
Illicit loaders spread by malware trio via DLL search order hijacking


Telecommunications and manufacturing organizations across Central and South Asia have been targeted by a new attack campaign that spreads the RainyDay and Turian backdoors and a novel PlugX malware variant, all of which leverage DLL search order hijacking to run illicit loaders, Cyber Security News reports.

RainyDay, Turian, and the PlugX variant all abuse the Windows DLL search order to take over the application loading process and execute code that runs the malicious DLL loader, a report from Cisco Talos revealed.

Researchers said that loading the nefarious DLL through a legitimate process provides an execution context that would better conceal malicious activity from security systems.
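The sideloading layout described above leaves a simple artifact on disk: a DLL sitting next to a legitimate executable whose file name matches a DLL in a system directory, so the loader picks it up first. The following audit script is an added example (not code from the report or from SC Media) that flags such DLLs and compares their hashes with the system copies; the directory names and sample files are constructed for illustration.

```python
"""Audit an application directory for DLLs that shadow system DLLs.

Windows resolves an unqualified LoadLibrary("foo.dll") by searching the
application's own directory before System32, so a DLL dropped beside a
legitimate executable is loaded into that executable's process. This
script flags every DLL in an application directory whose name also exists
in a system directory. (Constructed example. Modules listed under the
KnownDLLs registry key are always loaded from System32 and are exempt.)
"""
import hashlib
import os
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_shadowed_dlls(app_dir, system_dirs):
    """Return [(dll_name, app_copy_sha256, system_copy_sha256)] for each DLL
    in app_dir that shares its name (case-insensitively) with a DLL in any
    of system_dirs. A differing hash means the copy beside the executable
    is not the system file and deserves a closer look."""
    system_dlls = {}
    for sdir in map(Path, system_dirs):
        if not sdir.is_dir():            # tolerate a missing SysWOW64 etc.
            continue
        for entry in sdir.iterdir():
            if entry.is_file() and entry.suffix.lower() == ".dll":
                system_dlls.setdefault(entry.name.lower(), entry)
    findings = []
    for entry in sorted(Path(app_dir).iterdir()):
        if entry.is_file() and entry.suffix.lower() == ".dll":
            sys_copy = system_dlls.get(entry.name.lower())
            if sys_copy is not None:
                findings.append((entry.name, sha256_of(entry), sha256_of(sys_copy)))
    return findings


def default_system_dirs():
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return [os.path.join(root, "System32"), os.path.join(root, "SysWOW64")]


if __name__ == "__main__":
    import sys
    app = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, app_hash, sys_hash in find_shadowed_dlls(app, default_system_dirs()):
        verdict = "DIFFERS from system copy" if app_hash != sys_hash else "identical to system copy"
        print(f"{name}: {verdict}")
```

Run it against the install directory of any executable seen launching unexpected network or child-process activity; a shadowing DLL whose hash differs from the System32 copy is the pattern to triage first.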

All of the discovered payloads, which have been attributed to the Naikon and BackdoorDiplomacy groups, were found to share not only the use of the GetModuleFileNameA API to obtain the executable path and read the encrypted data, but also the same RC4 encryption keys and the same XOR-RC4-RtlDecompressBuffer decryption routine.
