
UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities

Arctic Wolf Labs has identified a cyber espionage campaign by the Chinese-affiliated threat actor UNC6384 targeting European diplomatic entities. The campaign exploits the ZDI-CAN-25373 Windows shortcut vulnerability to deliver malicious LNK files, ultimately deploying the PlugX RAT via DLL side-loading of legitimate Canon printer utilities.

Sens: Immediate | Conf: high | Analyzed: 2026-03-19

Authors: Arctic Wolf Labs

Actors: UNC6384, Mustang Panda, TEMP.Hex, PlugX, SOGU.SEC, CanonStager

Source: Arctic Wolf

IOCs · 6

Key Takeaways

  • UNC6384 rapidly weaponized the ZDI-CAN-25373 Windows shortcut vulnerability within six months of its disclosure.
  • The campaign targets European diplomatic entities using highly authentic conference and meeting themes as spearphishing lures.
  • The attack chain utilizes DLL side-loading of a legitimately signed Canon printer utility (cnmpaui.exe) to evade detection.
  • The CanonStager loader has evolved significantly, reducing in size from 700KB to 4KB to minimize its forensic footprint.
  • The ultimate payload is a memory-resident variant of the PlugX RAT (SOGU.SEC) used for persistent intelligence collection.

Affected Systems

  • Windows OS

Vulnerabilities (CVEs)

  • ZDI-CAN-25373

Attack Chain

The attack begins with spearphishing emails delivering malicious LNK files that exploit the ZDI-CAN-25373 vulnerability. Upon execution, obfuscated PowerShell extracts a TAR archive containing a legitimate Canon printer utility, a malicious DLL loader (CanonStager), and an encrypted PlugX payload. The legitimate executable is launched, triggering DLL side-loading of the malicious loader, which decrypts and executes PlugX in memory. PlugX establishes persistence via a Registry Run key and communicates with C2 infrastructure over HTTPS for intelligence collection.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Arctic Wolf Labs

The article provides YARA rules to detect the PlugX RAT variant, the CanonStager DLL loader, and malicious LNK files exploiting the ZDI-CAN-25373 vulnerability.

Detection Engineering Assessment

  • EDR Visibility: Medium — While initial LNK execution and PowerShell commands are highly visible, the use of DLL side-loading via a legitimately signed Canon binary and in-memory execution of PlugX may bypass some behavioral detections.
  • Network Visibility: Medium — C2 traffic uses standard HTTPS over port 443, blending in with normal web traffic, though the specific URL parameters and hardcoded User-Agent string offer detection opportunities.
  • Detection Difficulty: Hard — The threat actor uses a recently disclosed vulnerability, signed binaries for execution, heavy obfuscation (control-flow flattening), and in-memory payload execution, making static and basic behavioral detection difficult.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • File Creation (Sysmon 11)
  • Registry Modifications (Sysmon 12/13/14)
  • Network Connections (Sysmon 3)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for instances of cnmpaui.exe executing from unusual directories such as AppData\Roaming or AppData\Local\Temp, which may indicate DLL side-loading. | Process Creation, File Creation | Execution / Defense Evasion | Low
Search for PowerShell processes spawned by Windows Explorer or LNK files that subsequently execute tar.exe to extract files. | Process Creation | Execution | Low
Monitor for the creation of registry Run keys containing paths to cnmpaui.exe in hidden or unusual user profile directories. | Registry Modifications | Persistence | Low
Identify network connections made by cnmpaui.exe to external IP addresses over port 443, as the legitimate printer utility should not typically exhibit this behavior. | Network Connections | Command and Control | Low

Control Gaps

  • Lack of official patch for the ZDI-CAN-25373 vulnerability.
  • Windows continues to trust code signed with an expired code-signing certificate when the signature carries a valid timestamp.

Key Behavioral Indicators

  • Execution of cnmpaui.exe from non-standard paths.
  • Presence of cnmpaui.dll and cnmplog.dat in the same directory as cnmpaui.exe.
  • Specific hardcoded User-Agent string: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
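
A hunt over constructed Sysmon-style events that implements the four hunting hypotheses above plus the co-located-file and User-Agent indicators (added example, not Arctic Wolf's detection content; the event field names, the user "alice", the SID, the 203.0.113.10 address and the proxy record shape are assumptions, while the SamsungDriver persistence path follows the File Paths entry of this summary):

```python
import re

# Constructed Sysmon-style events (not real telemetry). Field names follow Sysmon EventID 1
# (process create), 11 (file create), 13 (registry set) and 3 (network); "proxy" is a constructed web-proxy record.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DIR = r"C:\Users\alice\AppData\Roaming\SamsungDriver"          # persistence dir from the summary's File Paths
UA = ("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; "
      ".NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\tar.exe", "ParentImage": PS,
     "CommandLine": r"tar.exe -xvf C:\Users\alice\AppData\Local\Temp\rjnlzlkfe.ta"},
    {"EventID": 11, "TargetFilename": DIR + r"\cnmpaui.exe"},
    {"EventID": 11, "TargetFilename": DIR + r"\cnmpaui.dll"},
    {"EventID": 11, "TargetFilename": DIR + r"\cnmplog.dat"},
    {"EventID": 1, "Image": DIR + r"\cnmpaui.exe", "ParentImage": PS, "CommandLine": "cnmpaui.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft"
                                    r"\Windows\CurrentVersion\Run\SamsungDriver", "Details": DIR + r"\cnmpaui.exe"},
    {"EventID": 3, "Image": DIR + r"\cnmpaui.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": "proxy", "UserAgent": UA, "Host": "203.0.113.10"},
    {"EventID": 1, "Image": r"C:\Program Files\Canon\Utilities\cnmpaui.exe",   # benign install path, no hit
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cnmpaui.exe"},
]

USER_PATH = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.I)
SIDELOAD_SET = {"cnmpaui.exe", "cnmpaui.dll", "cnmplog.dat"}   # triplet from Key Behavioral Indicators
def basename(p): return p.rsplit("\\", 1)[-1].lower()
def dirname(p): return p.rsplit("\\", 1)[0].lower()

def hunt(events):
    """Return (rule, evidence) pairs; one rule per hunting hypothesis plus the UA indicator."""
    hits, files_by_dir = [], {}
    for ev in events:
        eid, img = ev["EventID"], ev.get("Image", "")
        if eid == 1 and basename(img) == "cnmpaui.exe" and USER_PATH.match(img):
            hits.append(("cnmpaui_unusual_dir", img))          # side-loading host run from a user profile path
        elif eid == 1 and basename(img) == "tar.exe" and basename(ev["ParentImage"]) == "powershell.exe" \
                and "-xvf" in ev["CommandLine"]:
            hits.append(("powershell_tar_extract", ev["CommandLine"]))
        elif eid == 11:
            d = dirname(ev["TargetFilename"])
            files_by_dir.setdefault(d, set()).add(basename(ev["TargetFilename"]))
            if files_by_dir[d] >= SIDELOAD_SET:                 # exe, loader DLL and encrypted payload co-located
                hits.append(("sideload_triplet_staged", d))
        elif eid == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower() \
                and "cnmpaui.exe" in ev["Details"].lower():
            hits.append(("run_key_persistence", ev["Details"]))
        elif eid == 3 and basename(img) == "cnmpaui.exe" and ev["DestinationPort"] == 443:
            hits.append(("cnmpaui_https_egress", ev["DestinationIp"]))   # a printer utility should not beacon
        elif eid == "proxy" and ev["UserAgent"] == UA:
            hits.append(("plugx_hardcoded_ua", ev["Host"]))
    return hits
```

The benign Canon execution from Program Files produces no hit, which is the false-positive boundary the path-based hypothesis relies on.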

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Deactivate automatic resolution of .lnk files in Windows Explorer to mitigate the unpatched ZDI-CAN-25373 vulnerability.
  • Block access to identified C2 domains and delivery infrastructure URLs at network perimeters.

Infrastructure Hardening

  • Implement application control to restrict the execution of unknown or unapproved binaries, even if they are digitally signed.
  • Restrict the use of native utilities like tar.exe and powershell.exe by standard users where possible.

User Protection

  • Deploy EDR solutions configured to monitor for DLL side-loading and unusual process ancestry.
  • Hunt for the presence of cnmpaui.exe in user profile directories across all endpoints.

Security Awareness

  • Conduct security awareness training focused on identifying sophisticated spearphishing lures, particularly those using authentic-looking diplomatic or conference themes.

MITRE ATT&CK Mapping

  • T1587.001 - Develop Capabilities: Malware
  • T1608.001 - Stage Capabilities: Upload Malware
  • T1566.001 - Phishing: Spearphishing Attachment
  • T1189 - Drive-by Compromise
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1204.002 - User Execution: Malicious File
  • T1106 - Native API
  • T1129 - Shared Modules
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1027 - Obfuscated Files or Information
  • T1027.009 - Obfuscated Files or Information: Embedded Payloads
  • T1055 - Process Injection
  • T1140 - Deobfuscate/Decode Files or Information
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1218 - System Binary Proxy Execution
  • T1497.001 - Virtualization/Sandbox Evasion: System Checks
  • T1553.002 - Subvert Trust Controls: Code Signing
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1057 - Process Discovery
  • T1012 - Query Registry
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1573.001 - Encrypted Channel: Symmetric Cryptography
  • T1132.001 - Data Encoding: Standard Encoding
  • T1001.003 - Data Obfuscation: Protocol Impersonation
  • T1105 - Ingress Tool Transfer
  • T1041 - Exfiltration Over C2 Channel

Additional IOCs

  • Domains:
    • naturadeco[.]net - Overlapping C2 infrastructure used for Serbian government targeting.
    • cseconline[.]org - Overlapping C2 infrastructure used for Belgian targeting.
    • vnptgroup[.]it[.]com - Overlapping C2 infrastructure used for Italian targeting.
    • paquimetro[.]net - Earlier campaign C2 infrastructure.
    • mydownload[.]z29[.]web[.]core[.]windows[.]net - Malware delivery infrastructure.
    • mydownloadfile[.]z7[.]web[.]core[.]windows[.]net - Malware delivery infrastructure.
    • mydownfile[.]z11[.]web[.]core[.]windows[.]net - Malware delivery infrastructure.
    • d32tpl7xt7175h[.]cloudfront[.]net - CloudFront domain used for delivering JavaScript and payloads.
  • Urls:
    • http[:]//d32tpl7xt7175h[.]cloudfront[.]net/XgPK9CpZENdh - In-the-wild URL hosting malicious JavaScript delivery script.
  • File Hashes:
    • 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 (SHA256) - Legitimate signed Canon binary (cnmpaui.exe) abused for DLL side-loading.
    • 3fe6443d464f170f13d7f484f37ca4bcae120d1007d13ed491f15427d9a7121f (SHA256) - Decrypted PlugX malware payload.
    • 7168838787039d82961836e5f2f9c70f3fe7c4d99a6c7c61405b3364ce37e760 (SHA256) - TAR archive (rjnlzlkfe.ta) containing the side-loading components.
    • c3b7abcb583b90559af973dd18bf5ccba48d3323e5e2e8bc0b11ff54425e34dd (SHA256) - JavaScript delivery script (XgPK9CpZENdh.js).
    • 7a49310a9192cab1aa05256b6ca0d0c1a54fe084b103ff4df2d17be9effa3300 (SHA256) - HTA delivery file (No.4638.hta).
  • Registry Keys:
    • Software\CLASSES\ms-pu - Registry key queried by PlugX.
    • Software\Microsoft\Windows\CurrentVersion\InternetSetting - Registry key queried by PlugX for proxy settings.
    • Software\Microsoft\Internet Explorer\Version Vector - Registry key queried by PlugX for IE version.
  • File Paths:
    • C:\Users\[Username]\AppData\Roaming\SamsungDriver\cnmpaui.exe - Example persistence path for the copied Canon executable.
    • C:\Users\[Username]\AppData\Roaming\Intelnet* - Potential hidden directory created by malware for persistence.
    • C:\Users\[Username]\AppData\Roaming\VirtualFile* - Potential hidden directory created by malware for persistence.
    • C:\Users\[Username]\AppData\Roaming\SecurityScan* - Potential hidden directory created by malware for persistence.
    • C:\Users\[Username]\AppData\Roaming\DellSetupFiles* - Potential hidden directory created by malware for persistence.
    • C:\Users\[Username]\AppData\Local\Temp\rjnlzlkfe.ta - Path where the initial TAR archive is dropped.
  • Command Lines:
    • Purpose: Extract the dropped TAR archive containing the DLL side-loading components. | Tools: tar.exe | Stage: Execution/Extraction | tar.exe -xvf
  • Other:
    • uUbAmgDu - Mutex created by PlugX (Sample 1).
    • esUdgquBv - Mutex created by PlugX (Sample 2).
    • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) - Hardcoded User-Agent string used by PlugX for C2 communication.