Talisman is a potent RAT (Remote Access Trojan) that has been seen as part of the arsenal of what are believed to be Chinese-backed cyberespionage groups. The threat was built from the source code of the infamous PlugX malware and molded to fit the particular needs of the threat actors. It follows a similar execution flow: a signed, otherwise harmless binary is abused to load a malicious DLL, which executes as shellcode. That shellcode then decrypts the actual malware payload. Once established on a breached device, Talisman provides backdoor access to it.
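The loader chain above (a signed executable pulling a malicious DLL from beside itself) leaves a recognisable trace in image-load telemetry. The following heuristic is an added example, not code from the original page or from any vendor; the event records are constructed sample data loosely modelled on Sysmon Event ID 7 fields, and the field names `ProcessSigned` and `DllSigned` are assumptions for the example.

```python
from pathlib import PureWindowsPath

# Directories where an unsigned DLL beside a signed EXE is common enough that
# this heuristic stays quiet (constructed allowlist for the example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed image-load records, loosely modelled on Sysmon Event ID 7.
# Sample data for this example only, not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Update\legit_tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Update\helper.dll",
     "ProcessSigned": True, "DllSigned": False},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "ProcessSigned": True, "DllSigned": True},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "ProcessSigned": True, "DllSigned": False},
    {"Image": r"C:\ProgramData\cache\build.exe",
     "ImageLoaded": r"C:\ProgramData\cache\build.dll",
     "ProcessSigned": False, "DllSigned": False},
]


def _same_dir(a: str, b: str) -> bool:
    """Case-insensitive comparison of the parent directories of two paths."""
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def is_sideload_candidate(event: dict) -> bool:
    """A signed host process loading an unsigned DLL from its own directory,
    outside the trusted roots, matches the loader pattern described above."""
    if not event["ProcessSigned"] or event["DllSigned"]:
        return False  # unsigned host, or a properly signed DLL: other rules apply
    if event["Image"].lower().startswith(TRUSTED_ROOTS):
        return False  # installed software under a protected root
    return _same_dir(event["Image"], event["ImageLoaded"])


def find_sideload_candidates(events: list) -> list:
    """Return the loaded-DLL paths of every event that matches the heuristic."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for path in find_sideload_candidates(SAMPLE_EVENTS):
        print("review:", path)
```

Only the first record is flagged: the signed tool in a user-writable Temp directory loading an unsigned DLL from the same place. Signed-but-revoked or renamed legitimate hosts are a common variation, so pair this with the hash of the host binary rather than its filename.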
Talisman also retains the plug-in capabilities expected of a PlugX variant. The plug-ins the operators consider essential are embedded in the threat by default. Several of the identified plug-ins were listed in a report by the US CISA agency: Disk, Nethood, Netstat, Option, PortMap, RegEdit, Service, Shell, SQL and Telnet. Each plug-in's function matches its name.
So far, Talisman has been observed in several attack campaigns. Researchers tracked an operation targeting South Asian entities in the telecom and defense sectors; that attack has been attributed to a group known as Nomad Panda or RedFoxtrot. More recently, security researchers caught another Chinese-aligned hacker collective, again aimed at targets in the telecommunications sector, this time located in Central Asia. That campaign has been attributed to a threat actor tracked as 'Moshen Dragon.' It should be noted that some overlap has been established between the TTPs (tactics, techniques and procedures) of Moshen Dragon and RedFoxtrot.