PlugX: New Tool For a Not So New Campaign

Earlier this year, a new breed of Remote Access Tool (RAT) called PlugX (also known as Korplug) surfaced in the wild. PlugX, reportedly used in a limited number of targeted attacks, is an example of a custom-made RAT developed specifically for this purpose.

The idea behind using this new tool is simple: a tool that security researchers have not yet seen is harder to recognize and easier to keep hidden. However, this does not mean that the attack itself is new. Our monitoring reveals that PlugX is part of a campaign that has been active since February 2008.

The said campaign used the Poison Ivy RAT and was reported to target specific users in Japan, China, and Taiwan. It was also part of a large, concerted attack documented earlier this year. True to its origins, we have observed that PlugX was distributed mainly to government-related organizations and a specific corporation in Japan.

Similar to previous Poison Ivy campaigns, PlugX also arrives as an attachment to spear-phishing emails, either as an archived, bundled file or as a specially crafted document that exploits a vulnerability in Adobe Acrobat Reader or Microsoft Office. We've also encountered an instance of PlugX aimed at a South Korean Internet company and a U.S. engineering firm.

Poison Ivy and PlugX C&C Servers: A Relationship in Bloom

During our monitoring, we initially saw a PlugX variant that connects to a command-and-control (C&C) server named eonceo.{BLOCKED}-show.org. Historical data identified this as a well-known Poison Ivy C&C. Using the IP address that eonceo.{BLOCKED}-show.org resolved to, we mapped out several other C&Cs under its domain. These C&Cs appear to have been used by both Poison Ivy and PlugX variants.

The diagram below shows the relationships between the resolved IP address, the C&C domains, the RAT variants, and the dates when these RATs were distributed. Note that for the older variants, we used the earliest estimated date of their appearance.
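The infrastructure pivot described above (start from one known C&C hostname, take the IP it resolved to, then collect every other hostname that resolved to the same address, together with the RAT family and first-seen date of each) is a routine passive-DNS analysis step. The following is an added example, not code from the original post or from Trend Micro: it runs the pivot over a small constructed dataset in the style of passive-DNS records. The seed hostname is the redacted name quoted in the post; every other hostname, IP address (documentation ranges), date and family label is made up for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DnsObservation:
    """One passive-DNS style record: hostname, resolved IP, first sighting, RAT family."""
    domain: str
    ip: str
    first_seen: date
    family: str


# Constructed dataset (not real data). Only the seed hostname comes from the post;
# the remaining hostnames, IPs, dates and family labels are invented for the demo.
OBSERVATIONS = [
    DnsObservation("eonceo.{BLOCKED}-show.org", "192.0.2.10", date(2008, 2, 1), "PoisonIvy"),
    DnsObservation("c2-alpha.example.invalid", "192.0.2.10", date(2010, 6, 12), "PoisonIvy"),
    DnsObservation("c2-beta.example.invalid", "192.0.2.10", date(2012, 3, 5), "PlugX"),
    DnsObservation("c2-gamma.example.invalid", "192.0.2.10", date(2012, 7, 20), "PlugX"),
    # A hostname on a different IP: must not be pulled in by the pivot.
    DnsObservation("unrelated.example.invalid", "198.51.100.7", date(2011, 1, 1), "PoisonIvy"),
]


def seed_ips(observations, seed_domain):
    """All IPs the seed hostname ever resolved to (the pivot key)."""
    return {o.ip for o in observations if o.domain == seed_domain}


def pivot_related_domains(observations, seed_domain):
    """Every hostname that shared at least one resolved IP with the seed hostname."""
    ips = seed_ips(observations, seed_domain)
    return sorted({o.domain for o in observations if o.ip in ips})


def build_timeline(observations, seed_domain):
    """Per shared IP, the (first_seen, hostname, family) entries in chronological order.

    This is the data behind a relationship diagram: one node per IP, one edge per
    hostname, annotated with when the RAT using it was first observed.
    """
    ips = seed_ips(observations, seed_domain)
    timeline = defaultdict(list)
    for o in sorted(observations, key=lambda rec: rec.first_seen):
        if o.ip in ips:
            timeline[o.ip].append((o.first_seen.isoformat(), o.domain, o.family))
    return dict(timeline)


def families_per_ip(observations, seed_domain):
    """Which RAT families were seen on each IP shared with the seed hostname.

    More than one family on the same address is the overlap the post describes:
    a newer tool being run from infrastructure already used by an older one.
    """
    return {
        ip: sorted({fam for _, _, fam in entries})
        for ip, entries in build_timeline(observations, seed_domain).items()
    }


if __name__ == "__main__":
    seed = "eonceo.{BLOCKED}-show.org"
    for ip, entries in build_timeline(OBSERVATIONS, seed).items():
        print(f"{ip}: families {families_per_ip(OBSERVATIONS, seed)[ip]}")
        for first_seen, domain, family in entries:
            print(f"  {first_seen}  {domain:<32} {family}")
```

The pivot deliberately keys on the IP addresses the seed hostname resolved to rather than on the registered domain, so hostnames under other domains that were parked on the same address are found too; a real passive-DNS source would add last-seen dates and record types, but the grouping logic stays the same.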

In the above diagram, we can see that although the campaign now uses the new PlugX RAT, the attackers are still distributing it in parallel with older, more stable Poison Ivy variants. Because PlugX variants drop a debug log file in %System Root%\Documents and Settings\All Users\SxS\bug.log, we also suspect that PlugX may still be in its beta stages. This log file records possible errors in the RAT's code, which may later be uploaded to the attackers' C&C server for auditing.

While custom-made RATs developed for targeted attacks are not new, the people behind PlugX are already distributing the RAT despite it being in beta. As malicious actors who have been active since 2008, they may be onto something: it is possible that they will use their targets' machines to improve their RAT for future, more troublesome campaigns.

Unfortunately, any serious error in the RAT's code may be problematic not only for its creators but also for the computers infected with the RAT. One such effect is the corruption of documents on the PlugX-infected computer while the RAT is being accessed from outside.

Trend Micro users are protected by the Smart Protection Network. In particular, the file reputation service detects and deletes PlugX (BKDR_PLUGX and TROJ_PLUGX) and Poison Ivy (BKDR_POISON) variants. The web reputation and email reputation services block access to the said C&C servers and the related emails, respectively.

Trend Micro continues to monitor PlugX’s development and the campaign behind it.

Post from: TrendLabs | Malware Blog – by Trend Micro

Story added 10 September 2012.