TrendLabs Malware Blog - Trend Micro

    Earlier this year, a new breed of Remote Access Tool (RAT) called PlugX (also known as Korplug) surfaced in the wild. PlugX, reportedly used in a limited number of targeted attacks, is an example of a custom-made RAT developed specifically for such attacks.

    The idea behind using a new tool is simple: a RAT that security researchers have not seen before is harder to recognize and harder to track. However, this does not mean that the attack itself is new. Our monitoring reveals that PlugX is part of a campaign that has been active since (at least) February 2008.

    The said campaign used the Poison Ivy RAT and was reported to target specific users in Japan, China, and Taiwan. This campaign was also part of a large, concerted attack as documented earlier this year. True to its origins, we have observed that PlugX was distributed mainly to government-related organizations and a specific corporation in Japan.

    Similar to previous Poison Ivy campaigns, PlugX arrives as an attachment to spear phishing emails, either as an archived, bundled file or as a specially crafted document that exploits a vulnerability in Adobe Acrobat Reader or Microsoft Office. We have also encountered an instance of PlugX aimed at a South Korean Internet company and a U.S. engineering firm.

    Poison Ivy and PlugX C&C Servers: A Relationship in Bloom

    During our monitoring, we initially saw a PlugX variant that connects to a command and control (C&C) server named {BLOCKED}. Using historical data, we identified this as a well-known Poison Ivy C&C. Using the IP address that {BLOCKED} resolved to, we mapped out several other C&C domains hosted on the same address. These C&Cs appear to have been used by both Poison Ivy and PlugX variants.

    The diagram below shows the relationships between the resolved IP address, C&C domains, RAT variants and the dates when these RATs were distributed. Note that for the older variants, we used the earliest date estimate of their appearance.

    In the above diagram, we can see that though the campaign now uses the new PlugX RAT, it is still distributing it in parallel with older, more stable Poison Ivy variants. Because its variants drop a debug log file in %System Root%\Documents and Settings\All Users\SxS\bug.log, we also suspect that PlugX may still be in its beta stages. This log file records errors raised by the RAT's code, which may later be uploaded to the attackers' C&C server for auditing. For defenders, the presence of this log file is a simple host-based indicator to hunt for.
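    The pivot described above, from one known C&C domain through the IP address it resolved to and out to the sibling domains and the RAT samples that used them, can be reproduced over passive-DNS and sample-sighting data. The following Python is an added example, not code from the original post or from Trend Micro. The records, domain names (.example) and IP addresses (RFC 5737 documentation ranges) are constructed placeholders standing in for the {BLOCKED} indicators, and the time-overlap check and fan-out cap are assumptions added so that shared-hosting, parking and sinkhole addresses do not produce false links between unrelated domains.

```python
"""Infrastructure pivot over constructed passive-DNS and sample-sighting data.

Added example, not code from the Trend Micro post. All domains, IPs, dates and
sample labels below are constructed placeholders, not real indicators.
"""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS observations: (domain, ip, first_seen, last_seen)
PDNS = [
    ("update.c2-a.example",   "192.0.2.10",   date(2008, 2, 1),  date(2012, 6, 30)),
    ("news.c2-b.example",     "192.0.2.10",   date(2009, 5, 12), date(2012, 7, 15)),
    ("mail.c2-c.example",     "192.0.2.10",   date(2012, 3, 3),  date(2012, 8, 20)),
    ("cdn.unrelated.example", "198.51.100.7", date(2011, 1, 1),  date(2012, 8, 1)),
    # The seed briefly shared an IP with an unrelated site years earlier:
    ("update.c2-a.example",   "198.51.100.7", date(2007, 11, 1), date(2008, 1, 20)),
]

# Constructed sample sightings: (label, family, c2_domain, first_seen)
SAMPLES = [
    ("sample-01", "Poison Ivy", "update.c2-a.example",   date(2008, 2, 15)),
    ("sample-02", "Poison Ivy", "news.c2-b.example",     date(2010, 9, 2)),
    ("sample-03", "PlugX",      "mail.c2-c.example",     date(2012, 3, 10)),
    ("sample-04", "PlugX",      "update.c2-a.example",   date(2012, 6, 1)),
    ("sample-05", "Poison Ivy", "update.c2-a.example",   date(2012, 5, 20)),
    ("sample-06", "Other RAT",  "cdn.unrelated.example", date(2011, 4, 4)),
]


def _overlaps(a_start, a_end, b_start, b_end):
    """True if the two closed date ranges share at least one day."""
    return a_start <= b_end and b_start <= a_end


def pivot_domains(seed, pdns=PDNS, max_fanout=50):
    """Seed domain -> IPs it resolved to -> other domains on the same IP.

    A sibling domain is only linked if its resolution window overlapped the
    seed's window on that IP (assumption: co-hosting at the same time is the
    signal, not mere reuse of an address years apart). IPs with more than
    max_fanout domains are skipped as shared hosting too noisy to pivot on.
    """
    by_ip = defaultdict(list)
    for domain, ip, first, last in pdns:
        by_ip[ip].append((domain, first, last))

    related = {seed}
    for domain, ip, first, last in pdns:
        if domain != seed:
            continue
        cohosted = by_ip[ip]
        if len(cohosted) > max_fanout:
            continue
        for other, o_first, o_last in cohosted:
            if other != seed and _overlaps(first, last, o_first, o_last):
                related.add(other)
    return related


def rat_timeline(domains, samples=SAMPLES):
    """Samples that beaconed to any of the given domains, oldest first.

    Returns (first_seen, family, label, c2_domain) tuples, which is the data
    behind a diagram of IP -> C&C domains -> RAT variants -> dates.
    """
    rows = [(seen, family, label, c2)
            for label, family, c2, seen in samples if c2 in domains]
    return sorted(rows)


def families_active(timeline, since):
    """RAT families with at least one sighting on or after `since`."""
    return {family for seen, family, _, _ in timeline if seen >= since}


if __name__ == "__main__":
    seed = "update.c2-a.example"
    linked = pivot_domains(seed)
    print("C&C domains linked to", seed, "->", sorted(linked))
    for seen, family, label, c2 in rat_timeline(linked):
        print(f"{seen}  {family:<10}  {label}  {c2}")
    print("families active in 2012:", sorted(families_active(rat_timeline(linked), date(2012, 1, 1))))
```

    Run on the constructed data, the pivot links the three domains that shared 192.0.2.10 while the seed was on it, drops cdn.unrelated.example because its window on 198.51.100.7 never overlapped the seed's, and the timeline shows Poison Ivy and PlugX samples using the same infrastructure side by side in 2012, which is the parallel distribution the diagram illustrates.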

    While custom-made RATs developed for targeted attacks are not new, we can see that the people behind PlugX are already distributing the RAT despite it being in beta. Being malicious actors that have been active since 2008, they may be onto something. It is possible that they will use their targets' machines to test and improve their RAT for future, more troublesome campaigns.

    Unfortunately, errors in the beta RAT’s code may cause unintended consequences for both attackers and any targeted organizations. For example, files being accessed could become accidentally corrupted, causing significant amounts of data to be lost.

    Trend Micro users are protected by the Smart Protection Network. In particular, the file reputation service detects and deletes PlugX (BKDR_PLUGX and TROJ_PLUGX) and Poison Ivy (BKDR_POISON) variants. The web reputation and email reputation services block access to the said C&C servers and the related emails, respectively.

    Trend Micro will continue to monitor PlugX’s development and the campaign behind it.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice