A new Remote Access Tool (RAT) called PlugX, also known as Korplug, has been discovered. PlugX has been detected in targeted attacks not only against military, government and political organizations, but also against more or less ordinary companies. The attack starts with a phishing email carrying a malicious attachment, usually an archived, bundled or specially crafted document that exploits a vulnerability. PlugX itself is delivered as three components:
- A legitimate file
- A malicious DLL that is loaded by the legitimate file
- A binary file that contains the malicious code, which is loaded by the DLL.
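The three-file structure above (a legitimate executable that loads a malicious DLL from its own directory, which in turn loads the payload blob) is a DLL side-loading chain: Windows searches the application's directory before System32, so a DLL planted next to a legitimate EXE with the right name gets loaded by it. The script below is an added example, not code from this page or from any of the researchers quoted on it. It checks for the precondition of that chain by parsing a PE file's import table in pure Python and flagging any imported DLL that also sits beside the executable. The `legit.exe`, `update.dll` and `payload.dat` names and the minimal PE32 image produced by `build_minimal_pe` are constructed for the demonstration and are not PlugX indicators.

```python
import os
import struct


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def imported_dlls(data):
    """Return the DLL names in a PE file's import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories follow the standard + Windows-specific optional header
    # fields: 96 bytes for PE32 (0x10B), 112 bytes for PE32+ (0x20B).
    dd_off = opt + (96 if magic == 0x10B else 112)
    imp_rva, _imp_size = struct.unpack_from("<II", data, dd_off + 8)  # entry 1 = imports
    sections = []
    for i in range(nsect):
        s = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dlls = []
    if imp_rva == 0:
        return dlls
    off = _rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # an all-zero descriptor terminates the table
        name_off = _rva_to_offset(name_rva, sections)
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
        off += 20
    return dlls


def sideload_candidates(exe_bytes, neighbours):
    """Imported DLLs that also exist in the EXE's own directory (case-insensitive).

    The application directory is searched before System32, so a DLL planted
    beside the EXE under one of these names is what the EXE will load.
    """
    present = {n.lower() for n in neighbours}
    return [d for d in imported_dlls(exe_bytes) if d.lower() in present]


def scan_directory(path):
    """Map each .exe in `path` to the sideloadable DLLs sitting next to it."""
    names = os.listdir(path)
    hits = {}
    for n in names:
        if n.lower().endswith(".exe"):
            with open(os.path.join(path, n), "rb") as f:
                found = sideload_candidates(f.read(), names)
            if found:
                hits[n] = found
    return hits


def build_minimal_pe(dll_names):
    """Constructed test input: a minimal PE32 image with a single .idata section.

    Only the headers and the import directory are populated; it is not runnable.
    """
    IDATA_RVA, IDATA_RAW = 0x1000, 0x200
    cursor = (len(dll_names) + 1) * 20          # name strings follow the descriptors
    name_rvas, names = [], b""
    for n in dll_names:
        name_rvas.append(IDATA_RVA + cursor)
        names += n.encode("ascii") + b"\0"
        cursor += len(n) + 1
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    idata = descs + names
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    dirs[1] = (IDATA_RVA, len(idata))                                        # import directory
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    sect = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(idata), IDATA_RVA, len(idata),
                                       IDATA_RAW, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect).ljust(IDATA_RAW, b"\0") + idata


if __name__ == "__main__":
    # Hypothetical triad: legit.exe imports update.dll, which sits beside it with a payload blob.
    sample = build_minimal_pe(["KERNEL32.dll", "update.dll"])
    print(sideload_candidates(sample, ["legit.exe", "update.dll", "payload.dat"]))  # ['update.dll']
```

A hit only says that the executable can be side-loaded from its directory, not that it has been: many legitimate applications ship their own DLLs next to the EXE, so confirm by comparing the neighbouring DLL's hash or Authenticode signature against the vendor's copy. DLLs on the system's KnownDLLs list are always loaded from System32 regardless of what sits beside the EXE, so a match on one of those is not exploitable.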
Roland Dela Paz (Threat Researcher) at Trend Micro says that the PDF attachment exploits CVE-2010-2883 to drop PlugX; the RAT payload connects to a command and control (C&C) server named {BLOCKED}eo.flower-show.org. XPlugDisk, XPlugKeyLogger, XPlugNethood, XPlugOption, XPlugPortMap, XPlugProcess, XPlugRegedit, XPlugScreen, XPlugService, XPlugShell, XPlugSQL and XPlugTelnet are some of the modules reported to be part of the tool, each of them handling the task its name suggests. The tool has been crafted carefully enough that it generates and writes a debug log file to %All Users Profile%\SxS\bug.log, says Trend Micro's Security Intelligence Blog; that path is worth checking on a suspect host. The log records error codes, which the author later uses to improve PlugX versions.
PlugX is said to allow remote users to invoke and execute malicious and data-theft routines on a given system without the user's permission or authorization, says Trend Micro. The malicious routines carried out by PlugX include:
- Copying, creating, modifying and opening files
- Logging keystrokes and active windows
- Logging off the current user
- Restarting or rebooting the affected system
- Creating, modifying and/or deleting registry values
- Capturing video or screenshots of user activity
- Setting up connections
- Terminating processes
The PlugX project is a work in progress. Although the attackers did not hesitate to use the debug version in earlier targeted campaigns, the debug version is now complete and a major production release is being circulated, says Dmitry.
The Microsoft Malware Protection Center describes PlugX.F as a backdoor trojan. A backdoor trojan provides remote, usually surreptitious, access to affected systems, which can be used to conduct distributed denial of service (DDoS) attacks or to install additional trojans or other forms of malicious software.