Three sophisticated malware families have emerged as significant threats to telecommunications and manufacturing sectors across Central and South Asia, representing a coordinated campaign that exploits legitimate system processes to deliver powerful backdoor capabilities.
RainyDay, Turian, and a new variant of PlugX have been systematically abusing DLL search order hijacking techniques to execute malicious loaders, establishing persistent footholds within targeted networks since 2022.
The convergence of these malware families reveals a sophisticated operation that leverages shared infrastructure and methodologies, suggesting potential collaboration between previously distinct threat actors.
All three malware variants exploit the same legitimate Mobile Popup Application for DLL sideloading, employ identical RC4 encryption keys, and utilize the XOR-RC4-RtlDecompressBuffer algorithm for payload decryption.
This technical overlap indicates either shared development resources or coordinated distribution among the operating groups.
The campaign primarily targets organizations within the telecommunications and manufacturing sectors, focusing on countries throughout Central and South Asia.
The strategic selection of these industries and geographic regions aligns with espionage objectives, particularly given the critical infrastructure and sensitive communications these sectors handle.
Comparison between the Naikon and the BackdoorDiplomacy by using the diamond model (Source – Cisco Talos)
The sustained nature of the campaign, active since at least 2022 with some components tracing back to 2016, demonstrates the persistent and patient approach characteristic of advanced persistent threat operations.
Cisco Talos analysts identified this campaign through extensive hunting efforts that revealed the interconnected nature of these seemingly separate malware families.
The discovery emerged during investigations into RainyDay backdoor activities, where researchers uncovered the shared abuse of legitimate applications and consistent encryption methodologies across all three families.
This finding enabled attribution assessments linking the activities to known threat groups, specifically Naikon and potentially BackdoorDiplomacy.
The technical sophistication of these attacks extends beyond simple malware deployment, incorporating advanced evasion techniques and persistence mechanisms that allow for long-term network compromise.
Keylogger components embedded within the PlugX variant have demonstrated successful persistence spanning nearly two years in victim environments, highlighting the effectiveness of these tools in maintaining covert access.
The malware families share not only technical implementation similarities but also targeting patterns and operational methodologies that suggest coordinated planning and execution.
DLL Search Order Hijacking Exploitation Mechanism
The core infection mechanism employed by RainyDay, Turian, and the PlugX variant centers on exploiting Windows DLL search order vulnerabilities to achieve code execution through legitimate processes.
RainyDay malware flow (Source – Cisco Talos)
This technique involves placing malicious DLL files in locations where Windows will load them instead of legitimate libraries, effectively hijacking the normal application loading process.
The malware families achieve this by abusing legitimate applications, specifically targeting the Mobile Popup Application as their primary vehicle for DLL sideloading operations.
When these legitimate applications attempt to load required DLL files, the Windows loader follows a predetermined search order to locate the necessary libraries.
The attackers exploit this behavior by placing their malicious DLL loaders in directories that are searched before the legitimate library locations.
Once the malicious DLL is loaded by the legitimate process, it gains execution context within a trusted application, allowing it to operate with reduced suspicion from security monitoring systems.
The technical implementation involves three distinct loader files, each corresponding to their respective malware families.
New PlugX variant malware flow (Source – Cisco Talos)
The RainyDay loader targets and decrypts data from “rdmin.src” files, while the PlugX variant processes “Mcsitesdvisor.afx” files, and Turian handles “winslivation.dat” files.
Each loader utilizes XOR encryption as the initial decryption layer before proceeding to more complex payload processing stages.
The shared codebase among these loaders reveals sophisticated development coordination, with all three implementations using the GetModuleFileNameA API to obtain executable paths and reading encrypted data from hardcoded filenames within the infection directory.
The decrypted shellcode follows identical formatting standards, containing RC4-encrypted and LZNT1-compressed data that undergoes a multi-stage unpacking process.
This process ultimately deploys the final malware payload into memory through CALL or JMP instruction execution.
Analysis of Program Database (PDB) paths embedded within the loader samples provides insight into the development process and naming conventions used by the threat actors.
Turian malware flow (Source – Cisco Talos)
The Turian loader contains paths referencing “icmpsh-master” with Chinese text translating to “provide web version,” suggesting modifications for web-based command and control infrastructure.
These technical artifacts demonstrate the methodical approach taken in developing and customizing these tools for specific operational requirements, while maintaining shared functionality across the different malware families.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Source: cybersecuritynews.com
