Pulling the Plug on PlugX

Written by: Ryan Angelo Certeza

PlugX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized in the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.

Here, we aim to enlighten readers on PlugX capabilities and the implications of its malicious routines.

What is PlugX?

PlugX is a new breed of remote access tool (RAT) found to have been involved in targeted attacks aimed at government institutions. PlugX was first seen in June 2012.

PlugX is similar to other RATs that have been used in targeted attacks like DarkComet and Lurid.

Similar to Poison Ivy, PlugX allows remote users to perform malicious and data theft routines on a system without the user’s permission or authorization. These malicious routines include:
  • Copying, creating, modifying, and opening files
  • Logging keystrokes and active windows
  • Logging off the current user, restarting/rebooting the affected system
  • Creating, modifying and/or deleting registry values
  • Capturing video or screenshots of user activity
  • Setting connections
  • Terminating processes
Apart from compromising system security, PlugX’s routines could lead to further information theft if systems are left unchecked. PlugX also gives attackers complete control over the system.

What is a remote access tool?

A remote access tool allows users to remotely access systems. It enables users to enact changes to a system and its files despite not having physical access to it. There are legitimate versions of this that offer services that range from desktop sharing, remote administration, to even out-of-office production.

Cybercriminals use RATs with malicious code mainly as payloads for their malware in order to steal sensitive user information and take control of a target’s system. RATs are coded so that its info-theft routines are hidden from users.

How do users encounter this threat?

Similar to the Poison Ivy RAT, PlugX arrives onto users’ systems as malicious attachments to spearphishing emails. The emails were made to target specific businesses and organizations, with tailored content to match.

The attachment may come in the form of an archived, bundled file, or a specially-crafted document. The attachment invariably exploits a vulnerability in either Adobe Acrobat Reader or Microsoft Office. Earlier variants of PlugX have been spotted to follow the same structure.

How is PlugX related to Poison Ivy?

Through our monitoring, we discovered a campaign targeting specific organizations in Japan that used PlugX as their main payload. Further analysis revealed the targets in this attack share similarities with a previously-discovered campaign that uses Poison Ivy. This campaign has been around since February 2008.

Besides their choice of targets, Poison Ivy and PlugX also share similar characteristics. Both arrive as malicious attachments in spearphishing emails, and some of their backdoor capabilities match in terms of purpose – information theft.

What are the common characteristics of PlugX variants?

PlugX and its variants employ the same method in infiltrating users’ systems, namely through malicious attachments sent with spearphishing emails. PlugX variants have three main components:
  • A legitimate file
  • A malicious .DLL loaded by the legitimate file
  • A binary file that contains the malicious codes to be loaded by the DLL.

What is a PlugX infection routine like?

The PlugX infection routine goes as follows:

  • The user receives the spearphishing email in his inbox, containing the malicious attachment. The attachment may exploit certain vulnerabilities such as RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333). The malicious document is detected as TROJ_ARTIEF.LWO. (Note that this is not the only vulnerability the document may exploit, as earlier variants have been found exploiting others related to other software.)
  • Once opened, the specially-drafted document exploits the vulnerability to drop and execute the PlugX variant BKDR_PLUGX.SME.
  • BKDR_PLUGX.SME then drops the three component files of PlugX – a legitimate NVIDIA file, the .DLL file (BKDR_PLUGX.BUT), and the binary file (TROJ_PLUGX.SME).
  • The legitimate NVIDIA file loads the .DLL file, which in turn loads TROJ_PLUGX.SME.

What are the other features of PlugX?

PlugX has certain characteristics that distinguish it from Poison Ivy. PlugX is designed and fitted with several backdoor modules, with each module organized to perform tasks unique from the other modules.

Some examples of the modules uncovered from PlugX’s analysis:
  • XPlugDisk – allows the malware to copy, move, rename, execute and even delete files.
  • XPlugKeyLogger – allows the malware to log keystrokes made on current active windows.
  • XPlugRegedit – allows the malware to enumerate, create, delete and modify registry entries and values.
  • XPlugProcess – enumerates processes, gets process information, terminates processes
  • XPlugNethood – allows the malware to enumerate network resources and set TCP connection states.
  • XPlugService – allows the malware to delete, enumerate, modify and start services.
  • XPlugShell – allows the malware to perform remote shell on the affected system.
These modules should be considered the most dangerous, as they allow the attacker to gain complete control of the infected systems.

Another feature that makes PlugX interesting is that it seems to be in its beta stage, as proven by a debug log file that it drops. The log files indicate certain incidents regarding the malware’s performance, specifically certain errors or obstacles that it comes across in trying to execute its programmed routines. The log file’s contents would help in the creation of much more effective variants of PlugX.

How does PlugX affect users?

Users have a variety of ways in which to protect themselves from PlugX and its variants.

Refrain from opening suspicious mails. Never open mails that seem to come from unfamiliar senders, especially those that come with attachments or URLs. Some email-based threats only require the user to open or read the mail itself to infect.

Keep systems up-to-date. Attackers typically exploit vulnerabilities in order to infiltrate systems. It stands to reason, then, that users must always keep their systems updated with the latest security patches or versions released by the vendors of the software they regularly use.

Disseminate information about such threats to employees and sub-organizations. Being informed about threats like PlugX goes a long way into helping defend against attacks. If an organization’s employees know what to look out for, then they should be able to avoid it. This is no less true here, as PlugX’s main point of entry is through phishing emails.

Invest in an organization-wide security solution. Security solutions that automatically update and can block threats before they can reach business-critical and production systems can help organizations avoid the hassle and damage that PlugX and Poison Ivy can wreak.

Does Trend Micro protect users from this threat?

Yes. Trend Micro protects users from this threat via the Smart Protection Network™. In particular, file reputation service detects and deletes PlugX variants. Web reputation and email reputation services blocks access to the servers that PlugX connects to in order to listen for commands, as well as any other related addresses and URLs. Trend Micro Deep Security users are also protected from this threat via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.

Expert Insights

Defensive strategies can be dramatically improved by understanding how targeted malware attacks work as well as trends in the tools, tactics, and procedures of the threat actors behind such attacks. By effectively using threat intelligence derived from external and internal sources, combined with security tools that empower human analysts, organizations are better positioned to detect and mitigate targeted attacks. Nart Villeneuve, senior threat researcher