Where to Buy Trend Micro Products

For Home

For Small Business

1-888-762-8736
(M-F 8:00am-5:00pm CST)

For Enterprise

1-877-218-7353
(M-F 8:00am-5:00pm CST)

Not in the United States?
Select the country/language of your choice:

Asia Pacific Region

Europe

The Americas

Not in the United States?
Select the country/language of your choice:

Asia/Pacific

Europe

America

Login

For Home

For Business

For Partners

Threat Encyclopedia

BKDR_PLUGX


ALIASES:

Microsoft: Plugx; Symantec: Korplug; Sophos: PlugX; Fortinet: PLUGX; Ikarus: Plugx; Eset: Korplug

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
INFORMATION EXPOSURE:

  • Threat Type:Backdoor

  • Destructiveness:No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel:

Downloaded from the Internet, Spammed via email


PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.

PlugX allows remote users to perform malicious and data theft routines on a system without the user’s permission or authorization. These malicious routines include:

  • Copying, creating, modifying, and opening files
  • Logging keystrokes and active windows
  • Logging off the current user, restarting/rebooting the affected system
  • Creating, modifying and/or deleting registry values
  • Capturing video or screenshots of user activity
  • Setting connections
  • Terminating processes

Apart from compromising system security, PlugX’s routines could lead to further information theft if systems are left unchecked. PlugX also gives attackers complete control over the system.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Steals information, Logs keystrokes

Installation

This backdoor drops the following non-malicious files:

  • %AppDataLocal%\VirtualStore\Program Files\Common Files\NvSmart.exe
  • %AppDataLocal%\VirtualStore\Windows\system32\NvSmart.exe
  • %ProgramData%\Gf\NvSmart.exe
  • %ProgramData%\SxS\NvSmart.exe
  • %ProgramData%\SxS\rc.exe
  • %ProgramData%\SxSi\rc.exe
  • %System Root%\Users\All Users\Gf\NvSmart.exe
  • %System Root%\Users\All Users\SxS\NvSmart.exe
  • %System Root%\Users\All Users\SxS\rc.exe
  • %System Root%\Users\All Users\SxSi\rc.exe
  • %System Root%\Users\All Users\UdpGf\NvSmart.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %ProgramData%\Gf
  • %ProgramData%\SxS
  • %ProgramData%\SxSi
  • %System Root%\Users\All Users\Gf
  • %System Root%\Users\All Users\SxS
  • %System Root%\Users\All Users\SxSi
  • %System Root%\Users\All Users\UdpGf

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Description = "Gf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
DisplayName = "Gf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ImagePath = ""%ProgramData%\Gf\NvSmart.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Description = "SxS"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
DisplayName = "SxS"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ImagePath = ""%ProgramData%\SxS\rc.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Description = "UdpGf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Description = "UdpGf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
DisplayName = "UdpGf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ImagePath = ""%ProgramData%\UdpGf\NvSmart.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Description = "SxSi"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
DisplayName = "SxSi"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ImagePath = "%ProgramData%\SxSi\rc.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Type = "110"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\FAST
CLSID = "{hex values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
FAST
CLSID = "{hex values}"

It adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\FAST

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
FAST

Dropping Routine

This backdoor drops the following files:

  • %AppDataLocal%\VirtualStore\Program Files\Common Files\NvSmartMax.dll
  • %AppDataLocal%\VirtualStore\Program Files\Common Files\boot.ldr
  • %AppDataLocal%\VirtualStore\Windows\system32\NvSmartMax.dll
  • %AppDataLocal%\VirtualStore\Windows\system32\boot.ldr
  • %ProgramData%\Gf\NvSmartMax.dll
  • %ProgramData%\Gf\boot.ldr
  • %ProgramData%\SxS\NvSmartMax.dll
  • %ProgramData%\SxS\rc.hlp
  • %ProgramData%\SxS\rcdll.dll
  • %ProgramData%\SxSi\rc.hlp
  • %ProgramData%\SxSi\rcdll.dll
  • %System Root%\Users\All Users\Gf\NvSmartMax.dll
  • %System Root%\Users\All Users\Gf\boot.ldr
  • %System Root%\Users\All Users\SxS\NvSmartMax.dll
  • %System Root%\Users\All Users\SxS\rc.hlp
  • %System Root%\Users\All Users\SxS\rcdll.dll
  • %System Root%\Users\All Users\SxSi\rc.hlp
  • %System Root%\Users\All Users\SxSi\rcdll.dll
  • %System Root%\Users\All Users\UdpGf\NvSmart.usr
  • %System Root%\Users\All Users\UdpGf\NvSmartMax.dll

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://{BLOCKED}r.{BLOCKED}ctme.net/update?id=00107f08
  • {BLOCKED}y.{BLOCKED}-show.org
  • {BLOCKED}bb.{BLOCKED}s.in
  • {BLOCKED}l.{BLOCKED}2.us:80
  • {BLOCKED}sUpdated.{BLOCKED}n.com
  • http://{BLOCKED}.{BLOCKED}.0.1:12345/update?id=00108490
  • http://{BLOCKED}.{BLOCKED}.0.1:12345/update?id=00133f60
  • http://{BLOCKED}ntral.{BLOCKED}ind.net/update?id=00133f60
  • http://{BLOCKED}lasia.{BLOCKED}focus.com:53/update?id=00108150
  • http://{BLOCKED}l.{BLOCKED}huu.com/update?id=00133fa0
  • http://{BLOCKED}r.{BLOCKED}ctme.net/update?id=00107f08
  • http://{BLOCKED}ia.{BLOCKED}focus.com:8080/update?id=00108150
  • http://{BLOCKED}ia.{BLOCKED}ind.net:8080/update?id=00133f60
  • http://{BLOCKED}n.{BLOCKED}huu.com:53/update?id=00133fa0
  • http://{BLOCKED}r.{BLOCKED}5.com:8080/update?id=00108108
  • http://{BLOCKED}ul.{BLOCKED}c.net/update?id=00108150
  • http://{BLOCKED}k.{BLOCKED}3.com:53/update?id=00108cf0
  • http://{BLOCKED}a.{BLOCKED}focus.com:53/update?id=00133f60

Featured Stories

Connect with us on