How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking blog.talosintelligence.com/how-rainy…
Cisco Talos has identified an ongoing campaign targeting the telecommunications and manufacturing sectors in Central and South Asian countries. Based on our analysis of collected evidence, we assess with medium confidence that this campaign can be attributed to Naikon, an active Chinese-speaking threat actor that has been operating since 2010. This assessment is based on analysis of the PlugX configuration format used during this campaign as well as the malware infection chain involved, which was very similar to their previous malware, RainyDay.
During the investigation and hunting efforts for RainyDay backdoors, Talos uncovered two significant findings. First, we found that several instances of the Turian backdoor and newly identified variants of the PlugX backdoor were abusing the same legitimate Mobile Popup Application as RainyDay to load themselves into memory. Second, we observed that the three malware families leverage loaders which not only have a similar XOR decryption function but also use the same RC4 key to decrypt the encrypted payload. Although we did not observe any activity associated with RainyDay or Turian during this campaign, this finding enables us to make assessments regarding attribution.
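The overlap described above (loaders with comparable XOR routines and a shared RC4 key) is the kind of thing an analyst confirms with a small triage script. The following is an added example written for this page, not Talos or malware code: it models a loader that carries an XOR-obfuscated RC4 key and an RC4-encrypted PE payload, decodes the key from several constructed samples, checks that the key actually decrypts each payload to something PE-shaped, and reports whether all samples share one key. The single-byte XOR key obfuscation, the sample layout and the key value are assumptions for illustration; the real loaders' layout is not specified on the page.

```python
# Added example (not Talos code): confirm RC4 key reuse across loader samples.
# Sample layout (XOR-obfuscated key + RC4 payload) and key values are constructed.
from typing import Dict, List, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by keystream XOR. Symmetric, so
    the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_decode(data: bytes, xor_key: bytes) -> bytes:
    """Repeating-key XOR, the simple transform loaders use to hide strings
    and keys. Symmetric like RC4."""
    return bytes(b ^ xor_key[i % len(xor_key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap plausibility check on a decrypted payload: MZ header, room for
    e_lfanew, and a PE signature somewhere in the image."""
    return blob[:2] == b"MZ" and len(blob) >= 0x40 and b"PE\0\0" in blob


def build_sample(rc4_key: bytes, xor_byte: int) -> Dict[str, object]:
    """Construct a fake loader sample (assumption: key is single-byte XOR
    obfuscated, payload is RC4 encrypted with that key)."""
    fake_pe = b"MZ" + b"\0" * 0x3A + b"PE\0\0" + b"constructed payload body"
    return {
        "obf_key": xor_decode(rc4_key, bytes([xor_byte])),
        "xor_byte": xor_byte,
        "payload": rc4(rc4_key, fake_pe),
    }


def triage(samples: List[Dict[str, object]]) -> Dict[str, object]:
    """Decode each sample's RC4 key, verify it decrypts the payload to a PE
    image, and report whether every sample uses the same key."""
    keys = [xor_decode(s["obf_key"], bytes([s["xor_byte"]])) for s in samples]
    all_pe = all(looks_like_pe(rc4(k, s["payload"])) for k, s in zip(keys, samples))
    shared: Optional[bytes] = keys[0] if len(set(keys)) == 1 else None
    return {"keys": keys, "shared_key": shared, "all_decrypt_to_pe": all_pe}


if __name__ == "__main__":
    # Three constructed samples, each obfuscating the same key with a different byte.
    demo = [build_sample(b"SharedKey", xb) for xb in (0x5A, 0x33, 0xC7)]
    print(triage(demo))
```

On real samples, `obf_key` and `payload` would be carved from the loader's data section (offsets differ per family), and a key decoding to a valid PE in several unrelated loaders is the concrete evidence behind the shared-tooling assessment in the text.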