
    Noted for its stealth routine, PlugX and its developers now appear to be using several legitimate applications, in particular those used by Microsoft, Lenovo, and McAfee, in an effort to remain under the radar.

    PLUGX variants are known for their use of normal applications to load their malicious .DLL components. This .DLL hijacking technique is not new; it was first discussed by Mandiant in July 2010 here. PlugX is able to use any executable for this purpose and has started to use well-known applications. The malware also takes advantage of a certain weakness in how an executable loads its .DLLs, specifically the fact that the executable loads the first .DLL file of the expected name that it finds in a specific folder.

    Unfortunately, many applications – old and even new ones – still contain this vulnerability.
    The first PlugX variant that used this technique is BKDR_PLUGX.SME. It used the legitimate NVIDIA file NvSmart.exe, which imports the functions of the malware’s malicious .DLL. Since then, PLUGX variants have been using other applications to hide their tracks from antimalware software.

    Below are some of the PlugX variants that use various normal files to load their malicious components:

    BKDR_PLUGX.DMI
    • uses HHC.EXE, a legitimate Microsoft file for HTML Help
    • loads hha.dll, which then loads hha.dll.bak
    • both files are also detected as BKDR_PLUGX.DMI

    BKDR_PLUGX.AI
    • uses CamMute.exe, Lenovo software related to the Camera Mute Control Service for ThinkPad
    • loads CommFunc.dll, which then loads CommFunc.jax
    • both files are also detected as BKDR_PLUGX.AI

    BKDR_PLUGX.AQT
    • uses Mc.exe, a legitimate McAfee file
    • loads McUtil.dll, which then loads McUtil.dll.url
    • both files are also detected as BKDR_PLUGX.AQT
    • connects to the fake anti-malware site vip.{BLOCKED}

    Note that in each case, a specific .DLL was paired with an executable. What is new in these variants is the loading of an encrypted file that carries the same file name as the .DLL plus an additional extension. Here is a code snippet that shows how the encrypted .DLL is loaded:


    Figure 1. Screenshot of PlugX code snippet

    Once the initial .DLL is loaded by the application, it retrieves its own file path and appends the second extension (.url in the McAfee case), an attempt to avoid antimalware detection, since the encrypted file does not look like a .DLL on disk. The new file path is then opened using the API CreateFile. If this succeeds, the loader allocates a block of memory into which the contents of the encrypted component are placed. The decrypted code is finally invoked via "call EBX" or another register, depending on the variant.
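The on-disk layout described above (host executable, hijacked .DLL, and an encrypted companion named after the .DLL with an extra or swapped extension) is something a defender can hunt for without executing anything. The following added example, which is not Trend Micro's code and uses a constructed sample folder rather than real samples, walks a directory, pairs each .DLL with companion files that follow the naming patterns from this post, and flags companions whose byte entropy looks encrypted; the 7.0 bits/byte threshold and the file contents are assumptions for illustration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted payloads approach 8.0, plain text sits well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_sideload_triads(folder, entropy_threshold=7.0):
    """Return (host_exe, dll, companion, entropy) for each DLL with an encrypted-looking companion
    named <dll>.<ext> (hha.dll.bak, McUtil.dll.url) or <stem>.<ext> (CommFunc.jax)."""
    files = {p.name.lower(): p for p in Path(folder).iterdir() if p.is_file()}
    exes = sorted(n for n in files if n.endswith(".exe"))
    if not exes:
        return []  # the technique needs a host executable in the same folder
    findings = []
    for dll in sorted(n for n in files if n.endswith(".dll")):
        stem = dll[:-4]
        for other in files:
            if other.endswith((".exe", ".dll")):
                continue
            same_name_extra_ext = other.startswith(dll + ".")
            same_stem_new_ext = other.startswith(stem + ".") and other.count(".") == 1
            if same_name_extra_ext or same_stem_new_ext:
                ent = shannon_entropy(files[other].read_bytes())
                if ent >= entropy_threshold:  # assumed cut-off for "looks encrypted"
                    findings.append((exes[0], dll, other, round(ent, 2)))
    return findings


def build_sample_folder() -> str:
    """Constructed sample folder (no real malware): mimics the file layout described in the post."""
    folder = Path(tempfile.mkdtemp())
    encrypted_like = bytes(range(256)) * 16  # uniform byte distribution -> entropy 8.0
    (folder / "HHC.EXE").write_bytes(b"MZ" + b"\x00" * 62)
    (folder / "hha.dll").write_bytes(b"MZ" + b"\x00" * 62)
    (folder / "hha.dll.bak").write_bytes(encrypted_like)
    (folder / "hha.txt").write_bytes(b"help index\n" * 50)  # benign companion, low entropy
    (folder / "CommFunc.dll").write_bytes(b"MZ" + b"\x00" * 62)
    (folder / "CommFunc.jax").write_bytes(encrypted_like)
    return str(folder)


if __name__ == "__main__":
    for hit in find_sideload_triads(build_sample_folder()):
        print("possible PlugX sideload triad:", hit)
```

Entropy alone is a weak signal (compressed help files or images also score high), so treat a hit as a lead to confirm by checking whether the host executable actually imports the paired .DLL.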

    Most of these variants appear to be in Asia, particularly China, Japan, and Taiwan. Trend Micro products detect the PlugX variants mentioned in this blog entry.

    During the first quarter of this year, we reported on notable malware that incorporated evasion methods. Although these efforts to evade antimalware scanning are not in themselves groundbreaking, this development in PlugX supports our prediction that this year's threat landscape is likely to be defined by attackers ducking security researchers rather than creating new threats.

    With additional analysis from Threat Researcher Abraham Camba.



    • Hayton

      The file “mc.exe” is not a McAfee file, as far as I know. There is an “mc.exe” in Windows, which is the Message Compiler and is part of Event Log tools.

      • TrendLabs

        Hi Hayton,

        While the file is named “mc.exe”, based on the file properties its original name was “mcoemcpy.exe”.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice