A cyberespionage campaign deploying Hodur, a previously undocumented variant of the PlugX remote access trojan, was uncovered during analysis of the PlugX family. The campaign has been active since August last year and is attributed to Mustang Panda, an advanced persistent threat group based in China.
The new PlugX variant is named Hodur because it closely resembles another variant of the same RAT, THOR. The researchers chose the name because Hodur and Thor are brothers in Norse mythology.
The campaign's attack chain uses decoy documents that are continually refreshed to track news about the Russia/Ukraine geopolitical conflict and other European current events.
The phishing lures include a regional guide map of European countries, regulations of the European Parliament and Council, and the latest COVID-19 travel restrictions and protocols.
Researchers noted that one of the primary lures is a legitimate document that the threat actors took from the European Council website. The infection chain ends with the Hodur backdoor deployed on the targeted Windows system.
Hodur's targets span several countries.
Most victims are located in East and Southeast Asia and in European countries including Russia, Cyprus, and Greece. The backdoor has also been used against targets in Africa, including South Africa, Sudan, and South Sudan.
The researchers also explained that the targeted sectors include ISPs, research entities, and European diplomatic missions based in East and Southeast Asia.
This recently identified variant is built on Korplug (another name for PlugX), which numerous APT groups use. Most of the RAT functionality the Chinese group uses in the ongoing campaign comes from earlier Korplug strains, but Hodur adds some tweaks, additional commands, and new behaviours.
Experts pointed out that Hodur supports a range of commands that let the implant collect extensive system information, execute commands, read and write arbitrary files, and spawn a remote cmd.exe session.
Mustang Panda is quick to adopt current affairs, conflicts, and trends as lures. The group keeps refining Hodur's tactics, techniques, and procedures to get the most out of the variant. Experts advise that organisations deploy multi-layered security controls to reduce the chance of a Hodur infection.