New Wave of PlugX Targets Legitimate Apps

Noted for its stealth routine, PlugX and its developers now appear to be using several legitimate applications, in particular those used by Microsoft, Lenovo, and McAfee, in an effort to remain under the radar.

PLUGX variants are known for their use of normal applications to load their malicious .DLL components. This .DLL hijacking technique is not new and was initially discussed by Mandiant in July 2010 here. PlugX is able to use any executable and has started to use well-known applications. The malware also takes advantage of a certain vulnerability in the way an executable loads its .DLLs, specifically in how executables load the first .DLL file found in a specific folder.

Unfortunately, many applications – old and even new ones – still contain this vulnerability.
The first PlugX variant that used this technique is BKDR_PLUGX.SME. It used the legitimate NVIDIA file NvSmart.exe, which imports the functions of the malware’s malicious .DLL. Since then, PLUGX variants have been using other applications to hide their tracks from antimalware software.

Below are some of the malware variants that use various normal files to load their malicious components:

BKDR_PLUGX.DMI

  • uses HHC.EXE which is a legitimate Microsoft file for HTML Help
  • loads hha.dll, which then loads hha.dll.bak
  • both files are also detected as BKDR_PLUGX.DMI

BKDR_PLUGX.AI

  • uses CamMute.exe which is a Lenovo software related to Camera Mute Control Service for ThinkPad
  • loads CommFunc.dll, which then loads CommFunc.jax
  • both files are also detected as BKDR_PLUGX.AI

BKDR_PLUGX.AQT

  • uses Mc.exe which is a legitimate McAfee file
  • loads McUtil.dll, which then loads McUtil.dll.url
  • both files are also detected as BKDR_PLUGX.AQT
  • connects to the fake anti-malware site vip.{BLOCKED}ate.com

Note that in each case, a specific DLL was paired with an executable. New to these variants is the loading of the encrypted file with the same file name with an additional extension. Here is a code snippet that shows how the encrypted .DLL is loaded:

Figure 1. Screenshot of PlugX code snippet

Once the initial .DLL is loaded by the application, it gets its own file path and appends the second extension (.url), which is an attempt to avoid antimalware detection. The new file path is then opened using the CreateFile API. If successful, it allocates memory where the contents of the encrypted component are placed. The code from the encrypted component is then finally called via “call EBX” or another register, depending on the variant.
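As an added defender-side example (not code from the original post), the following Python script hunts for the on-disk layout described above: a host executable, a same-directory DLL, and a companion file named after that DLL with an extra or substituted extension. The directory listing is constructed for illustration; the known-pair table holds only the executable/DLL pairings named in this post.

```python
import ntpath
from collections import defaultdict

# Host-executable / loader-DLL pairings named in the post (lower-cased).
KNOWN_PAIRS = {("hhc.exe", "hha.dll"), ("cammute.exe", "commfunc.dll"),
               ("mc.exe", "mcutil.dll")}
# Common benign siblings of a DLL that share its stem; skipped to cut noise.
BENIGN_EXT = {"pdb", "lib", "exp", "manifest", "ini", "xml", "config", "txt"}

def find_sideload_triplets(paths):
    """Return (exe, dll, companion) candidates found in the same directory.

    The companion is either the DLL's full name plus one more extension
    (hha.dll.bak, McUtil.dll.url) or the DLL's stem with a different
    extension (CommFunc.jax), matching the layouts the post describes."""
    by_dir = defaultdict(list)
    for p in paths:                      # Windows paths, so split with ntpath
        d, name = ntpath.split(p)
        by_dir[d].append(name)
    hits = []
    for d, names in by_dir.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = [n for n in names if n.lower().endswith(".dll")]
        if not exes or not dlls:
            continue                     # sideloading needs a host and a DLL
        for dll in dlls:
            dl, stem = dll.lower(), dll.lower()[:-4]
            for n in names:
                nl = n.lower()
                if nl == dl or nl.endswith((".exe", ".dll")):
                    continue
                if nl.startswith(dl + "."):
                    form = "dll-name-plus-extension"
                elif nl.startswith(stem + ".") and nl.rsplit(".", 1)[1] not in BENIGN_EXT:
                    form = "stem-with-other-extension"
                else:
                    continue
                for exe in exes:
                    hits.append({"dir": d, "exe": exe, "dll": dll, "companion": n,
                                 "form": form,
                                 "known_pair": (exe.lower(), dl) in KNOWN_PAIRS})
    return hits

# Constructed directory listing for illustration; the last directory is benign.
SAMPLE_LISTING = [
    r"C:\ProgramData\Update\hhc.exe", r"C:\ProgramData\Update\hha.dll",
    r"C:\ProgramData\Update\hha.dll.bak",
    r"C:\Users\Public\Lenovo\CamMute.exe", r"C:\Users\Public\Lenovo\CommFunc.dll",
    r"C:\Users\Public\Lenovo\CommFunc.jax",
    r"C:\Tools\app.exe", r"C:\Tools\helper.dll", r"C:\Tools\helper.pdb",
]

if __name__ == "__main__":
    for h in find_sideload_triplets(SAMPLE_LISTING):
        print(h)
```

A hit whose `known_pair` is false is a naming-pattern match only and still needs the companion file inspected; a hit against a known pair warrants a closer look at the host executable's signature and origin.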

Most of these variants appear to be in Asia, particularly China, Japan, and Taiwan. Trend Micro products detect the PlugX variants mentioned in this blog entry.

During the first quarter of this year, we already reported notable malware that incorporated evasion methods. Though these efforts to evade antimalware scanning are not in themselves groundbreaking, this development in PlugX supports our prediction that this year’s threat landscape is likely to be defined by attackers ducking security researchers instead of creating new threats.

With additional analysis from Threat Researcher Abraham Camba.


Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 24 April 2013.