URL: https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html
INVESTIGATING THE PLUGX TROJAN DISGUISED AS A LEGITIMATE WINDOWS DEBUGGER TOOL

Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered
that a file called x32dbg.exe was used to sideload a malicious DLL we identified
as a variant of PlugX.

By: Buddy Tancio, Jed Valderama, Catherine Loveria | February 24, 2023 | Read time: 8 min (2045 words)



INTRODUCTION

Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered
that a file called x32dbg.exe was used (via the DLL Search Order Hijacking or
T1574.001 technique) to sideload a malicious DLL we identified as a variant of
PlugX (Trojan.Win32.KORPLUG.AJ.enc). This file is a legitimate open-source
debugger tool for Windows that is generally used to examine kernel-mode and
user-mode code, crash dumps, or CPU registers. Meanwhile, PlugX is a well-known
remote access trojan (RAT) that is used to gain remote access to and control
over compromised machines. It allows an attacker to obtain unauthorized access
to a system, steal sensitive data, and use the compromised machine for malicious
purposes. The MxDR team employed a number of advanced security technologies and
solutions to gain a comprehensive understanding of the attack, which will be
revealed in this report.


INVESTIGATING AND ANALYZING THE THREAT WITH MXDR

Because x32dbg.exe is a legitimate application carrying a valid digital
signature, it can confuse some security tools, enabling threat actors to fly
under the radar, maintain persistence, escalate privileges, and bypass file
execution restrictions.

Figure 1. A digitally signed x32dbg.exe
(ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15)

The team's attention was first drawn to the command line execution of
D:\RECYCLER.BIN\files\x32dbg.exe, which was flagged by a Vision One Workbench
alert. Further investigation revealed that this path led to a hidden folder on a
USB storage device, which was found to contain a number of threat components.

Figure 2. Workbench model triggered by the execution of x32dbg.exe

We uncovered a clear sequence of events that began with a suspicious command
line execution launched via cmd.exe. The command line executed the file
(ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15) located at
D:\RECYCLER.BIN\files\x32dbg.exe. The file was signed by "OpenSource Developer,
Duncan Ogilvie", with a certificate issued by Certum Code Signing. A visual
representation of these events is displayed in Figure 3.

Command Line: "C:\Windows\System32\cmd.exe" /q /c "\
\RECYCLER.BIN\files\x32dbg.exe"

File Path: "D:\ \ \RECYCLER.BIN\files\x32dbg.exe"

SHA256: ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15

Signer: Open-Source Developer, Duncan Ogilvie

Figure 3. Vision One shows how cmd.exe calls x32dbg.exe from the
external/non-system drive

After executing D:\RECYCLER.BIN\files\x32dbg.exe, all of the threat components
are copied to the directory
C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop.

Subsequently, the file
C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop\x32dbg.exe, a duplicate
of the original file, was invoked. The following command line was used to invoke
the dropped file:

Command Line: "C:\Windows\System32\cmd.exe" /q /c"
C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop//x32dbg.exe”

Figure 4. Files created in
C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop
Figure 5. Files created in "C:\Users\Public\Public Mediae"
Figure 6. Vision One shows how x32dbg.exe copies itself to various directories
and renames itself as Mediae.exe

C:\Users\Public\Public Mediae\Mediae.exe followed the same procedure, creating a
new directory at C:\Users\<username>\Users\ and copying the identical files, as
shown in Figure 7.

Figure 7. The same set of files were created in C:\Users\<username>\Users\

As a result, a full set of the same files was present in three different
directories. This indicated a clear attempt to establish persistence and evade
detection by placing copies of the malicious files in multiple locations on the
compromised system, specifically:

 * C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop
 * C:\Users\Public\Public Mediae\
 * C:\Users\<username>\Users\


ANALYZING PERSISTENCE: HOW THE ATTACKER MAINTAINED ACCESS

To ensure continued access to the compromised systems, the attacker installed
persistence in the registry and created scheduled tasks, so that access would
survive system restarts, credential changes, and other disruptions that could
otherwise have cost them their foothold.

Figure 8. Persistence was created in the scheduled task and run registry

We noticed the creation of a scheduled task via the schtasks command line
utility to run a task at a specific interval. In this case, the scheduled task
is set to execute the x32dbg.exe file, the open-source debugger tool that
sideloads PlugX, every five minutes. The task is disguised under the name
"LKUFORYOU_1" to make it more difficult to detect.

Commandline: schtasks  /create /sc minute /mo 5  /tn  LKUFORYOU_1  /tr
C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop\x32dbg.exe    /f

A brief summary of the parameters used:

 * /create: This option instructs the utility to create a new scheduled task.
 * /sc minute: This option sets the schedule type, so the task repeats on a
   per-minute basis (every five minutes once combined with /mo 5).
 * /mo 5: This option sets the modifier for the schedule type, which in this
   case is an interval of five minutes.
 * /tn LKUFORYOU_1: This option sets the name of the task as "LKUFORYOU_1".
 * /tr C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop\x32dbg.exe: This
   option specifies the path of the executable that will be executed when the
   task is triggered.
 * /f: This option forces the task to be created without requiring user
   confirmation.

Figure 9. The schtasks utility was used to create persistence in the scheduled
task

Further evidence supporting the persistence created by the scheduled task was
discovered in the event logs via Event ID 100, which clearly showed the
successful execution of the file (depicted in Figure 10).


Figure 10. Vision One Windows event log telemetry for LKUFORYOU

Figure 11 depicts where run registry keys were installed for persistence, and
the data associated with them. These registry keys and values enable the threat
to maintain persistence by automatically executing the x32dbg.exe file every
time the user logs in.

Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Registry Value Name: x32dbg
Registry Value Data:
C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop\x32dbg.exe

Figure 11. Persistence in the run registry (this image came from ESX testing)


HIDING IN PLAIN SIGHT: DLL SIDELOADING WITH X32DBG.EXE

We observed x32dbg.exe being used to sideload the PlugX file x32bridge.dll
(0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9, detected as
Trojan.Win32.KORPLUG.AJ). Sideloading takes advantage of the loader's DLL
search order: the malicious payload is placed side by side with the victim
program, so the program loads it in place of the legitimate DLL. Malicious
actors likely use this as cover, since their code then runs inside a trusted,
legitimate, and possibly elevated system or software process.

Figure 12. x32dbg.exe sideloaded the PlugX file x32bridge.dll
(Trojan.Win32.KORPLUG.AJ)

We observed that the file akm.dat
(0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799, detected as
Trojan.Win32.KORPLUG.AJ) was also registered and executed via rundll32, a
Windows component that attackers can abuse to proxy the execution of malicious
code. By using rundll32.exe to execute the file, the attackers can prevent
security tools from monitoring this activity.

rundll32 SHELL32.DLL, ShellExec_RunDLL rundll32
C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop\akm.dat,Start

Figure 13. The file akm.dat was executed via rundll32
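The telemetry quoted in the last two sections (the launch from RECYCLER.BIN on a non-system drive, the minute-interval schtasks persistence, the Run key, rundll32 proxying akm.dat, and the unsigned x32bridge.dll load) lends itself to simple detection rules. The following Python is an added example, not Trend Micro's code: it replays constructed Sysmon-style events whose field names (Image, CommandLine, TargetObject, ImageLoaded, SignatureStatus, Hashes) are assumptions, and the SHA256 values it matches against come from the report's IoC table.

```python
"""Detection rules for the x32dbg.exe / PlugX chain described in this report.
Added example, not Trend Micro's code: it replays constructed Sysmon-style events
(the field names Image, CommandLine, TargetObject, ImageLoaded, SignatureStatus
and Hashes are assumptions) and returns one alert string per matched rule."""
import re
from typing import Dict, List

# Persistence that points into user-writable locations is suspect on its own.
USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users)\\", re.IGNORECASE)
# Signed executables the report shows being used as sideloading hosts.
SIDELOAD_HOSTS = {"x32dbg.exe", "mediae.exe", "dism.exe", "aug.exe"}
# SHA256 values of the sideloaded components, copied from the report's IoC table.
KNOWN_BAD = {
    "0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9",  # x32bridge.dll
    "0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799",  # akm.dat
    "b4f1cae6622cd459388294afb418cb0af7a5cb82f367933e57ab8c1fb0a8a8a7",  # DismCore.dll
}

def _norm(path: str) -> str:
    """Lower-case, strip quotes and collapse the '//' seen in the second command line."""
    return re.sub(r"[\\/]+", r"\\", path.strip('"')).lower()

def _split(path: str):
    """Return (directory, file name) of a normalised path."""
    parts = _norm(path).rsplit("\\", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])

def _schtasks_args(cmdline: str) -> Dict[str, str]:
    """Pull /sc, /mo, /tn and /tr from a schtasks line; spacing is irregular, so split on whitespace runs."""
    tokens = cmdline.split()
    return {t.lower(): tokens[i + 1] for i, t in enumerate(tokens[:-1])
            if t.lower() in ("/sc", "/mo", "/tn", "/tr")}

def check_process(ev: Dict) -> List[str]:
    alerts: List[str] = []
    image, cmd = _norm(ev.get("Image", "")), ev.get("CommandLine", "")
    name, low = _split(image)[1], cmd.lower()
    # Rule 1: a known sideloading host launched from a non-system drive or a RECYCLER.BIN folder.
    if name in SIDELOAD_HOSTS and (not image.startswith("c:\\") or "\\recycler.bin\\" in image):
        alerts.append(f"removable-drive-launch: {ev['Image']} via {ev.get('ParentImage', '?')}")
    # Rule 2: minute-granularity scheduled task whose action lives in a user-writable path.
    if name == "schtasks.exe" and "/create" in low:
        a = _schtasks_args(cmd)
        if a.get("/sc", "").lower() == "minute" and USER_WRITABLE.match(_norm(a.get("/tr", ""))):
            alerts.append(f"schtasks-persistence: {a.get('/tn')} every {a.get('/mo', '1')} min -> {a['/tr']}")
    # Rule 3: rundll32 used as a proxy (ShellExec_RunDLL) or handed a module that is not a .dll.
    if name == "rundll32.exe":
        if "shellexec_rundll" in low:
            alerts.append(f"rundll32-proxy-exec: {cmd}")
        for m in re.finditer(r"([a-z]:\\[^\s,]+),(\w+)", low):
            if not m.group(1).endswith(".dll"):
                alerts.append(f"rundll32-nondll-module: {m.group(1)} export {m.group(2)}")
    return alerts

def check_registry(ev: Dict) -> List[str]:
    """Rule 4: a Run key whose data points into a user-writable path."""
    key, data = ev.get("TargetObject", "").lower(), _norm(ev.get("Details", ""))
    if "\\currentversion\\run\\" in key and USER_WRITABLE.match(data):
        return [f"run-key-persistence: {ev['TargetObject']} -> {ev['Details']}"]
    return []

def check_image_load(ev: Dict) -> List[str]:
    """Rule 5: a sideloading host loads an unsigned DLL from its own directory.
    Rule 6: the loaded module's SHA256 is in the report's IoC list."""
    alerts: List[str] = []
    host, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if (_split(host)[1] in SIDELOAD_HOSTS and _split(host)[0] == _split(dll)[0]
            and ev.get("SignatureStatus", "").lower() != "valid"):
        alerts.append(f"dll-sideload: {host} loaded unsigned {dll}")
    hashes = dict(p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
    if hashes.get("SHA256", "").lower() in KNOWN_BAD:
        alerts.append(f"ioc-hash-match: {dll} SHA256={hashes['SHA256']}")
    return alerts

def detect(events: List[Dict]) -> List[str]:
    handlers = {"ProcessCreate": check_process, "RegistrySet": check_registry,
                "ImageLoad": check_image_load}
    return [a for ev in events for a in handlers.get(ev.get("EventType"), lambda _e: [])(ev)]

DESKTOP = r"C:\ProgramData\UsersDate\Windows_NT\Windows\User\Desktop"
# Constructed events mirroring the telemetry quoted in this report, plus a benign control.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"D:\RECYCLER.BIN\files\x32dbg.exe", "CommandLine": r"D:\RECYCLER.BIN\files\x32dbg.exe"},
    {"EventType": "ProcessCreate", "ParentImage": DESKTOP + r"\x32dbg.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks  /create /sc minute /mo 5  /tn  LKUFORYOU_1  /tr " + DESKTOP + r"\x32dbg.exe    /f"},
    {"EventType": "ProcessCreate", "ParentImage": DESKTOP + r"\x32dbg.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32 SHELL32.DLL, ShellExec_RunDLL rundll32 " + DESKTOP + r"\akm.dat,Start"},
    {"EventType": "RegistrySet", "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x32dbg",
     "Details": DESKTOP + r"\x32dbg.exe"},
    {"EventType": "ImageLoad", "Image": DESKTOP + r"\x32dbg.exe", "ImageLoaded": DESKTOP + r"\x32bridge.dll",
     "SignatureStatus": "Unavailable", "Hashes": "SHA256=0490CEACE858FF7949B90AB4ACF4867878815D2557089C179C9971B2DD0918B9"},
    {"EventType": "ImageLoad", "Image": DESKTOP + r"\x32dbg.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "SignatureStatus": "Valid", "Hashes": "SHA256=00"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 5 alone would also fire on a portable x64dbg install carried in a user directory, so treat it as a triage signal that gains weight when the other rules fire on the same host.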


UNVEILING THE TACTICS USED: AN IN-DEPTH ANALYSIS OF THE THREAT

Through reverse engineering, we were able to gain a deep understanding of how
the threat operates. By analyzing the tactics and techniques used by the
attacker, we can identify and prevent similar attacks in the future.

Our analysis of this attack in VisionOne revealed that the threat heavily relied
on DLL sideloading, which is a typical behavior of PlugX. However, this variant
was unique in that it employed several components to perform various functions,
including persistence, propagation, and backdoor communication. As a result, we
were able to identify and isolate the different files used by the attacker in
their routine.


PERSISTENCE AND PROPAGATION: X32DBG.EXE (WITH THE COMPONENTS X32BRIDGE.DLL AND
X32BRIDGE.DAT)

The file x32dbg.exe is a legitimate executable of a debugging software which,
when executed, imports x32bridge.dll and calls the functions BridgeStart and
BridgeInit. The attackers took advantage of this and replaced the DLL with their
own, containing the same export functions but executing entirely different
code:

 * BridgeStart – dummy code that does nothing
 * BridgeInit – loads x32bridge.dat, decrypts its contents, then proceeds with
   the execution of the decrypted code.

Figure 14. The structure of x32dbg.exe and x32bridge.dll

The hardcoded key “HELLO_USA_PRISIDENT” is used to decode x32bridge.dat, after
which execution will continue on the decrypted code.

Figure 15. Decoding x32bridge.dat using the hardcoded key

It then checks for an event named LKU_Test_0.1 (or creates it if not found).
This is followed by the execution of akm.dat found in the same folder.

Figure 16. Executing akm.dat

Next, it creates the scheduled task LKUFORYOU_1 to run x32dbg.exe persistently
like what was observed in our VisionOne investigation.

It then enumerates all drives and takes note of removable drives for its
propagation routine. When one is found, it deletes the files from any existing
RECYCLER.BIN folder before creating a new one. It copies its components that
have the file extensions .exe, .dll, and .dat to the newly created folder and
adds a desktop.ini file.

Figure 17. Deleting the existing RECYCLER.BIN folder and creating a new one

Next, it proceeds to its installation routine, where it copies all its
components to the several folders listed in the Vision One analysis.

Figure 18. The installation routine

Once installed, it will run the file Mediae.exe (same file as x32dbg.exe), which
will remain in memory, looping through the aforementioned routines.


Figure 19. Running Mediae.exe

Mediae.exe also creates the event LKU_Test_0.2, possibly to signal a successful
installation.

Figure 20. Creating LKU_Test_0.2

As also seen in the Vision One analysis, the malware checks if it already has an
AutoStart registry key (x32dbg), and creates one if there isn't one. Note that
the execution path may vary depending on where x32dbg.exe / Mediae.exe was
executed.


NEXT STAGE LOADER: AKM.DAT

The file akm.dat is a DLL with a straightforward function — to execute the next
phase of the DLL sideloading routine. Its export function Start will execute the
file AUG.exe (also included in the previous installation from x32dbg.exe).

Figure 21. The Start function executing AUG.exe


THE BACKDOOR UDP SHELL: AUG.EXE (WITH THE COMPONENTS DISMCORE.DLL AND
GROZA_1.DAT)

AUG.exe is a copy of DISM.EXE, a legitimate Microsoft file which is also
vulnerable to DLL sideloading. It imports the function DllGetClassObject from
DismCore.dll, which will decrypt the contents of Groza_1.dat using the hardcoded
key “Hapenexx is very bad”.

Figure 22. Decrypting Groza_1.dat using the hardcoded key

The execution will continue on the decrypted code, which is a UDP Shell client
that does the following:

 * Collects host information such as the hostname, IP address and MAC address
   and sends it to its command-and-control (C&C) server 160[.]20[.]147[.]254
 * Creates a thread to continuously wait for C&C commands
 * Decrypts C&C communication using the hardcoded key "Happiness is a way
   station between too much and too little."
 * Hardcoded debug info found in the file: C:\Users\guss\Desktop\Recent Work\UDP
   SHELL\0.7 DLL\UDPDLL\Release\UDPDLL.pdb


Figure 23. The UDP shell client


CONCLUSION AND RECOMMENDATIONS

The discovery and analysis of the malware attack using the open-source debugger
tool x32dbg.exe shows us that DLL sideloading is still used by threat actors
today because it is an effective way to circumvent security measures and gain
control of a target system. Despite advances in security technology, attackers
continue to use this technique since it exploits a fundamental trust in
legitimate applications. This technique will remain viable for attackers to
deliver malware and gain access to sensitive information as long as systems and
applications continue to trust and load dynamic libraries.

This incident highlights the importance of having a strong and robust
cybersecurity system in place, as threat actors continue to find new ways to
exploit vulnerabilities and launch sophisticated attacks. Trend Micro Managed
Extended Detection and Response (MxDR) helps in the prevention of DLL
sideloading attacks by taking a comprehensive approach to detecting,
investigating, and responding to security incidents.

Trend XDR integrates a variety of security technologies, such as endpoint
protection, network security, and cloud security, to provide a comprehensive
picture of an organization's security posture. This enables MxDR to detect and
prevent DLL sideloading attacks by detecting and blocking malicious activity at
various stages of the attack lifecycle before it can cause harm. Furthermore,
XDR can perform in-depth analysis and investigation of security incidents,
allowing organizations to understand the impact and scope of an attack and
respond appropriately.

Here are some recommendations that IT administrators can put into place to
prevent DLL sideloading attacks:

 * Implement whitelisting: Allow only known and trusted applications to run on
   the system while blocking any suspicious or unknown ones.
 * Use signed code: Ensure that all DLLs are signed with a trusted digital
   signature to ensure their authenticity and integrity.
 * Monitor and control application execution: Monitor and control the execution
   of applications and their dependencies, including DLLs, to detect and prevent
   malicious activities.
 * Educate end users: Inform users about the dangers of DLL sideloading attacks
   and encourage them to exercise caution when installing or running unfamiliar
   software.
 * Endpoint protection: Use endpoint protection solutions that offer behavioral
   analysis and predictive machine learning for better security capabilities.
 * Implement effective incident response plans: Establish a clear and
   well-defined incident response plan to detect, contain, and respond to
   security incidents as quickly as possible.


INDICATORS OF COMPROMISE

File name       SHA256                                                            Detection name
x32dbg.exe      ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15  Legitimate Windows debugger
x32bridge.dll   0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9  Trojan.Win32.KORPLUG.AJ
akm.dat         0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799  Trojan.Win32.KORPLUG.AJ
x32bridge.dat   e72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41ec0e172  Trojan.Win32.KORPLUG.AJ.enc
DismCore.dll    b4f1cae6622cd459388294afb418cb0af7a5cb82f367933e57ab8c1fb0a8a8a7  Trojan.Win32.KORPLUG.AJ
Groza_1.dat     553ff37a1eb7e8dc226a83fa143d6aab8a305771bf0cec7b94f4202dcd1f55b2  Trojan.Win32.KORPLUG.AJ.enc

IP address / URL      Description
160[.]20[.]147[.]254  C&C Server

Tags
Malware | Endpoints | Research | Articles, News, Reports


AUTHORS

 * Buddy Tancio
   
   Threats Analyst

 * Jed Valderama
   
   Threats Analyst

 * Catherine Loveria
   
   Threats Analyst

Copyright © 2023 Trend Micro Incorporated. All rights reserved.

sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk

This website uses cookies for website functionality, traffic analytics,
personalization, social media functionality and advertising. Our Cookie Notice
provides more information and explains how to amend your cookie settings.Learn
more

Cookies Settings Accept




English
Accessibility Adjustments
Reset Settings Statement Hide Interface

Choose the right accessibility profile for you
OFF ON
Seizure Safe Profile Clear flashes & reduces color
This profile enables epileptic and seizure prone users to browse safely by
eliminating the risk of seizures that result from flashing or blinking
animations and risky color combinations.
OFF ON
Vision Impaired Profile Enhances website's visuals
This profile adjusts the website, so that it is accessible to the majority of
visual impairments such as Degrading Eyesight, Tunnel Vision, Cataract,
Glaucoma, and others.
OFF ON
ADHD Friendly Profile More focus & fewer distractions
This profile significantly reduces distractions, to help people with ADHD and
Neurodevelopmental disorders browse, read, and focus on the essential elements
of the website more easily.
OFF ON
Cognitive Disability Profile Assists with reading & focusing
This profile provides various assistive features to help users with cognitive
disabilities such as Autism, Dyslexia, CVA, and others, to focus on the
essential elements of the website more easily.
OFF ON
Keyboard Navigation (Motor) Use website with the keyboard
This profile enables motor-impaired persons to operate the website using the
keyboard Tab, Shift+Tab, and the Enter keys. Users can also use shortcuts such
as “M” (menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics)
to jump to specific elements.

Note: This profile prompts automatically for keyboard users.
OFF ON
Blind Users (Screen Reader) Optimize website for screen-readers
This profile adjusts the website to be compatible with screen-readers such as
JAWS, NVDA, VoiceOver, and TalkBack. A screen-reader is software that is
installed on the blind user’s computer and smartphone, and websites should
ensure compatibility with it.

Note: This profile prompts automatically to screen-readers.
Content Adjustments
Content Scaling
Default

Readable Font
Highlight Titles
Highlight Links
Text Magnifier
Adjust Font Sizing
Default

Align Center
Adjust Line Height
Default

Align Left
Adjust Letter Spacing
Default

Align Right
Color Adjustments
Dark Contrast
Light Contrast
High Contrast
High Saturation
Adjust Text Colors
Cancel
Monochrome
Adjust Title Colors
Cancel
Low Saturation
Adjust Background Colors
Cancel
Orientation Adjustments
Mute Sounds
Hide Images
Read Mode
Reading Guide
Useful Links
Select an option Home Header Footer Main Content
Stop Animations
Reading Mask
Highlight Hover
Highlight Focus
Big Black Cursor
Big White Cursor
HIDDEN_ADJUSTMENTS
Keyboard Navigation
Accessible Mode
Screen Reader Adjustments
Read Mode
Web Accessibility By
Learn More
Choose the Interface Language
English
Español
Deutsch
Português
Français
Italiano
עברית
繁體中文
Pусский
عربى
عربى
Nederlands
繁體中文
日本語
Polski
Türk
Accessibility StatementCompliance status

We firmly believe that the internet should be available and accessible to anyone
and are committed to providing a website that is accessible to the broadest
possible audience, regardless of ability.

To fulfill this, we aim to adhere as strictly as possible to the World Wide Web
Consortium’s (W3C) Web Content Accessibility Guidelines 2.1 (WCAG 2.1) at the AA
level. These guidelines explain how to make web content accessible to people
with a wide array of disabilities. Complying with those guidelines helps us
ensure that the website is accessible to blind people, people with motor
impairments, visual impairment, cognitive disabilities, and more.

This website utilizes various technologies that are meant to make it as
accessible as possible at all times. We utilize an accessibility interface that
allows persons with specific disabilities to adjust the website’s UI (user
interface) and design it to their personal needs.

Additionally, the website utilizes an AI-based application that runs in the
background and optimizes its accessibility level constantly. This application
remediates the website’s HTML, adapts its functionality and behavior for
screen-readers used by blind users, and for keyboard functions used by
individuals with motor impairments.

If you wish to contact the website’s owner please use the website's form

Screen-reader and keyboard navigation

Our website implements the ARIA attributes (Accessible Rich Internet
Applications) technique, alongside various behavioral changes, to ensure blind
users visiting with screen-readers can read, comprehend, and enjoy the website’s
functions. As soon as a user with a screen-reader enters your site, they
immediately receive a prompt to enter the Screen-Reader Profile so they can
browse and operate your site effectively. Here’s how our website covers some of
the most important screen-reader requirements:

 1. Screen-reader optimization: we run a process that learns the website’s
    components from top to bottom, to ensure ongoing compliance even when
    updating the website. In this process, we provide screen-readers with
    meaningful data using the ARIA set of attributes. For example, we provide
    accurate form labels; descriptions for actionable icons (social media icons,
    search icons, cart icons, etc.); validation guidance for form inputs;
    element roles such as buttons, menus, modal dialogues (popups), and others. 
    
    Additionally, the background process scans all of the website’s images. It
    provides an accurate and meaningful image-object-recognition-based
    description as an ALT (alternate text) tag for images that are not
    described. It will also extract texts embedded within the image using an OCR
    (optical character recognition) technology. To turn on screen-reader
    adjustments at any time, users need only to press the Alt+1 keyboard
    combination. Screen-reader users also get automatic announcements to turn
    the Screen-reader mode on as soon as they enter the website.
    
    These adjustments are compatible with popular screen readers such as JAWS,
    NVDA, VoiceOver, and TalkBack.
    
    
 2. Keyboard navigation optimization: The background process also adjusts the
    website’s HTML and adds various behaviors using JavaScript code to make the
    website operable by the keyboard. This includes the ability to navigate the
    website using the Tab and Shift+Tab keys, operate dropdowns with the arrow
    keys, close them with Esc, trigger buttons and links using the Enter key,
    navigate between radio and checkbox elements using the arrow keys, and fill
    them in with the Spacebar or Enter key.
    
    Additionally, keyboard users will find content-skip menus available at any
    time by clicking Alt+2, or as the first element of the site while navigating
    with the keyboard. The background process also handles triggered popups by
    moving the keyboard focus towards them as soon as they appear, not allowing
    the focus to drift outside.
    
    Users can also use shortcuts such as “M” (menus), “H” (headings), “F”
    (forms), “B” (buttons), and “G” (graphics) to jump to specific elements.

Disability profiles supported on our website
 * Epilepsy Safe Profile: this profile enables people with epilepsy to safely
   use the website by eliminating the risk of seizures resulting from flashing
   or blinking animations and risky color combinations.
 * Vision Impaired Profile: this profile adjusts the website so that it is
   accessible to the majority of visual impairments such as Degrading Eyesight,
   Tunnel Vision, Cataract, Glaucoma, and others.
 * Cognitive Disability Profile: this profile provides various assistive
   features to help users with cognitive disabilities such as Autism, Dyslexia,
   CVA, and others, to focus on the essential elements more easily.
 * ADHD Friendly Profile: this profile significantly reduces distractions and
   noise to help people with ADHD, and Neurodevelopmental disorders browse,
   read, and focus on the essential elements more easily.
 * Blind Users Profile (Screen-readers): this profile adjusts the website to be
   compatible with screen-readers such as JAWS, NVDA, VoiceOver, and TalkBack. A
   screen-reader is installed on the blind user’s computer, and this site is
   compatible with it.
 * Keyboard Navigation Profile (Motor-Impaired): this profile enables
   motor-impaired persons to operate the website using the keyboard Tab,
   Shift+Tab, and the Enter keys. Users can also use shortcuts such as “M”
   (menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics) to
   jump to specific elements.

Additional UI, design, and readability adjustments
 1. Font adjustments – users can increase and decrease its size, change its
    family (type), adjust the spacing, alignment, line height, and more.
 2. Color adjustments – users can select various color contrast profiles such as
    light, dark, inverted, and monochrome. Additionally, users can swap color
    schemes of titles, texts, and backgrounds with over seven different coloring
    options.
 3. Animations – epileptic users can stop all running animations with the click
    of a button. Animations controlled by the interface include videos, GIFs,
    and CSS flashing transitions.
 4. Content highlighting – users can choose to emphasize essential elements such
    as links and titles. They can also choose to highlight focused or hovered
    elements only.
 5. Audio muting – users with hearing devices may experience headaches or other
    issues due to automatic audio playing. This option lets users mute the
    entire website instantly.
 6. Cognitive disorders – we utilize a search engine linked to Wikipedia and
    Wiktionary, allowing people with cognitive disorders to decipher meanings of
    phrases, initials, slang, and others.
 7. Additional functions – we allow users to change cursor color and size, use a
    printing mode, enable a virtual keyboard, and many other functions.

Assistive technology and browser compatibility

We aim to support as many browsers and assistive technologies as possible, so
our users can choose the best fitting tools for them, with as few limitations as
possible. Therefore, we have worked very hard to be able to support all major
systems that comprise over 95% of the user market share, including Google
Chrome, Mozilla Firefox, Apple Safari, Opera and Microsoft Edge, JAWS, and NVDA
(screen readers), both for Windows and MAC users.

Notes, comments, and feedback

Despite our very best efforts to allow anybody to adjust the website to their
needs, there may still be pages or sections that are not fully accessible, are
in the process of becoming accessible, or are lacking an adequate technological
solution to make them accessible. Still, we are continually improving our
accessibility, adding, updating, improving its options and features, and
developing and adopting new technologies. All this is meant to reach the optimal
level of accessibility following technological advancements. If you wish to
contact the website’s owner, please use the website's form

Hide Accessibility Interface? Please note: If you choose to hide the
accessibility interface, you won't be able to see it anymore, unless you clear
your browsing history and data. Are you sure that you wish to hide the
interface?
Accept Cancel

Continue



Processing the data, please give it a few seconds...
Press Alt+1 for screen-reader mode


Sumo