PlugX is a remote access tool that has existed since 2008 and has a notorious history as malware. According to the researchers, the tool became quite active and popular in 2014 and serves as a go-to malware for many adversary groups.
A great deal of the attacks, namely the ones that occurred during the second half of 2014, have used that tool. According to the researchers, PlugX's further proliferation will enable attackers to log keystrokes, copy and modify files, capture screenshots, terminate processes, log off users, and fully reboot machines.
The Global Threat Report by Crowdstrike, which was released yesterday, confirms that this malware was the most used one in regards to targeted activity in 2014. The malware is now the tool of choice for many adversary groups based in China.
Among the ways the malware improved in 2014, and then caught on, was by altering the way in which it communicates with its infrastructure up the chain. The malware implements a new DNS module for command and control and is thus able to send its data in the form of long DNS queries to the overseeing infrastructure.
In other words, the malware is modifying the way that HTTP and DNS requests are produced. Crowdstrike calls this a deviation from the typically monitored protocols, and it made the malware harder for researchers to detect. The increased usage of PlugX indicates a greater confidence in the platform's capabilities, which justifies its prolonged usage across multiple countries and sectors.
Crowdstrike has caught a group that uses PlugX on victim machines and goes under the name Hurricane Panda. The hacking collective uses the custom DNS feature of the malware in order to spoof four DNS servers with domains as popular as Adobe.com, Pinterest.com and Github.com. The malware replaced their legitimate IP addresses, setting these domains to point to a PlugX C&C node.
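The two behaviours described above, data carried in unusually long DNS queries and well-known domains resolving to an attacker-controlled address, are both visible in resolver logs. The following is an added detection example, not code from the article or from Crowdstrike: it runs two heuristics over a handful of constructed log lines (the line format, the `EXPECTED_RANGES` allowlist and every IP address are placeholders; the addresses come from the RFC 5737 documentation ranges) and reports which queries trip which rule.

```python
import math
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of resolver log lines; none of these come from the
# article or from a real capture. Assumed format: "<client> <qname> <answer_ip>".
# The fourth line carries a hex-encoded payload in its leftmost label.
SAMPLE_LOG = [
    "10.0.0.5 www.adobe.com 192.0.2.10",
    "10.0.0.5 github.com 203.0.113.42",
    "10.0.0.7 mail.example.org 198.51.100.10",
    "10.0.0.7 4a6f686e20446f65204b65797374726f6b65732030303031.telemetry.example-cdn.net 198.51.100.77",
    "10.0.0.9 www.pinterest.com 192.0.2.20",
]

# Placeholder allowlist: where each well-known domain is expected to resolve.
# Real values would come from the organisation's own baseline, not from here.
EXPECTED_RANGES = {
    "adobe.com": [ip_network("192.0.2.0/25")],
    "github.com": [ip_network("192.0.2.128/25")],
    "pinterest.com": [ip_network("192.0.2.0/24")],
}

# Heuristic thresholds (assumed, tune against your own traffic).
MAX_LABEL_LEN = 32        # labels this long are unusual for human-named hosts
MAX_QUERY_LEN = 64        # total qname length
MIN_LABEL_ENTROPY = 2.8   # bits per character; encoded payloads score high


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive 'last two labels' reduction. Good enough for the sample; a real
    deployment would consult a public-suffix list."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_query_shape(qname):
    """Reasons a query name looks like it carries data, or [] if it looks normal."""
    reasons = []
    labels = qname.rstrip(".").split(".")
    longest = max(labels, key=len)
    if len(qname) > MAX_QUERY_LEN:
        reasons.append(f"query length {len(qname)} > {MAX_QUERY_LEN}")
    if len(longest) > MAX_LABEL_LEN:
        reasons.append(f"label length {len(longest)} > {MAX_LABEL_LEN}")
    ent = shannon_entropy(longest)
    if len(longest) >= 16 and ent > MIN_LABEL_ENTROPY:
        reasons.append(f"label entropy {ent:.2f} bits/char")
    return reasons


def check_resolution(qname, answer_ip):
    """Flag a well-known domain that resolved outside its expected ranges."""
    dom = registered_domain(qname)
    ranges = EXPECTED_RANGES.get(dom)
    if ranges is None:
        return []                      # not a domain we baseline
    ip = ip_address(answer_ip)
    if any(ip in net for net in ranges):
        return []
    return [f"{dom} resolved to unexpected address {answer_ip}"]


def analyze(lines):
    """Return {qname: [reasons]} for every log line that trips a rule."""
    findings = {}
    for line in lines:
        _client, qname, answer = line.split()
        reasons = check_query_shape(qname) + check_resolution(qname, answer)
        if reasons:
            findings[qname] = reasons
    return findings


if __name__ == "__main__":
    for name, why in analyze(SAMPLE_LOG).items():
        print(name)
        for r in why:
            print("   ", r)
```

The resolution check is the cheaper and more reliable of the two: a domain the organisation already knows suddenly answering from an unfamiliar network is a strong signal regardless of how the query itself looks. The shape check is a heuristic and will need its thresholds fitted to local traffic, since CDNs and some legitimate telemetry also emit long, high-entropy labels.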
The malware is usually spread through a phishing attack. In some cases the attacks go on to leverage a zero-day, CVE-2014-1761, which exploits vulnerable Microsoft Word and RTF documents. Others use older holes such as CVE-2012-0158 in Excel and PowerPoint. The latter was used in the Cloud Atlas, Red October and IceFrog attacks.
Researchers confirm that some of the cyber criminals who are using PlugX have registered new domains for the malware's C&C. However, older domains are still active, which means that the malware shows persistence over the years.
How did this malware manage to become so commonplace?
There are two possible explanations:
- There is a central malware dissemination channel which is pushing PlugX to the adversary groups, or
- there are groups that had not used PlugX before and got copies of it through cybercriminals or public repositories.
In both cases, the malware is usually used by attackers who come from China or who work for countries under the influence of China. This malware has been used in political attacks and in recurring attacks against various commercial entities in the United States. According to Crowdstrike, however, the rapid spread of the malware could be a sign of its future use on a worldwide basis.
The constant development of PlugX gives attackers flexible capability and requires serious vigilance by network defenders to detect and block it.