TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates

March 8, 2022

Close analysis of delivered payloads and legitimate resources retrieved from URLs by the first-stage malware dropper reveals that TA416 continues to evolve its methods. The group is now using an updated version of PlugX malware to target victims. This development highlights their persistent reliance on DLL search order hijacking techniques and their ability to adapt their tools for obfuscation and anti-analysis.

Leveraging Legitimate Files for DLL Search Order Hijacking

Historically, TA416 has utilized legitimate antivirus files, such as Avast’s wsc_proxy.exe, to initiate the process of DLL search order hijacking for PlugX malware installation.

In the January 2022 campaigns, the group introduced a new method, using the legitimate executable potplayermini.exe from the media player Daum PotPlayer (version 1.5.29825). This file has been susceptible to search order hijacking since at least 2016 and has been previously exploited by numerous Chinese APT groups.

Campaign-Specific Tactics

  • Sideloaded PotPlayer.dll: The attackers leveraged potplayermini.exe to load the file PotPlayer.dll, which contains an obfuscated launcher that executes the PlugX variant stored in PotPlayerDB.dat.
  • Alternative Loader: The file DocConvDll.dll was intermittently used to load PlugX’s DAT configuration files, further diversifying the group’s tactics.

This technique mirrors the Trident Loader method, a hallmark of TA416’s historical PlugX deployment strategies.
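As an added example that is not part of the article or of any vendor tooling, the Python check below applies the sideloading pattern just described to simplified Sysmon Event ID 7 (image load) records: it flags one of the named host executables loading a DLL from its own directory when that directory is user-writable or the DLL is not validly signed. Field names follow Sysmon; the user-writable path list and the sample events are constructed assumptions.

```python
import ntpath

# Legitimate executables the article names as DLL search order hijacking hosts.
SIDELOAD_HOSTS = {"potplayermini.exe", "wsc_proxy.exe"}
# Path fragments an unprivileged user can write to (assumed list); a genuine
# install of either host lives under Program Files instead.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def flag_sideload(event):
    """Return a reason string if a Sysmon Event ID 7 record (dict keyed by the
    Sysmon fields Image, ImageLoaded, SignatureStatus) looks like DLL
    sideloading by one of the known hosts, else None."""
    host, dll = event["Image"], event["ImageLoaded"]
    if ntpath.basename(host).lower() not in SIDELOAD_HOSTS or not dll.lower().endswith(".dll"):
        return None
    host_dir = ntpath.dirname(host).lower() + "\\"
    if ntpath.dirname(dll).lower() + "\\" != host_dir:
        return None  # resolved from System32 etc.: ordinary search order behaviour
    reasons = []
    if any(marker in host_dir for marker in USER_WRITABLE):
        reasons.append("host runs from a user-writable path")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("side-by-side DLL is not validly signed")
    if not reasons:
        return None  # the application loading its own signed DLL from its install directory
    return (f"{ntpath.basename(host)} loaded {ntpath.basename(dll)} from its own "
            f"directory: " + "; ".join(reasons))

def scan(events):
    """Return (index, reason) for every event flag_sideload() reports."""
    return [(i, r) for i, e in enumerate(events) if (r := flag_sideload(e))]

# Constructed sample events, not real telemetry: a normal system DLL load, a
# sideload from a user profile directory, and a legitimate install loading its own DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\DAUM\PotPlayer\PotPlayerMini.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Roaming\PotPlayer\potplayermini.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\PotPlayer\PotPlayer.dll",
     "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\DAUM\PotPlayer\PotPlayerMini.exe",
     "ImageLoaded": r"C:\Program Files\DAUM\PotPlayer\PotPlayer.dll",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for i, reason in scan(SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

Only the second sample event is reported; the third shows why the same-directory test alone is not enough, since a genuine install loads its own signed DLL the same way.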

Advancements in PlugX Malware Payload

Updated Encoding and Configuration

The new PlugX variant introduced by TA416 includes significant updates:

  • New Encoding Methods: The group replaced their traditional XOR-based decoding approach with a more convoluted method that reduces dependencies.
  • Expanded Configuration Capabilities: The updated payload provides greater flexibility and obfuscation, complicating analysis.

Obfuscation and API Resolution

TA416 has enhanced PlugX’s obfuscation techniques to thwart detection and analysis:

  • The malware now resolves API functions during runtime, specifically focusing on resolving GetProcAddress and LoadLibrary addresses.
  • Instead of relying on standard API hashing, the malware performs these actions in a way that complicates traditional analysis methods.

Obfuscation Through State Machine Logic

One of the standout features of the updated PlugX malware is the use of a state machine to obfuscate its core functionality:

  • State-Based Logic Execution: The malware maintains a state variable with numerous comparisons within its functions. After executing a block, the state variable is updated to dictate the next block, making static analysis challenging.
  • Dynamic XOR Operations: After each iteration of the state machine, the state variable is modified via an XOR operation, so the states are not hardcoded and depend on runtime conditions.

These techniques collectively obscure the malware’s execution order and hinder analysts from identifying its “business logic.”

Anti-Analysis Techniques

TA416 has further fortified PlugX with additional anti-analysis mechanisms:

  • Dynamic State Modification: By dynamically modifying states during execution, the malware makes reverse engineering difficult.
  • Concealed Logic: Most of the payload’s core functions are obfuscated, requiring advanced techniques to unravel the malware’s operations.

Conclusion

TA416’s recent campaigns demonstrate their continued reliance on DLL search order hijacking and their ability to innovate within their malware arsenal. The group’s updated version of PlugX malware introduces new obfuscation strategies, expanded configuration capabilities, and robust anti-analysis techniques, posing significant challenges to defenders.

By leveraging legitimate files like potplayermini.exe and incorporating advanced obfuscation methods such as state machine logic, TA416 showcases their adaptability and persistence in executing targeted campaigns.

To counter such threats, organizations must adopt advanced threat detection and analysis capabilities, focusing on identifying anomalous activity tied to legitimate processes.
