Hodur Malware

Hodur Malware Description

A previously unknown malware strain has been used in an attack campaign attributed to the Mustang Panda APT (Advanced Persistent Threat) group. The cybercrime group is also tracked as TA416, RedDelta, or PKPLUG. This new addition to its threatening arsenal has been named Hodur by the researchers who uncovered the attack operation and analyzed the malware. According to their report, Hodur is a variant based on the Korplug RAT malware. Furthermore, it bears a significant resemblance to another Korplug variant known as THOR, which was first documented by Unit 42 back in 2020.

Attack Campaign

The operation deploying the Hodur threat is believed to have started around August 2021. It follows the typical Mustang Panda TTPs (Tactics, Techniques, and Procedures). Victims of the attack have been identified in multiple countries spread across several continents. Infected machines have been identified in Mongolia, Vietnam, Russia, Greece and other countries. The targets were entities associated with European diplomatic missions, Internet Service Providers (ISPs) and research organizations.

The initial infection vector involved the dissemination of lure documents that take advantage of current global events. Indeed, Mustang Panda continues to demonstrate its ability to quickly update its decoy documents to exploit any significant event. The group was observed using an EU regulation regarding COVID-19 a mere two weeks after it was enacted, and documents about the war in Ukraine were deployed just days after the surprise Russian invasion of the country.

Threatening Capabilities

Notably, the attackers employ anti-analysis techniques, as well as control-flow obfuscation, at every stage of the malware deployment process, a characteristic rarely seen in other attack campaigns. The Hodur malware is initiated via a custom loader, demonstrating the attackers' continued focus on iterating on and creating new threatening tools.

The Hodur malware, once fully deployed, recognizes two large groups of commands. The first consists of 7 distinct commands and is mostly concerned with executing the malware and performing the initial reconnaissance and data gathering on the breached device. The second command group is much larger, with nearly 20 different commands related to the threat's RAT capabilities. The attackers can instruct Hodur to list all mapped drives on the system or the contents of a specific directory, open or write files, execute commands on a hidden desktop, open a remote cmd.exe session and execute commands, locate files matching a provided pattern, and more.