Table Of Contents
RAT called PlugX (Korplug) has been used to target users in Afghanistan, Russia, Tajikistan, Kazakhstan and Kyrgyzstan.
The remote access trojan (RAT) called Plug X has been going the rounds attacking multiple systems across a large time frame. It was used most recently to target users in Afghanistan, Russia, Tajikistan, Kazakhstan and Kyrgyzstan. it has also surfaced in attacks from the Chinese Advanced Persistent Threat Actors (APT). An interesting aspect of the campaign is that PlugX is not the only piece of malware identified on infected machines. Researchers have identified other RATs, keyloggers and file stealers as well.
While monitoring PlugX infections, researchers at ESET noticed that some of the samples connected to the same command and control (C&C) domains. By analyzing the C&C domains, experts managed to identify the targets and determined that the attackers’ goal is to harvest intelligence information on Russian, Afghan and Tajik military and diplomats. The campaign has been active since at least June 2014.
The trojan, is being delivered by email spear phishing. These emails contained an infected rich text document and a RAR file which will extract itself automatically and contain a .src extension. The aim of this malware is to utilize vulnerabilities in Microsoft Word to install itself onto the target system. Experts have spotted two exploits: one for an older Word flaw (CVE-2012-0158), and one for a vulnerability patched by Microsoft in April (CVE-2014-1761). CVE-2014-1761 has been exploited in the wild since at least March 2014 in numerous high-profile campaigns, including ones leveraging BlackEnergy, MiniDuke and Sednit. However, in the attacks analyzed by ESET, the exploit doesn’t work correctly.
A clever trick has been implemented by Korplug RAT. It gets itself latched into a legitimate file by Kaspersky labs.”The Korplug RAT is known to use this side-loading trick by abusing legitimate digitally signed executables and is a way to stay under the radar, since a trusted application with a valid signature among startup items is less likely to raise suspicion,” ESET’s Robert Lipovsky wrote in a blog post.
DarkStRAT is another RAt that is being seen to be used specifically to move files to and fro targeted machines and the command. Experts have also spotted a file stealer that harvests files from fixed and removable drives, and network shares. The threat is also capable of collecting passwords, account and proxy information, and history of visited URLs from applications such as Internet Explorer, Firefox, and Outlook. Samples from both pieces of malware contain a digital signature associated with a company called “Nanning weiwu Technology co.,ltd.”
“Since the functionality of these tools was partly overlapping with that of Korplug, it left us wondering whether the attackers were just experimenting with different RATs or were they supplementing some functionality that they were unable to accomplish,” Lipovsky said.
In August, FireEye revealed the details of a campaign called “Poisoned Hurricane,” which targeted organizations in the United States and Asia. In this operation, the attackers configured PlugX to connect to domains such as adobe.com and outlook.com. Researchers discovered that the malware resolved DNS lookups through the nameservers of a company that allowed anyone to create a free account with its hosted DNS service.