Researchers warn of a new cyber espionage campaign by the notorious Mustang Panda APT group that has been ongoing since at least August 2021. A previously undocumented variant of the Korplug (also known as PlugX) remote access trojan (RAT) has been targeting primarily Ukrainian organizations and European diplomatic missions. The new strain was named Hodur after the mythological brother of Thor, because THOR is also the name of a very similar PlugX variant observed earlier.
Mustang Panda's Hodur campaign exploits the ongoing war between Russia and Ukraine as a lure, delivering malicious documents through phishing emails. The decoy documents are frequently updated, and the custom loaders that accompany them use anti-analysis techniques and control-flow obfuscation.
To detect activity associated with the new Korplug variant and proactively strengthen your defenses against Mustang Panda's latest shift, you can use the Sigma rule below by our prolific Threat Bounty developer Furkan Celik. It triggers on file events for files with DLL and OCX extensions, the extensions used by the side-loaded loader module.
Suspicious Mustang Panda Execution by Use of Korplug Backdoor (via file_event)
This rule is translated into the following SIEM, EDR, and XDR formats: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, Microsoft Defender for Endpoint, Devo, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Qualys, AWS OpenSearch.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic and the User Execution (T1204) technique.
Discover our extensive list of previous detection items covering a wide range of attacks associated with Korplug (PlugX) malware. If you would like to create your own detection content for Korplug RAT, Mustang Panda, or other emerging threats, you are welcome to contribute to our Threat Bounty Program.
In their phishing emails, the attackers continuously update the subjects of the messages and the names of the documents they send. For example, an attached file could be named “Situation at the EU borders with Ukraine.exe”, an executable posing as a document. They also attach infected documents that mimic European Parliament and Council regulations or a new COVID-19 travel restriction list.
Once the executable starts running, it downloads four files over HTTP: a decoy document, a legitimate executable that is abused for DLL side-loading, the malicious loader DLL, and the encrypted Korplug payload stored in a DAT file.
The last three components work together: the legitimate executable side-loads the loader DLL, which reads the encrypted DAT file, decrypts the payload in memory and executes it. Anti-analysis functions are present in both the loader and the payload.
Researchers note that this latest Korplug variant, which they call Hodur, differs somewhat from previous ones, yet it closely resembles THOR in its command and control (C&C) server format, its use of the Software\CLASSES\ms-pu registry key, and its use of the Static window class.
Once decrypted, the backdoor becomes active. It checks the path from which it is running and, depending on the result, either executes the RAT functionality directly or goes through an installation routine that establishes persistence.
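A single file_event match on a DLL or OCX extension is noisy on its own; what makes the chain above distinctive is that one process writes the whole drop set (host executable, loader module, encrypted DAT blob and usually a decoy) into one directory within seconds. The script below is an added example, not SOC Prime's Sigma rule and not ESET's or Mustang Panda's code. It correlates simplified Sysmon Event ID 11 (FileCreate) records serialised as `timestamp|pid|image|target_file`; that field layout, the 60-second window and every file name in the sample log are constructed for illustration and are not indicators from the campaign.

```python
"""Correlate file-creation events into a DLL side-loading drop set.

Added example (not SOC Prime's Sigma rule and not ESET's code). It assumes a
simplified Sysmon Event ID 11 (FileCreate) record serialised as
'timestamp|pid|image|target_file'; the field layout and every file name
below are constructed for illustration, not indicators from the campaign.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Roles in the drop set described in the write-up: a host executable that is
# abused for side-loading, a loader module (.dll or .ocx), the encrypted
# payload blob (.dat) and, optionally, a decoy document shown to the victim.
HOST_EXT = {".exe"}
LOADER_EXT = {".dll", ".ocx"}
PAYLOAD_EXT = {".dat"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".rtf"}
WINDOW = timedelta(seconds=60)  # writes of one drop set land close together


def parse_event(line: str) -> dict:
    """Split one 'ts|pid|image|target' record (constructed format)."""
    ts, pid, image, target = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image, "target": PureWindowsPath(target)}


def find_sideload_drops(lines) -> list:
    """Return one finding per (process, directory) that receives a host .exe,
    a loader .dll/.ocx and a payload .dat within WINDOW of each other."""
    writes = defaultdict(list)  # (pid, image, directory) -> [(ts, name)]
    for line in lines:
        ev = parse_event(line)
        key = (ev["pid"], ev["image"], str(ev["target"].parent).lower())
        writes[key].append((ev["ts"], ev["target"].name))

    findings = []
    for (pid, image, directory), events in writes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Sliding window anchored on each write: take everything that
            # follows within WINDOW and look at the set of extensions.
            names = [n for t, n in events[i:] if t - t0 <= WINDOW]
            exts = {PureWindowsPath(n).suffix.lower() for n in names}
            if exts & HOST_EXT and exts & LOADER_EXT and exts & PAYLOAD_EXT:
                findings.append({"pid": pid, "image": image,
                                 "directory": directory, "files": names,
                                 "has_decoy": bool(exts & DECOY_EXT)})
                break  # one finding per process/directory is enough
    return findings


# Constructed sample log. The first process mimics the chain in the write-up
# (the downloader name is the lure quoted above; the dropped file names are
# placeholders). The second is an installer laying down an .exe and .dll
# with no payload blob, which a bare extension match would also flag.
DL = r"C:\Users\user\Downloads\Situation at the EU borders with Ukraine.exe"
STAGE = r"C:\Users\user\AppData\Local\Temp\stage"
MSI = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [
    rf"2022-03-01T09:00:01|4120|{DL}|{STAGE}\decoy.pdf",
    rf"2022-03-01T09:00:02|4120|{DL}|{STAGE}\host.exe",
    rf"2022-03-01T09:00:03|4120|{DL}|{STAGE}\loader.dll",
    rf"2022-03-01T09:00:05|4120|{DL}|{STAGE}\payload.dat",
    rf"2022-03-01T09:10:00|5000|{MSI}|C:\Program Files\Vendor\app.exe",
    rf"2022-03-01T09:10:01|5000|{MSI}|C:\Program Files\Vendor\helper.dll",
    rf"2022-03-01T09:10:02|5000|{MSI}|C:\Program Files\Vendor\readme.rtf",
]

if __name__ == "__main__":
    for f in find_sideload_drops(SAMPLE_EVENTS):
        decoy = " with decoy" if f["has_decoy"] else ""
        print(f"[!] pid {f['pid']} ({f['image']}) dropped {f['files']} "
              f"into {f['directory']}{decoy}")
```

Grouping by process and directory and requiring all three roles is what separates the drop set from an installer or an updater that also writes executables and DLLs. The fixed 60-second window is a trade-off: a downloader that pauses between fetches longer than that would escape it, so in production the window should be tuned against real first-stage timings, and the finding should be enriched with the signer of the host executable and whether the directory is user-writable.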
The new Korplug variant Hodur shows intricate behavior and iterative improvement of its hard-coded functionality, even over the course of a single phishing campaign, and its decoy documents are quickly adjusted to the latest disturbing world events. SOC teams therefore have to upgrade and refine their defenses faster still to deny the attackers an edge in this cyberwar. Join SOC Prime's Detection as Code platform to access the world's largest live pool of detection content, created by reputable experts in the field and continuously updated in response to the latest threats.