We've covered the PlugX backdoor here on Naked Security several times in the past.
- Inside the "PlugX" malware - a fascinating journey into a malware factory
- The PlugX malware factory revisited: introducing "Smoaler"
- New PlugX malware variant takes aim at Japan
There were a few variations in the distribution and deployment of this backdoor, but the end result was always the same.
At the end of 2013, a new variation of the PlugX backdoor appeared on the scene. Our first encounter with it at SophosLabs was in a distribution campaign which focused on exploiting the popular Japanese word processor Ichitaro.
While looking into this, we saw a single sample that broke the usual scheme. This one didn't use a signed executable for cover, nor did it drop the payload into the infected system as a separate file.
Instead, it decrypted the payload and loaded it into memory, without hitting the disk.
After finding a handful of other samples that used the same technique, I decided to investigate it further.
In this new paper, I leave the overall operation of the PlugX backdoor behind and take a deeper look at this new generation.