Remote-access Guide

plugx remote access trojan

by Demarco Schoen Published 1 year ago Updated 1 year ago

PlugX is a remote access trojan (RAT) first identified in 2012 that targeted government institutions. It is similar to the Poison Ivy malware, allowing remote users to perform data theft or take control of the affected systems without permission or authorization.

RSA describes PlugX as a RAT (Remote Access Trojan) malware family that has been around since 2008 and is used as a backdoor to take full control of the victim's machine. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.

Is korplug a remote access trojan?

There are a number of articles recently written about a Remote Access Trojan called PlugX or Korplug (with older variants known as Sogu, Thoper, TVT, or Destory RAT) which has recently seen increasing use in targeted attacks. These articles: This article is our contribution to the publicly available knowledge about:

What is the PlugX malware?

It utilizes shared malware like Poison Ivy, PlugX and Cobalt Strike payloads in order to gather intelligence. Since 2008, PlugX as a RAT (Remote Access Trojan) malware family has been used as a backdoor to control the victim’s machine fully.

What is the “PlugX” variant?

In August 2015, researchers at Airbus discovered a new variant of the “original” PlugX. This variant utilized a fourth file in the initial installation of the RAT. This file, also embedded in the SFX RAR, is a small executable file that provides an additional execution method of the main binary.

What is the PlugX peer-to-peer virus?

In the beginning of 2015, researchers from JPCERT reported on a variant of PlugX that added peer-to-peer (P2P) functionality, allowing the malware to communicate with other infected hosts on the local network.

What is poison ivy malware?

The Poison Ivy trojan is a remote access trojan (RAT) that was first identified in 2005 and has continued to make headlines throughout the years. In 2011, it was used in the "Nitro" campaign that targeted government organizations, chemical manufacturers, human rights groups, and defense contractors.

What is the main purpose of malware?

The purpose of malware is to intrude on a machine for a variety of reasons. From theft of financial details, to sensitive corporate or personal information, malware is best avoided, for even if it has no malicious purpose at present, it could well have so at some point in the future.

How do I detect malware on my network?

To detect a network virus a network administrator needs to scan network traffic with a packet sniffer or intrusion detection tool to detect malicious packets and other suspicious activities.

How do you know if you have malware?

Signs of a malware infection include: your computer slows down; your screen is inundated with annoying ads; your system crashes; you notice a mysterious loss of disk space; there is a weird increase in your system's Internet activity; your browser settings change.

What is the malware called?

Malware, short for “malicious software,” refers to any intrusive software developed by cybercriminals (often called “hackers”) to steal data and damage or destroy computers and computer systems. Examples of common malware include viruses, worms, Trojan viruses, spyware, adware, and ransomware.

What is malware and examples?

Malware, or malicious software, is any program or file that is intentionally harmful to a computer, network or server. Types of malware include computer viruses, worms, Trojan horses, ransomware and spyware.

What is the difference between malware and virus?

Often used interchangeably, the terms malware and virus have two distinct meanings. Malware, or malicious software, is an overarching term used to describe any program or code that is created with the intent to do harm to a computer, network or server. A virus, on the other hand, is a type of malware.

What is PlugX's main function?

Some of the primary capabilities/functions of PlugX include management of system and personal files, applications, connected hardware, data exfiltration/infiltration and keylogging. It can also control the operating system: restart/reboot it and log off the current user.

What is the PlugX RAT?

PlugX is a Remote Access Trojan (RAT). Malware under this classification grants cyber criminals remote access and control over the infected device. It has been observed targeting Afghan, American, Russian, Belorussian, Tajikistani, Kazakhstani, and Kyrgyzstani users.

What happens if PlugX RAT is infected?

In summary, PlugX RAT can result in serious financial loss, privacy issues and identity theft. If this, or similar, malware has already infected the system, remove it immediately using an anti-virus program.

What is PlugX keylogging?

PlugX can gather information on running application processes and even terminate them. Keylogging is the capability to record keystrokes.

How do rogue updaters infect systems?

Rogue updaters infect systems by abusing flaws of outdated products and/or simply by installing malware rather than the promised updates. Malicious content can be downloaded inadvertently by people from dubious sources such as unofficial and free file-hosting sites, P2P sharing networks (BitTorrent, Gnutella, eMule, etc.) and other third party downloaders.

Is PlugX spread by spam?

PlugX has been proliferated using several different spam campaigns. The term "spam campaign" defines large scale operations, during which thousands of deceptive/scam emails are sent. These messages are typically disguised as "official", "urgent", "important", "priority" and so on.

Can PlugX refresh or modify data?

PlugX can obtain this data and also refresh, rename, delete and otherwise modify it.

What is PlugX used for?

PlugX was distributed via spear-phishing emails that included maliciously crafted RTF documents and self-extracting RAR archives designed to exploit Microsoft Word vulnerabilities in order to install the malware on targeted systems.

What is the APT10 attack?

In April 2019, China-linked cyber-espionage group APT10 launched a malware attack against government and private organizations in Southeast Asia with two new loaders.

What was the JTB breach?

The data breach was the result of an employee opening a malicious document which he received via a phishing email. The malicious document included the PlugX RAT, which installed the Elirks backdoor trojan, which is designed to steal user information.

What happens when plugin manager is started?

If the plugin manager (OlProcManager) is started, the C&C is then able to communicate with the chosen plugins.

How many stages does PlugX have?

The communication done by PlugX is encrypted in two stages: to perform the first stage, the malware uses this routine:

Is there any infrastructure intersection with the attacks we witnessed?

However, there does not appear to be any infrastructure intersection with the attacks we witnessed. The attackers using this C&C infrastructure also focus their efforts in Southeast Asia, primarily targeting technology manufacturers, developers, or organizations that deal with them.

Is hccutils.dll.res a PE file?

hccutils.dll.res – not a PE file, but base-independent code consisting of a decryptor and an encrypted malicious image. It also contains encrypted settings.

Trojan.PlugX

The most common channels through which Trojan.PlugX trojans are injected are:

What is PlugX malware?

PlugX is a fully featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote cmd.exe shell.

What is PlugX used for?

Similar to the 2008 campaign, PlugX is often used with another common RAT called Poison Ivy. In 2017, researchers from JPCERT discovered a variant of PlugX that actually had code overlap with Poison Ivy in the form of a hash algorithm. This code was used to obscure the Windows API calls in the binary.

What is Paranoid PlugX?

In June 2017, researchers at Palo Alto Networks released a review of a new PlugX variant they detected on their networks, which they named “Paranoid PlugX.” This variant added several new mechanisms for avoiding security controls and detection, including new methods for determining the C2 server address after execution, new loading methodology, and new methods for avoiding detection on disk. Rather than dropping the executable, loader DLL, and payload to disk, this variant used a Visual Basic (VB) script to perform two attempts to download and execute the code.

Where are PlugX components extracted?

The three PlugX components are extracted from the archive to a temporary directory on the system.

Does PlugX use antivirus?

Although the above sample used an NVIDIA application, many PlugX samples of this variant leveraged applications associated with antivirus or various other security products. Because these executables are signed, legitimate applications, endpoint security products are less likely to flag them. Furthermore, the use of antivirus-related applications can potentially take advantage of product whitelisting on the endpoint.

Is PlugX still used today?

Although there have been several variants over the years, an analysis of the timeline of variants discussed demonstrates the “original” PlugX variant continues to be used today. Despite the evolution of PlugX methodologies and techniques, these classic PlugX samples remain successful and are still utilized in adversarial campaigns as a result.

Overview

Avira’s Advanced Threat Research team has been tracking the Mustang Panda APT for a while. According to Avira’s telemetry data, Mustang Panda mostly targets Asia-Pacific (APAC) countries and uses Cobalt or PlugX as the payload.

Payload

As explained previously, the payload is executed like shellcode, but surprisingly it is a full PE binary. The loader starts executing the payload at offset zero of the payload, i.e. at the MZ header. The picture below shows a very small crafted shellcode that calls the entry point.
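The loader behaviour described above (jumping to offset zero of a blob that is really a full PE image) is easy to check for during triage. The following Python is an added example written for this page, not Avira's code and not taken from any PlugX artifact: it builds a constructed, minimal DOS/PE header as sample input and classifies a byte blob as a PE image (reporting the target architecture and whether the DLL flag is set), an MZ-only stub with no reachable PE header, or non-PE bytes. The header offsets and Machine values are the standard ones from the PE format specification.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE specification.
MACHINE_NAMES = {0x014C: "i386", 0x01C0: "arm", 0x8664: "amd64", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000  # Characteristics flag set on DLL images


def classify_blob(blob: bytes) -> dict:
    """Report whether a blob handed to a loader as 'shellcode' is in fact a PE
    image that begins at offset zero with an MZ header (as the loader expects)."""
    result = {"kind": "not-pe", "e_lfanew": None, "machine": None, "is_dll": None}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return result  # plain code bytes or too short to hold a DOS header
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]  # offset of "PE\0\0"
    result["e_lfanew"] = e_lfanew
    # A bare DOS stub, or a truncated/corrupt image, has MZ but no reachable PE header.
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        result["kind"] = "mz-only"
        return result
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]           # FileHeader.Machine
    characteristics = struct.unpack_from("<H", blob, e_lfanew + 22)[0]  # FileHeader.Characteristics
    result["kind"] = "pe"
    result["machine"] = MACHINE_NAMES.get(machine, f"0x{machine:04x}")
    result["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return result


def build_minimal_pe_header(e_lfanew: int = 0x40, machine: int = 0x8664,
                            characteristics: int = 0x2022) -> bytes:
    """Constructed sample input: the smallest DOS header + NT signature + file
    header that classify_blob() needs. Not a real binary, just the headers."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)          # DOS header up to offset 0x3C
    hdr += struct.pack("<I", e_lfanew)               # e_lfanew at offset 0x3C
    hdr += b"\x00" * (e_lfanew - len(hdr))           # pad up to the NT headers
    hdr += b"PE\x00\x00"                             # NT signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(hdr)


if __name__ == "__main__":
    samples = {
        "pe-dll-amd64": build_minimal_pe_header(),
        "pe-exe-i386": build_minimal_pe_header(machine=0x14C, characteristics=0x0102),
        # constructed: MZ header whose e_lfanew points far outside the blob
        "mz-only": b"MZ" + b"\x00" * 0x3A + b"\x00\x00\x01\x00",
        # constructed: looks like raw position-independent code, no MZ at offset zero
        "raw-code": b"\xe8\x00\x00\x00\x00" + b"\x90" * 64,
    }
    for name, blob in samples.items():
        print(name, classify_blob(blob))
```

During triage, any "shellcode" buffer that classifies as `pe` should be treated as an embedded executable and handed to normal PE analysis rather than to a shellcode emulator; the `mz-only` verdict is worth keeping separate because it usually means a truncated capture or a stub, not an image that will actually run.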

Conclusion

The Mustang Panda APT actor uses PlugX with minor changes in an attempt to evade detection. This time we found new features, a new config structure, and a new loader, which caught our attention.
