Delaware, USA – October 10, 2019 – The National Cybersecurity Agency of France (ANSSI) published two reports on cyberattacks targeting service providers, design offices, government bodies, and other strategic entities. The first report reveals details about separate attacks on service providers and design offices; in one of them the attackers rely mainly on the PlugX backdoor. The PlugX backdoor trojan is used mainly by Chinese cyberespionage groups, and given the increased activity of numerous “Panda” APTs, it can be assumed that at least part of these attacks are carried out from China. In the other attacks, the adversaries use legitimate tools and their primary goal is stealing credentials, so researchers are struggling to attribute them.
The second ANSSI report focuses on large-scale phishing attacks targeting the government sector. Researchers discovered that some of the infrastructure and technical elements used during these campaigns had been used in previous campaigns by the North Korean APT group Kimsuky, active since at least 2013. These cyberspies attack diplomatic entities, country officials and think tanks using spearphishing emails and phishing websites to harvest credentials.
Content available on Threat Detection Marketplace to detect the PlugX backdoor trojan:
Executable used by PlugX in Uncommon Location – Sysmon Version – https://tdm.socprime.com/tdm/info/2155/
Executable used by PlugX in Uncommon Location – https://tdm.socprime.com/tdm/info/1026/
APT PLUGX Yara rules – https://tdm.socprime.com/tdm/info/1760/
APT WIN PLUGX Yara rules – https://tdm.socprime.com/tdm/info/1976/