Earlier this year, a new breed of Remote Access Tool (RAT) called PlugX (also known as Korplug) surfaced in the wild. PlugX, reportedly used in a limited number of targeted attacks, is an example of a custom-made RAT developed specifically for such attacks.
The idea behind fielding a new tool is simple: a RAT that security researchers do not yet recognize is harder to detect and easier to keep hidden. This does not mean, however, that the attack itself is new. Our monitoring shows that PlugX is part of a campaign that has been active since February 2008.
That campaign used the Poison Ivy RAT and was reported to target specific users in Japan, China, and Taiwan. It was also part of a large, concerted attack, as documented earlier this year. True to its origins, the PlugX samples we observed were distributed mainly to government-related organizations and one specific corporation in Japan.
As in the earlier Poison Ivy campaigns, PlugX arrives as an attachment to spear-phishing emails, either inside an archive that bundles the RAT or as a specially crafted document that exploits a vulnerability in Adobe Acrobat Reader or Microsoft Office. We have also encountered instances of PlugX aimed at a South Korean Internet company and a U.S. engineering firm.


During our monitoring, we initially saw a PlugX variant that connects to a command-and-control (C&C) server named eonceo.{BLOCKED}-show.org. Historical data shows that this is a well-known Poison Ivy C&C. Starting from the IP address that eonceo.{BLOCKED}-show.org resolved to, we mapped out several other C&C domains that resolved to the same address. These C&Cs appear to have been used by both Poison Ivy and PlugX variants.
The diagram below shows the relationships between the resolved IP address, the C&C domains, the RAT variants and the dates on which these RATs were distributed. Note that for the older variants we used the earliest estimated date of their appearance.
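To make the pivot concrete, here is an added example (not code from the original post or from Trend Micro) that walks the same domain -> IP -> domain relationship over a small constructed passive-DNS dataset and then orders the RAT sightings on the linked domains by earliest appearance, which is the information the diagram conveys. The domain names, RFC 5737 test addresses, dates and family labels are placeholders constructed for the example and are not the real (redacted) indicators; the `crowd_limit` heuristic is an assumption added here so that the walk does not expand through shared hosting or parking addresses, where a common IP does not imply a common operator.

```python
"""Passive-DNS pivot from one C&C domain to the infrastructure behind it.

Added example, not code from the original post. All records below are
constructed placeholders (example.org/example.net names, RFC 5737 IPs).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DnsRecord:
    domain: str
    ip: str
    first_seen: date   # first day this resolution was observed
    last_seen: date    # last day this resolution was observed


@dataclass(frozen=True)
class Sighting:
    domain: str
    family: str        # RAT family whose sample used this C&C domain
    first_seen: date   # earliest estimated appearance of that sample


# Constructed passive-DNS history (placeholders, not real indicators).
PDNS = [
    DnsRecord("seed-c2.example.org", "192.0.2.10", date(2008, 2, 1), date(2012, 6, 30)),
    DnsRecord("update.example.org", "192.0.2.10", date(2009, 3, 15), date(2011, 12, 1)),
    DnsRecord("news.example.org", "192.0.2.10", date(2012, 1, 5), date(2012, 6, 30)),
    DnsRecord("news.example.org", "192.0.2.11", date(2012, 7, 1), date(2012, 9, 1)),
    DnsRecord("mail.example.net", "192.0.2.11", date(2012, 7, 1), date(2012, 9, 1)),
    # A crowded address: many unrelated names park on it, so pivoting through it is noise.
    *[DnsRecord(f"site{i}.example.com", "198.51.100.5", date(2010, 1, 1), date(2012, 9, 1))
      for i in range(40)],
    DnsRecord("seed-c2.example.org", "198.51.100.5", date(2012, 7, 1), date(2012, 9, 1)),
]

# Constructed sample-to-C&C attributions with earliest estimated dates.
SIGHTINGS = [
    Sighting("seed-c2.example.org", "PoisonIvy", date(2008, 2, 1)),
    Sighting("update.example.org", "PoisonIvy", date(2009, 4, 2)),
    Sighting("news.example.org", "PlugX", date(2012, 3, 10)),
    Sighting("mail.example.net", "PlugX", date(2012, 8, 14)),
]


def pivot(seed, records, max_hops=2, crowd_limit=20):
    """Breadth-first walk domain -> IP -> domain starting at `seed`.

    Returns (domains, ips, crowded): domains reachable within `max_hops`
    domain->IP->domain hops, every IP touched, and the subset of IPs that
    host more than `crowd_limit` names. Crowded IPs are recorded but not
    expanded, a heuristic (assumed here) against shared-hosting false links.
    """
    by_domain = defaultdict(set)
    by_ip = defaultdict(set)
    for r in records:
        by_domain[r.domain].add(r.ip)
        by_ip[r.ip].add(r.domain)

    domains = {seed}
    ips, crowded = set(), set()
    frontier = deque([(seed, 0)])
    while frontier:
        domain, hops = frontier.popleft()
        if hops >= max_hops:
            continue
        for ip in by_domain[domain]:
            ips.add(ip)
            if len(by_ip[ip]) > crowd_limit:
                crowded.add(ip)   # note it, but do not pivot through it
                continue
            for other in by_ip[ip]:
                if other not in domains:
                    domains.add(other)
                    frontier.append((other, hops + 1))
    return domains, ips, crowded


def timeline(domains, sightings):
    """Sightings on the pivoted domains, ordered by earliest appearance."""
    return sorted((s for s in sightings if s.domain in domains),
                  key=lambda s: s.first_seen)


if __name__ == "__main__":
    linked, touched, noisy = pivot("seed-c2.example.org", PDNS)
    for s in timeline(linked, SIGHTINGS):
        print(f"{s.first_seen}  {s.family:<9}  {s.domain}")
    print("expanded through:", sorted(touched - noisy))
    print("skipped crowded :", sorted(noisy))
```

Run as-is, the walk links the seed to three other C&C names through 192.0.2.10 and 192.0.2.11 and prints a Poison Ivy-to-PlugX timeline spanning 2008 to 2012, while the 40 parked names on 198.51.100.5 are left out. Two checks matter in practice before trusting such a link: the number of names on the shared address (the crowd limit above) and whether the resolution windows actually overlap with the sample's activity dates.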

Custom-made RATs developed for targeted attacks are not new, but the people behind PlugX are already distributing the RAT while it is still in beta. As malicious actors who have been active since 2008, they may be onto something: it is possible that they are using their targets' machines as a testbed to refine the RAT for future, more troublesome campaigns.
Unfortunately, errors in the beta RAT's code may have unintended consequences for both the attackers and the targeted organizations. For example, files the RAT accesses could be corrupted by accident, causing significant amounts of data to be lost.
Trend Micro users are protected by the Smart Protection Network. In particular, the file reputation service detects and deletes PlugX (BKDR_PLUGX and TROJ_PLUGX) and Poison Ivy (BKDR_POISON) variants, while the web reputation and email reputation services block access to the C&C servers and the related emails, respectively.
Trend Micro continues to monitor PlugX's development and the campaign behind it.