
UNC6384 Deploys PlugX via Captive Portal Hijacks

  • Javier Conejo del Cerro
  • 26 Aug
  • 3 min read


China-nexus group UNC6384 has been linked to a sophisticated campaign against diplomats in Southeast Asia and beyond. The operation blends captive portal hijacks, valid TLS certificates, and a digitally signed downloader to trick targets into installing a malicious loader. From there, DLL side-loading enables the stealthy, in-memory deployment of PlugX (SOGU.SEC), a backdoor with a long espionage history. The phases below show how deception, stealth, and payload come together into an effective cyber-espionage chain.


Phase 1: The Deception and Delivery 


The campaign begins with a redirection trick built into public networks.

  • AitM Captive Portal Redirect: When a victim joins hotel or airport Wi-Fi, the browser tests connectivity by requesting www.gstatic[.]com/generate_204 over plain HTTP and expects an empty 204 response; anything else is treated as a captive portal sign-in page and shown to the user. An attacker in an Adversary-in-the-Middle (AitM) position on the network answers that probe with a redirect, so the browser opens an attacker-controlled page instead of the genuine portal.

  • Fake Update Site with Valid TLS Certificate: The victim lands on a lookalike page masquerading as an Adobe plugin update. It is served over HTTPS with a valid Let’s Encrypt certificate, so the browser shows a padlock. The certificate only proves that whoever requested it controls the domain; it says nothing about whether the site belongs to Adobe, which is exactly what the lure relies on.

  • Downloader – STATICPLUGIN: The page prompts the victim to download an executable named AdobePlugins.exe (STATICPLUGIN) from mediareleaseupdates[.]com. Framed as a benign update, it is the first-stage downloader for the rest of the chain.


Phase 2: Stealthy Execution and Malware Deployment 


Once the victim runs the “update,” the stealth techniques begin.

  • Signed with GlobalSign: STATICPLUGIN carries a valid Authenticode signature from a certificate GlobalSign issued to Chengdu Nuoxin Times Technology Co., Ltd. A valid signature from a real, if unfamiliar, company helps the file pass reputation checks and controls that trust signed code.

  • DLL Side-loading: STATICPLUGIN retrieves an MSI that drops the legitimate, signed Canon IJ Printer Assistant Tool (cnmpaui.exe) alongside a malicious DLL with the name the tool expects, cnmpaui.dll (CANONSTAGER). When the trusted Canon binary starts, it loads the attacker’s DLL from its own directory instead of the vendor’s, so the malicious code runs inside a signed, legitimate-looking process.

  • Deploy PlugX (SOGU.SEC) in Memory: CANONSTAGER loads PlugX directly into memory rather than writing a decoded backdoor to disk. With no PlugX binary on the filesystem, file-based scanning has nothing to inspect and analysts must capture memory to recover the payload.


Phase 3: The Malicious Payload 


The endgame is full control of the victim’s machine.

PlugX (also called Korplug or SOGU) is now active in memory. This remote access trojan (RAT), long used by Chinese espionage groups, provides a powerful toolkit:

  • Remote shells: Execute commands on the victim’s system.

  • Keylogging: Capture every keystroke to steal passwords and sensitive text.

  • File theft: Steal documents, system data, and other files of interest.

  • Data exfiltration: Covertly send credentials, communications, and files back to the attacker’s servers.

  • Plugin extensions: Expand its functionality with modular add-ons to adapt to different missions.

PlugX has been a mainstay of PRC-linked operations since at least 2008 and remains a go-to backdoor for long-term espionage. UNC6384’s use of captive portals, valid certificates, and stealthy execution highlights how these groups continue to innovate in advancing state-aligned intelligence goals.


Measures to fend it off


  • Treat captive portal Wi-Fi as hostile: Use VPNs with always-on enforcement or prefer cellular hotspots when traveling.

  • Never trust “update” prompts from portals: Always download software directly from the vendor’s official website.

  • Certificate transparency monitoring: Track new certificates for suspicious domains that mimic updates or plugins.

  • Harden edge devices: Patch, monitor, and audit network appliances to prevent them being leveraged for AiTM redirection.

  • Detect side-loading abuse: Alert when signed vendor binaries such as the Canon IJ Printer Assistant Tool (cnmpaui.exe) run from user-writable locations (Downloads, Temp, AppData, ProgramData) or load a same-named DLL from those paths that is unsigned or signed by a different publisher than the host process.

  • Memory hunting: Hunt for anomalous memory injection behaviors and long-lived threads in signed processes.

  • Network filtering: Block known malicious domains such as mediareleaseupdates[.]com and monitor for unusual outbound traffic patterns.

  • Restrict USB propagation: Disable autorun and enforce scanning to mitigate PlugX’s secondary spread vector.

  • Incident response readiness: On suspected PlugX compromise, isolate the host, collect volatile evidence, revoke compromised credentials, and reimage from a clean baseline.
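The side-loading step in Phase 2 and the detection advice above both come down to one question: is a trusted executable loading a DLL it should not, from a directory a user can write to? The script below is an added example, not code from the original post or from any vendor; it evaluates Sysmon Event ID 7 (ImageLoaded) records using the real Sysmon field names (Image, ImageLoaded, Signed, Signature), but the sample events, file paths and signer strings are constructed for illustration and are not real telemetry or Canon’s actual certificate subject. It flags the cnmpaui.exe → cnmpaui.dll pair from the page when it appears outside a vendor install directory, and more generally any DLL loaded from a user-writable path that is unsigned or signed by someone other than the host process’s publisher.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (ImageLoaded) records.

Added example: field names follow Sysmon; events, paths and signer
strings below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Directories an unprivileged user can write to. A signed vendor tool has no
# business loading its companion DLL from here.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE
)

# Host executables known to be abused for side-loading and the DLL they pull
# in. The Canon IJ Printer Assistant Tool pair is the one described on the page.
KNOWN_SIDELOAD_HOSTS = {
    "cnmpaui.exe": "cnmpaui.dll",
}


@dataclass
class ImageLoadEvent:
    image: str               # Sysmon 'Image': process that loaded the DLL
    image_loaded: str        # Sysmon 'ImageLoaded': the DLL
    signed: bool             # Sysmon 'Signed' for the DLL
    signature: str           # Sysmon 'Signature': DLL signer, "" if unsigned
    process_signature: str   # signer of the host process (from its Event ID 1)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def classify(ev: ImageLoadEvent) -> List[str]:
    """Return the reasons an image load looks like side-loading (empty if clean)."""
    reasons = []
    host = _basename(ev.image)
    dll = _basename(ev.image_loaded)
    same_dir = _dirname(ev.image) == _dirname(ev.image_loaded)
    dll_in_user_dir = bool(USER_WRITABLE.match(ev.image_loaded))

    # 1. A known host/DLL pair running anywhere but the vendor install path.
    if KNOWN_SIDELOAD_HOSTS.get(host) == dll and dll_in_user_dir:
        reasons.append("known side-load pair loaded outside vendor install directory")
    # 2. Classic side-load: unsigned DLL sitting next to the host in a user path.
    if dll_in_user_dir and same_dir and not ev.signed:
        reasons.append("unsigned DLL loaded from host's user-writable directory")
    # 3. Signed, but by a publisher other than the one who signed the host.
    if dll_in_user_dir and ev.signed and ev.signature.lower() != ev.process_signature.lower():
        reasons.append("DLL signer differs from host process signer")
    return reasons


def hunt(events: Iterable[ImageLoadEvent]) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over a stream of events and keep only the hits."""
    return [(ev.image, ev.image_loaded, r) for ev in events if (r := classify(ev))]


# Constructed sample events (hypothetical paths and signer strings).
VENDOR_DIR = r"C:\Program Files\Canon\IJ Printer Assistant Tool"
TEMP_DIR = r"C:\Users\traveller\AppData\Local\Temp"

LEGIT_LOAD = ImageLoadEvent(
    VENDOR_DIR + r"\cnmpaui.exe", VENDOR_DIR + r"\cnmpaui.dll",
    True, "Example Printer Vendor", "Example Printer Vendor")
SIDELOAD = ImageLoadEvent(
    TEMP_DIR + r"\cnmpaui.exe", TEMP_DIR + r"\cnmpaui.dll",
    False, "", "Example Printer Vendor")
SYSTEM_DLL = ImageLoadEvent(
    TEMP_DIR + r"\cnmpaui.exe", r"C:\Windows\System32\kernel32.dll",
    True, "Microsoft Windows", "Example Printer Vendor")
SIGNER_MISMATCH = ImageLoadEvent(
    r"C:\Users\traveller\Downloads\tool.exe", r"C:\Users\traveller\Downloads\helper.dll",
    True, "Some Other Co", "Example Software Vendor")

if __name__ == "__main__":
    for image, dll, reasons in hunt([LEGIT_LOAD, SIDELOAD, SYSTEM_DLL, SIGNER_MISMATCH]):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

The third sample matters as much as the second: a host copied to Temp still loads kernel32.dll from System32, and that load is not a side-load, so the rule keys on where the DLL lives, not only on where the process lives. In a real deployment the signer comparison should use the certificate subject from your EDR or Sysmon output rather than a free-text publisher name.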
