PlugX: New Tool For a Not So New Campaign

11 Sep 2012

Earlier this year, a new breed of Remote Access Tool (RAT) called PlugX (also known as Korplug) surfaced in the wild. PlugX, reportedly used in a limited number of targeted attacks, is an example of a custom-made RAT developed specifically for that purpose.

The idea behind using a new tool is simple: a RAT that security researchers do not yet recognize is harder to detect. However, this does not mean that the attack itself is new. Our monitoring reveals that PlugX is part of a campaign that has been active since February 2008.

That campaign used the Poison Ivy RAT and was reported to target specific users in Japan, China, and Taiwan. It was also part of a large, concerted attack documented earlier this year. True to its origins, we have observed that PlugX was distributed mainly to government-related organizations and a specific corporation in Japan.

Similar to previous Poison Ivy campaigns, PlugX arrives as an attachment to spear-phishing emails, either as an archived, bundled file or as a specially crafted document that exploits a vulnerability in Adobe Acrobat Reader or Microsoft Office. We have also encountered an instance of PlugX aimed at a South Korean Internet company and a U.S. engineering firm.

Poison Ivy and PLUGX C&C Servers: A Relationship in Bloom

During our monitoring, we initially saw a PlugX variant that connects to a command and control (C&C) server named eonceo.{BLOCKED}-show.org. Using historical data, we identified this as a well-known Poison Ivy C&C. Starting from the IP address that eonceo.{BLOCKED}-show.org resolved to, we mapped out several other C&Cs sharing that infrastructure. These C&Cs appear to have been used by both Poison Ivy and PlugX variants.

The diagram below shows the relationships between the resolved IP address, C&C domains, RAT variants and the dates when these RATs were distributed. Note that for the older variants, we used the earliest date estimate of their appearance.

The diagram shows that although the campaign now uses the new PlugX RAT, the actors are still distributing it in parallel with older, more stable Poison Ivy variants. Because its variants drop a debug log file in %System Root%\Documents and Settings\All Users\SxS\bug.log, we also suspect that PlugX may still be in beta. This log file records possible errors in the RAT's code, which may later be uploaded to the attackers' C&C server for auditing.
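The infrastructure pivot described above, as an added example that is not part of the original post: starting from one known C&C hostname, collect the IPs it resolved to, find every other hostname that resolved to those IPs, and record which RAT family used each one and when it was first seen. The passive-DNS records, sighting dates and all hostnames other than the seed are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style records: (hostname, resolved IP, first seen).
# Only the seed hostname is taken from the post; the rest are placeholders.
PDNS = [
    ("eonceo.{BLOCKED}-show.org", "203.0.113.10", date(2008, 2, 1)),
    ("cnc-a.example.invalid",     "203.0.113.10", date(2009, 5, 12)),
    ("cnc-b.example.invalid",     "203.0.113.10", date(2012, 3, 4)),
    ("unrelated.example.invalid", "198.51.100.7", date(2011, 1, 1)),
]

# Constructed sightings: (hostname, RAT family, date the sample was distributed)
SIGHTINGS = [
    ("eonceo.{BLOCKED}-show.org", "PoisonIvy", date(2008, 2, 1)),
    ("eonceo.{BLOCKED}-show.org", "PlugX",     date(2012, 6, 20)),
    ("cnc-a.example.invalid",     "PoisonIvy", date(2009, 5, 12)),
    ("cnc-b.example.invalid",     "PlugX",     date(2012, 3, 4)),
    ("unrelated.example.invalid", "Other",     date(2011, 1, 1)),
]


def pivot(seed, pdns=PDNS, sightings=SIGHTINGS):
    """Return {ip: {hostname: {family: earliest_date}}} for every IP the
    seed hostname resolved to, covering all hostnames sharing those IPs."""
    seed_ips = {ip for host, ip, _ in pdns if host == seed}
    graph = defaultdict(lambda: defaultdict(dict))
    for host, ip, _ in pdns:
        if ip not in seed_ips:
            continue  # never shared infrastructure with the seed
        for s_host, family, seen in sightings:
            if s_host != host:
                continue
            earliest = graph[ip][host].get(family)
            if earliest is None or seen < earliest:
                graph[ip][host][family] = seen
    return {ip: dict(hosts) for ip, hosts in graph.items()}


def shared_hosts(seed):
    """Hostnames sharing at least one resolved IP with the seed (seed excluded)."""
    return sorted({h for hosts in pivot(seed).values() for h in hosts} - {seed})


if __name__ == "__main__":
    for ip, hosts in pivot("eonceo.{BLOCKED}-show.org").items():
        for host, families in hosts.items():
            print(ip, host, {f: str(d) for f, d in families.items()})
```

Real passive-DNS data replaces the constructed lists; the same walk then yields the IP-to-domain-to-family relationships the diagram summarizes.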

While custom-made RATs developed for targeted attacks are not new, we can see that the people behind PlugX are already distributing the RAT despite its being in beta. As malicious actors who have been active since 2008, they may be onto something. It is possible that they will use their targets' machines to improve their RAT for future, more troublesome campaigns.

Unfortunately, errors in the beta RAT's code may cause unintended consequences for both the attackers and the targeted organizations. For example, files being accessed could be accidentally corrupted, causing significant amounts of data to be lost.

Trend Micro users are protected by the Smart Protection Network. In particular, the file reputation service detects and deletes PlugX (BKDR_PLUGX and TROJ_PLUGX) and Poison Ivy (BKDR_POISON) variants. The web reputation and email reputation services block access to the C&C servers and the related emails, respectively.

Trend Micro continues to monitor PlugX's development and the campaign behind it.
