PlugX (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.plugx (Back to overview)

PlugX

aka: Destroy RAT, Kaba, Korplug, Sogu, TIGERPLUG

Actor(s): APT 22, APT 26, APT31, APT41, Aurora Panda, Calypso group, DragonOK, Emissary Panda, Hellsing, Hurricane Panda, Leviathan, Mirage, Mustang Panda, NetTraveler, Nightshade Panda, Samurai Panda, Stone Panda, UPS, Violin Panda

RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.

Notable features of this malware family are the ability to execute commands on the affected machine to retrieve:
machine information
capture the screen
send keyboard and mouse events
keylogging
reboot the system
manage processes (create, kill and enumerate)
manage services (create, start, stop, etc.); and
manage Windows registry entries, open a shell, etc.

The malware also logs its events in a text log file.

References

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader

2021-01-20 ⋅ Trend Micro ⋅ Gilbert Sison, Abraham Camba, Ryan Maglaque
XDR investigation uncovers PlugX, unique technique in APT attack
PlugX

2021-01-15 ⋅ Swisscom ⋅ Markus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT

2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad

2021-01-04 ⋅ Bleeping Computer ⋅ Ionut Ilascu
China's APT hackers move to ransomware attacks
Clambling PlugX

2020-12-24 ⋅ IronNet ⋅ Adam Hlavek
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti

2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare
Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger

2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern
APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX Tmanger

2020-11-23 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
PlugX

2020-11-20 ⋅ Trend Micro ⋅ Abraham Camba, Bren Matthew Ebriega, Gilbert Sison
Weaponizing Open Source Software for Targeted Attacks
LaZagne Defray PlugX

2020-11-04 ⋅ Sophos ⋅ Gabor Szappanos
A new APT uses DLL side-loads to “KilllSomeOne”
PlugX

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti

2020-10-27 ⋅ Dr.Web ⋅ Dr.Web
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad

2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti

2020-09-15 ⋅ Recorded Future ⋅ Insikt Group®
Back Despite Disruption: RedDelta Resumes Operations
PlugX

2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33

2020-07-29 ⋅ Recorded Future ⋅ Insikt Group
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
PlugX

2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor

2020-07-28 ⋅ NTT ⋅ NTT Security
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX

2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell

2020-07-20 ⋅ Dr.Web ⋅ Dr.Web
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird

2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu
Chinese state hackers target Hong Kong Catholic Church
PlugX

2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing

2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
PlugX

2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller
Tweet on SOGU development timeline, including TIGERPLUG IOCs
PlugX

2020-05-14 ⋅ Lab52 ⋅ Dex
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT

2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX

2020-03-19 ⋅ VinCSS ⋅ m4n0w4r
Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2
PlugX

2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy

2020-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare

2020-02-28 ⋅ Recorded Future ⋅ Insikt Group®
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad

2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT

2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT

2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen
CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX

2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard
New wave of PlugX targets Hong Kong
PlugX

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse

2020-01 ⋅ Dragos ⋅ Joe Slowik
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE OLIVE
ANGRYREBEL PlugX APT 22

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE WOODLAND
PlugX Zeus Roaming Tiger

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK

2019-12-29 ⋅ Secureworks ⋅ CTU Research Team
BRONZE PRESIDENT Targets NGOs
PlugX BRONZE PRESIDENT

2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler
Fresh PlugX October 2019
PlugX

2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX

2019-10-31 ⋅ PTSecurity ⋅ PTSecurity
Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX

2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe
PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX

2019-06-03 ⋅ FireEye ⋅ Chi-en Shen
Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust

2019-05-24 ⋅ Fortinet ⋅ Ben Hunter
Uncovering new Activity by APT10
PlugX Quasar RAT

2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team
SectorM04 Targeting Singapore – An Analysis
PlugX Termite

2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD
Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves

2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
Malware Analysis - PlugX - Part 2
PlugX

2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov
Time of death? A therapeutic postmortem of connected medicine
PlugX

2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
MALWARE ANALYSIS – PLUGX
PlugX

2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa
Relationship between PlugX and attacker group "DragonOK"
PlugX

2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic
Paranoid PlugX
PlugX

2017-04-27 ⋅ US-CERT ⋅ US-CERT
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves

2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves

2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT

2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
PlugX

2017-02-13 ⋅ RSA ⋅ RSA Research
KINGSLAYER – A SUPPLY CHAIN ATTACK
CodeKey PlugX

2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs
Unpacking the spyware disguised as antivirus
PlugX

2016-06-13 ⋅ Macnica Networks ⋅ Macnica Networks
Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition
Emdivi PlugX

2016-01-22 ⋅ RSA Link ⋅ Norton Santos
PlugX APT Malware
PlugX

2015-08 ⋅ Arbor Networks ⋅ ASERT Team
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT Group 27

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Analysis of a Recent PlugX Variant - “P2P PlugX”
PlugX

2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos
PlugX - The Next Generation
PlugX

2014-06-10 ⋅ FireEye ⋅ Mike Scott
Clandestine Fox, Part Deux
PlugX

2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud
PlugX: some uncovered points
PlugX

2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
PlugX

Yara Rules

[TLP:WHITE] win_plugx_auto (20201023 | autogenerated rule brought to you by yara-signator)

rule win_plugx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bec a1???????? 83ec5c 53 56 }
            // n = 5, score = 1000
            //   8bec                 | mov                 ebp, esp
            //   a1????????           |                     
            //   83ec5c               | sub                 esp, 0x5c
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_1 = { 014710 01462c 8b462c 83c40c 3b4614 }
            // n = 5, score = 1000
            //   014710               | add                 dword ptr [edi + 0x10], eax
            //   01462c               | add                 dword ptr [esi + 0x2c], eax
            //   8b462c               | mov                 eax, dword ptr [esi + 0x2c]
            //   83c40c               | add                 esp, 0xc
            //   3b4614               | cmp                 eax, dword ptr [esi + 0x14]

        $sequence_2 = { 8945fc 3bc1 7c03 894dfc 8b4610 03462c }
            // n = 6, score = 1000
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   3bc1                 | cmp                 eax, ecx
            //   7c03                 | jl                  5
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   03462c               | add                 eax, dword ptr [esi + 0x2c]

        $sequence_3 = { 56 ff55ec 5f 5e 5b c9 c20400 }
            // n = 7, score = 1000
            //   56                   | push                esi
            //   ff55ec               | call                dword ptr [ebp - 0x14]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20400               | ret                 4

        $sequence_4 = { 7c03 894dfc 8b4610 03462c }
            // n = 4, score = 1000
            //   7c03                 | jl                  5
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   03462c               | add                 eax, dword ptr [esi + 0x2c]

        $sequence_5 = { a1???????? 53 33db 56 57 895de8 }
            // n = 6, score = 1000
            //   a1????????           |                     
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx

        $sequence_6 = { 8b4610 8308ff 8b4610 8308ff }
            // n = 4, score = 1000
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   8308ff               | or                  dword ptr [eax], 0xffffffff
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   8308ff               | or                  dword ptr [eax], 0xffffffff

        $sequence_7 = { 7605 41 3bc8 7cf4 }
            // n = 4, score = 1000
            //   7605                 | jbe                 7
            //   41                   | inc                 ecx
            //   3bc8                 | cmp                 ecx, eax
            //   7cf4                 | jl                  0xfffffff6

        $sequence_8 = { 50 894dec e8???????? 59 57 ff75f0 }
            // n = 6, score = 1000
            //   50                   | push                eax
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   57                   | push                edi
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_9 = { 59 57 ff75f0 53 }
            // n = 4, score = 1000
            //   59                   | pop                 ecx
            //   57                   | push                edi
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   53                   | push                ebx

    condition:
        7 of them and filesize < 598016
}

[TLP:WHITE] win_plugx_w1 (20170517 | PlugX Identifying Strings)

rule win_plugx_w1 {
    meta:
        description = "PlugX Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-12"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/plugx.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
    strings:
        $BootLDR = "boot.ldr" wide ascii
        $Dwork = "d:\\work" nocase
        $Plug25 = "plug2.5"
        $Plug30 = "Plug3.0"
        $Shell6 = "Shell6"
      
    condition:
        $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))
}

[TLP:WHITE] win_plugx_w2 (20170517 | PlugX RAT)

rule win_plugx_w2 {
	meta:
		author = "Jean-Philippe Teissier / @Jipe_"
		description = "PlugX RAT"
		date = "2014-05-13"
		filetype = "memory"
		version = "1.0" 
		ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/plugx.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
		
	strings:
		$v1a = { 47 55 4C 50 00 00 00 00 }
		$v1b = "/update?id=%8.8x" 
		$v1algoa = { BB 33 33 33 33 2B } 
		$v1algob = { BB 44 44 44 44 2B } 
		$v2a = "Proxy-Auth:" 
		$v2b = { 68 A0 02 00 00 } 
		$v2k = { C1 8F 3A 71 } 
		
	condition: 
		$v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))
}

Download all Yara Rules

PlugX Propose Change

References

Yara Rules

PlugX