Security researchers have discovered new malware, called Hodur, being distributed in a still-ongoing malicious campaign. The malware is similar to a previous malware, called Thor, and has been attributed to the Chinese Mustang Panda threat group.
Hodur Backdoor Malware Campaign: What Is Known So Far
The Mustang Panda threat actors were first detected in campaigns in 2019, distributing various macro-infected documents. The attacks were global and not limited to China. What we know is that the group originally started spreading malware in 2018, but later upgraded its tactics to include new procedures. Some of the 2019 attacks targeted the China Center (a non-profit organization), a Vietnamese political party, and residents of Southeast Asia.
The latest Hodur malware campaign is still ongoing and was probably initiated in August 2021.
Research entities, internet service providers, and European diplomatic missions have been targeted so far, according to ESET researchers. The hackers are once again using infected documents to trick users into infecting themselves, this time themed around current events in Europe such as the war in Ukraine and Covid-19. It is noteworthy that every stage of the infection uses anti-analysis techniques and control-flow obfuscation, which had not been used in previous campaigns by this threat actor.
The list of affected countries includes Mongolia, Vietnam, Myanmar, Greece, Russia, Cyprus, South Sudan, and South Africa. The threat actors use custom loaders for shared malware such as Cobalt Strike and Korplug.
The Hodur campaign relies on three files deployed on the victim’s system: a legitimate, validly signed executable that is prone to DLL search-order hijacking, a malicious DLL, and an encrypted payload. The executable loads the malicious DLL, which then decrypts and executes the Korplug RAT. In some cases, a downloader is first used to deliver these files along with a fake document, the researchers noted. The infection chain ends with the deployment of the Hodur backdoor on the compromised machine.
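The loader chain above (a signed executable that loads a planted DLL from its own directory) leaves a characteristic trace in image-load telemetry. The following is an added example for detection engineers, not tooling from ESET or from the campaign: it runs two sideloading heuristics over Sysmon Event ID 7 ("Image loaded") records. The records, the pipe-separated key=value layout (a simplification of the real Sysmon XML), the trusted directory prefixes and the short list of system DLL names are all constructed for illustration.

```python
"""
Heuristic detection of DLL search-order hijacking (DLL sideloading) from
Sysmon Event ID 7 "Image loaded" records. Added example, not the campaign's
or ESET's tooling; the event lines are constructed, and the field layout is
a simplified key=value rendering of the Sysmon event, not the real XML.
"""
import ntpath
from dataclasses import dataclass

# Directories in which a DLL sitting next to its loading executable is
# expected. Assumption: these prefixes are trusted on the monitored hosts.
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Illustrative subset of Windows system DLL base names that should normally
# resolve from C:\Windows\System32, not from a user-writable directory.
SYSTEM_DLL_NAMES = {"version.dll", "wtsapi32.dll", "cryptsp.dll", "dbghelp.dll"}


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reasons: tuple


# Constructed Sysmon-style Event ID 7 records (pipe-separated key=value).
SAMPLE_EVENTS = [
    "Image=C:\\Users\\alice\\Downloads\\report\\signedviewer.exe|ImageLoaded=C:\\Users\\alice\\Downloads\\report\\helper.dll|Signed=false|SignatureStatus=Unavailable",
    "Image=C:\\Users\\alice\\Downloads\\report\\signedviewer.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Program Files\\Vendor\\plugin.dll|Signed=false|SignatureStatus=Unavailable",
    "Image=C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe|ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe|ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\wtsapi32.dll|Signed=false|SignatureStatus=Unavailable",
]


def parse_event(line: str) -> dict:
    """Split a 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)


def assess(event: dict) -> tuple:
    """Return the tuple of reasons this image load looks like sideloading."""
    image = event.get("Image", "").lower()
    dll = event.get("ImageLoaded", "").lower()
    if not dll.endswith(".dll"):
        return ()
    reasons = []
    signed = event.get("Signed", "").lower() == "true"
    # 1. Unsigned DLL resolved from the loader's own, non-trusted directory:
    #    a DLL planted beside a legitimately signed EXE, as in the chain above.
    if ntpath.dirname(image) == ntpath.dirname(dll) and not signed and not is_trusted_dir(dll):
        reasons.append("unsigned-dll-in-image-dir")
    # 2. A DLL carrying a Windows system DLL's name loaded from outside
    #    C:\Windows: search-order hijacking of a known import, flagged
    #    regardless of whether the file carries some signature.
    if ntpath.basename(dll) in SYSTEM_DLL_NAMES and not dll.startswith("c:\\windows\\"):
        reasons.append("system-dll-name-outside-windows")
    return tuple(reasons)


def analyze(lines) -> list:
    """Run assess() over raw records and collect the flagged loads."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append(Finding(event["Image"], event["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.process} loaded {f.dll}: {', '.join(f.reasons)}")
```

On the constructed records the first, fourth and fifth loads are flagged; the plugin under Program Files and kernel32.dll from System32 are not. In production the Signed and SignatureStatus fields should be taken from Sysmon's own fields rather than trusted blindly, and the system DLL name list should be generated from an inventory of C:\Windows\System32 on a known-good host.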
The backdoor supports a number of commands that let the implant collect extensive system details, read and write arbitrary files, execute commands, and launch a remote cmd.exe session.