In our previous post, we reported on a new breed of Remote Access Tool (RAT) called PlugX, which was seen in targeted attacks alongside Poison Ivy. At first glance, this RAT appears to be a simple tool with limited remote access capabilities. However, further analysis of PlugX reveals that it may be keeping more tricks up its sleeve.
In a typical attack, PlugX arrives as three file components:
- A legitimate file
- A malicious DLL that is loaded by the legitimate file
- A binary file that contains the malicious code loaded by the DLL
In the sample we analyzed, the three dropped files were:
- All Users’ %User Profile%\Gf\NvSmart.exe – a legitimate NVIDIA file (NVIDIA Smart Maximise Helper Host)
- All Users’ %User Profile%\Gf\NvSmartMax.dll – BKDR_PLUGX.BUT
- All Users’ %User Profile%\Gf\boot.ldr – TROJ_PLUGX.SME
Notice that the malware drops NvSmart.exe, which is a known legitimate NVIDIA file. Because that executable loads NvSmartMax.dll from its own directory, the malicious DLL runs inside a process whose image is a legitimate vendor binary (DLL side-loading); the DLL in turn reads and decrypts boot.ldr, so none of the three files on disk looks like a conventional malicious executable on its own.
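The three-file layout above is itself a detectable pattern: a directory holding a PE executable, a PE DLL and a non-PE file whose contents are statistically close to random (the encrypted payload). The following script is an added example, not Trend Micro's tooling, that walks a directory tree and flags such triads using Shannon entropy. The entropy threshold (7.2 bits per byte), the minimum blob size and the sample directory tree it builds are assumptions made for this illustration; the "PE" files it writes are only an MZ header plus padding, and boot.ldr is random bytes standing in for the encrypted payload.

```python
import math
import os
import tempfile
from collections import Counter

# Assumption for this example: encrypted or packed payloads usually score above
# ~7.2 bits/byte, while plain text and uncompressed PE images score well below it.
ENTROPY_THRESHOLD = 7.2
MIN_BLOB_SIZE = 1024  # ignore tiny files, whose entropy estimates are noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """PE files (EXE, DLL) begin with the DOS 'MZ' stub."""
    return data[:2] == b"MZ"


def classify_directory(path: str):
    """Sort the files in one directory into PE executables, PE DLLs and
    high-entropy non-PE blobs (candidate encrypted payloads such as boot.ldr)."""
    exes, dlls, blobs = [], [], []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        lower = name.lower()
        if is_pe(data) and lower.endswith(".exe"):
            exes.append(name)
        elif is_pe(data) and lower.endswith(".dll"):
            dlls.append(name)
        elif (not is_pe(data) and len(data) >= MIN_BLOB_SIZE
              and shannon_entropy(data) >= ENTROPY_THRESHOLD):
            blobs.append(name)
    return exes, dlls, blobs


def find_sideload_triads(root: str):
    """Walk `root` and report every directory holding an EXE, a DLL and a
    high-entropy blob side by side, i.e. the PlugX dropper layout."""
    hits = []
    for dirpath, _, _ in os.walk(root):
        exes, dlls, blobs = classify_directory(dirpath)
        if exes and dlls and blobs:
            hits.append({"dir": dirpath, "exe": exes, "dll": dlls, "blob": blobs})
    return hits


def build_constructed_sample() -> str:
    """Create a constructed directory tree mimicking the dropped layout.
    Nothing here is a real binary: the 'PE' files are an MZ header plus zero
    padding and boot.ldr is random bytes in place of the encrypted payload."""
    root = tempfile.mkdtemp(prefix="plugx_layout_")
    suspect = os.path.join(root, "Gf")
    benign = os.path.join(root, "Docs")
    os.makedirs(suspect)
    os.makedirs(benign)
    fake_pe = b"MZ" + b"\x00" * 4094
    with open(os.path.join(suspect, "NvSmart.exe"), "wb") as fh:
        fh.write(fake_pe)
    with open(os.path.join(suspect, "NvSmartMax.dll"), "wb") as fh:
        fh.write(fake_pe)
    with open(os.path.join(suspect, "boot.ldr"), "wb") as fh:
        fh.write(os.urandom(8192))
    # Benign control directory: an EXE beside a plain-text file, no DLL, no encrypted blob.
    with open(os.path.join(benign, "viewer.exe"), "wb") as fh:
        fh.write(fake_pe)
    with open(os.path.join(benign, "readme.txt"), "wb") as fh:
        fh.write(b"This is plain text, repeated many times.\n" * 200)
    return root


if __name__ == "__main__":
    for hit in find_sideload_triads(build_constructed_sample()):
        print(f"{hit['dir']}: exe={hit['exe']} dll={hit['dll']} blob={hit['blob']}")
```

In a real sweep the EXE and DLL should additionally be checked against vendor hashes or Authenticode signatures: the legitimate file will verify, the side-loaded DLL will not, and that mismatch inside one directory is a stronger signal than the entropy heuristic alone.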
Digging deeper into what the loaded code does, we can see that it first decrypts itself in memory into what appears to be a complete executable file; that in-memory image, which never touches disk in decrypted form, contains all of the backdoor modules listed below.
| PlugX module | Backdoor functions |
| --- | --- |
| XPlugDisk | Copy, move, rename, delete files; get drive information; get file information |
| XPlugKeyLogger | Log keystrokes and active window |
| XPlugNethood | Enumerate TCP and UDP connections; enumerate network resources; set TCP connection state |
| XPlugOption | Display a message box; log off user |
| XPlugPortMap | Perform port mapping; get process information |
| XPlugRegedit | Enumerate registry keys; create registry keys; delete registry keys; copy registry keys; enumerate registry entries; modify registry entries; delete registry values; get service information |
| XPlugShell | Perform remote shell |
| XPlugSQL | Connect to a database server and execute a SQL statement |
| XPlugTelnet | Host Telnet server |
Trend Micro users are protected by the Smart Protection Network™. In particular, the file reputation service detects and deletes PlugX (BKDR_PLUGX and TROJ_PLUGX). The web reputation and email reputation services block access to the related C&C servers and emails respectively. Trend Micro Deep Security users are protected from this threat via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.
Trend Micro will continue to monitor PlugX’s development and the campaign behind it.