PlugX Malware Detection: Bronze President Crime Ring Uses Post-Exploitation Modular RAT in the Latest Crime Wave

Bronze President

A China-backed crime ring tagged Bronze President launched a campaign targeting government officials in Europe, the Middle East, and South America leveraging PlugX malware – the backdoor popular among Chinese hacker gangs.

According to the researchers, the major objective of the threat group is espionage.

Detect PlugX Malware

SOC Prime delivers Threat Hunting & Cyber Threat Intelligence for accelerated SOC operations, leveraging the benefits of a code-driven approach for scalable and effective security practices. The following Sigma-based rules released by SOC Prime’s Threat Bounty developers Wirapong Petshagun and Zaw Min Htun (ZETA) help security practitioners detect whether the systems were exposed to PlugX malware:

Possible detection of Chinese government-sponsored BRONZE PRESIDENT’s PlugX Activity via Registry Event

Possible PlugX RAT Loader Execution by Detection of Loaded DLL File (via image_load)

The detections are available for 26+ SIEM, EDR & XDR platforms, aligned with the MITRE ATT&CK® framework v.10.

Follow the upcoming releases in order to not miss fresh SOC content items related to this campaign. Get instant access by clicking the Explore Detections button.

Explore Detections  

PlugX Malware Analysis

The Bronze President criminal hacker group, aka Mustang Panda, HoneyMyte, Red Lich, Temp.Hex., TA416, and RedDelta, use closed- and open-source malicious software to compromise entities in a wide array of industry sectors since 2018. Among the tools that the threat actors use are both legitimate and malicious software such as Cobalt Strike, China Chopper, ORat, and RCSession.

The cluster’s Modus operandi suggests that it is either merely tolerated by the Chinese government or even tasked by it.

In Spring 2022, threat analysts from ESET released a detailed write-up on the cyberespionage campaign carried out by the Bronze President. The threat group used one of the PlugX versions tagged Hodur in attacks across East and Southeast Asia, Europe, and Africa, spreading it in a spear-phishing campaign.

The most recent campaign is characterized by the introduction of RAR archive files to distribute malware. When the victim opens a weaponized RAR file, a Windows shortcut (LNK) file that looks like a document is shown. Clicking on this “file” will execute the malware. The attacks were documented in June and July 2022.

There is no silver bullet when it comes to modern security threats. SOC professionals need the best-in-class solutions designed to help timely identify threats before attackers set up persistence mechanisms, steal data, or inject payloads. To stay ahead of emerging threats and empower your SOC operations, get a subscription to Threat Detection Marketplace. The TDM is a one-stop shop for all relevant cross-vendor and cross-tool SOC content tailored to 25 market-leading SIEM, EDR, and XDR technologies. The content is continuously enriched with additional threat context, as well as checked for impact, efficiency, false positives, and other operational considerations through a series of quality assurance audits.


Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts