                4bbb10842941e9004c5449966fca1648
                491618ec7841e6befd3e848d75407a10
                SHA256 hash Malicious RAR file containing PlugX (EL Non-Paper Pandemic Resilience final.rar)
                1f47ba7fd131a1a6f7623d76b420d7e9 MD5 hash Malicious shortcut file that executes PlugX (EL Non-Paper Pandemic Resilience final.docx.lnk)
                07c5e675714a1af618d8eb1f370be127
                63138343
                SHA1 hash Malicious shortcut file that executes PlugX (EL Non-Paper Pandemic Resilience final.docx.lnk)
                bf46f4724e5a3b05130df40142446840
                33feadb1c10d8309b7e3069a4b014a88
                SHA256 hash Malicious shortcut file that executes PlugX (EL Non-Paper Pandemic Resilience final.docx.lnk)
                7c3a5bbbfb53d4eb91cd174527460824 MD5 hash Malicious DLL that loads PlugX (Adobe_Caps.dll)
                a6b2c6052ee686e204ad0fbe8d314985
                57a3f4ad
                SHA1 hash Malicious DLL that loads PlugX (Adobe_Caps.dll)
                840426f9d4d9eb535f5963f76f7cdf84
                de084f352dfc0ebc7332b2b4827782e7
                SHA256 hash Malicious DLL that loads PlugX (Adobe_Caps.dll)
                459b4b1edd018ba31242b4780ec39a78 MD5 hash Encrypted PlugX payload (AdobePlugin.dat)
                f8ae9ea9ca603dfc10a309b052dc57ee
                0b75021d
                SHA1 hash Encrypted PlugX payload (AdobePlugin.dat)
                545e2c9965dc0449bb652ae2fb3d1f74
                3741ce4f18c045dc50a3f571a1f267f5
                SHA256 hash Encrypted PlugX payload (AdobePlugin.dat)
                493cb5056dee306ac2c93af2285ad9d8 MD5 hash Malicious RAR file containing PlugX (313615_MONTENEGRO-2021-HUMAN-RIGHTS-REPORT.rar)
                dcc6edf9c40f9c3f914416805252e11a
                ecb2e5ad
                SHA1 hash Malicious RAR file containing PlugX (313615_MONTENEGRO-2021-HUMAN-RIGHTS-REPORT.rar)
                325736437e278bccd6f04e0c57f72be7
                e1b4787b10743d813581cfc75dc4888f
                SHA256 hash Malicious RAR file containing PlugX (313615_MONTENEGRO-2021-HUMAN-RIGHTS-REPORT.rar)
                f6b365fad2dba5c7378df81339bb3078 MD5 hash Malicious shortcut file that executes PlugX (313615_MONTENEGRO-2021-HUMAN-RIGHTS-REPORT.pdf.lnk)
                710bc29b56da533cae0ed5bba47916b8
                11479ee8
                SHA1 hash Malicious shortcut file that executes PlugX (313615_MONTENEGRO-2021-HUMAN-RIGHTS-REPORT.pdf.lnk)
                eab73a44642e130091177ed2a7938c67
                d2411ccf81141a96bdb5116678ac97c2
                SHA256 hash Malicious shortcut file that executes PlugX (313615_MONTENEGRO-2021-HUMAN-RIGHTS-REPORT.pdf.lnk)
                5c56ac14f1245fecc7fa930bb49a0f7d MD5 hash Malicious DLL that loads PlugX (goopdate.dll)
                95f0de261ff57e67d666277b86783650
                89853d45
                SHA1 hash Malicious DLL that loads PlugX (goopdate.dll)
                b7f6cf8a6a697b254635eb0b567e2a89
                7c7f0cefb0c0d4576326dc3f0eb09922
                SHA256 hash Malicious DLL that loads PlugX (goopdate.dll)
                c94f930fee694db7253e7784ca3adc87 MD5 hash Encrypted PlugX payload (AvastDB.dat)
                04afecffaaff12058e07bcbda65dbbb6
                1cdea762
                SHA1 hash Encrypted PlugX payload (AvastDB.dat)
                13e60a836d64ce6d18059c82c2c0c1a3
                af0fce87e16d85f26e4b665d4e24e1b1
                SHA256 hash Encrypted PlugX payload (AvastDB.dat)
                e2fe6c54cb4a9a45fbc6f7eb3a9c4fbf MD5 hash Malicious RAR file containing PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.rar)
                85d8da08ba6ce60b9116c0c93f8d8c9e
                4fa7f24c
                SHA1 hash Malicious RAR file containing PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.rar)
                09fc8bf9e2980ebec1977a8023e8a294
                0e6adb5004f48d07ad34b71ebf35b877
                SHA256 hash Malicious RAR file containing PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.rar)
                c004559076a1d21e50477580526f2d9f MD5 hash Malicious shortcut file that executes PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.pdf.lnk)
                840c535120ed91eb88d32abe6fcc06d5
                b3053674
                SHA1 hash Malicious shortcut file that executes PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.pdf.lnk)
                a693b9f9ffc5f4900e094b1d1360f7e7
                b907c9c8680abfeace34e1a8e380f405
                SHA256 hash Malicious shortcut file that executes PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.pdf.lnk)
                af7b0e51f1572601889994f36b0a9d7a MD5 hash Malicious DLL that loads PlugX (goopdate.dll)
                0d7daad1d60f2ed2e23188aab1f3bbab
                f3ad0b63
                SHA1 hash Malicious DLL that loads PlugX (goopdate.dll)
                bda43368b62971b395c8fbcc854b6e9d
                113b3e26931214568e1df6201c1dfd0c
                SHA256 hash Malicious DLL that loads PlugX (goopdate.dll)
                1409c055064becf02ed074b6d0976feb MD5 hash Encrypted PlugX payload (AvastDB.dat)
                bb9803312d697d4cac5f7a2bec57da73
                b4d88486
                SHA1 hash Encrypted PlugX payload (AvastDB.dat)
                dfa01872aab09f04fcb9eca3653bd0fb
                c6968d040b12aedb93050d363e964891
                SHA256 hash Encrypted PlugX payload (AvastDB.dat)
                d3129539bc1e1c6cce321693be186522 MD5 hash Malicious RAR file containing PlugX (NV 309-2022 HMA's departure.pdf.rar)
                d640592b13b6983a38948f733a4b4621
                cdaf2530
                SHA1 hash Malicious RAR file containing PlugX (NV 309-2022 HMA's departure.pdf.rar)
                69ba51fe80ef91fb0b7280d16290a249
                41d3a131cee43f4379821f44d089d63e
                SHA256 hash Malicious RAR file containing PlugX (NV 309-2022 HMA's departure.pdf.rar)
                07e9c84bee28450b1ec24a6f06016802 MD5 hash Malicious shortcut file that executes PlugX (NV 309-2022 HMA's departure.pdf.lnk)
                4d15d67e1175f36be7b14c9474102d09
                82ea97b8
                SHA1 hash Malicious shortcut file that executes PlugX (NV 309-2022 HMA's departure.pdf.lnk)
                924fffea4d0a4710d71b507523d76a85
                4f06d4b9e64eb9074c04e1ec34141a53
                SHA256 hash Malicious shortcut file that executes PlugX (NV 309-2022 HMA's departure.pdf.lnk)
                a510e7b3e447a090cd3f41c4a1a9bd3a MD5 hash Malicious DLL that loads PlugX (opera_browser.dll)
                d30791be1bf9d2247faa6dfbeb9c132e
                9990b401
                SHA1 hash Malicious DLL that loads PlugX (opera_browser.dll)
                023d3bce6f1bcf6c15eb839a4e28c488
                8a346beaad74afce50cf30f4d911e70d
                SHA256 hash Malicious DLL that loads PlugX (opera_browser.dll)
                e819924ea9fa0c53634b306648cb9a84 MD5 hash Encrypted PlugX payload (operaDB.dat)
                70f36366b579ba344f9e90ec63b0e273
                fe6526e0
                SHA1 hash Encrypted PlugX payload (operaDB.dat)
                4b7c37ca79536f2692c64dfdc1b70738
                ceeb74ef7ba9e78d8f8db1dfa7ea64ef
                SHA256 hash Encrypted PlugX payload (operaDB.dat)
                64.34.205.41 IP address PlugX C2 server
                69.90.190.110 IP address PlugX C2 server
                104.255.174.58 IP address PlugX C2 server

                Table 2. Indicators for this threat.

                If you need urgent assistance with an incident, contact the Secureworks Incident Response team.

                Close Modal
                Close Modal