From the Labs: PlugX - the next generation

Filed Under: Featured, Malware, Security threats, SophosLabs, Vulnerability

We've covered the PlugX backdoor here on Naked Security several times in the past.

There were a few variations in the distribution and deployment of this backdoor, but the end result was always the same.

At the end of 2013, a new variation of the PlugX backdoor appeared on the scene. Our first encounter with it at SophosLabs was in a distribution campaign which focused on exploiting the popular Japanese word processor Ichitaro.

While looking into this, we saw a single sample that broke the usual scheme. This one didn't use a signed executable for cover, nor did it drop the payload into the infected system as a separate file.

Instead, it decrypted the payload and loaded it directly into memory, without ever writing it to disk.

After finding a handful of other samples that used the same technique, I decided to investigate it further.

In this new paper, I leave the overall operation of the PlugX backdoor behind and take a deeper look at this new generation.

Download the paper



2 Responses to From the Labs: PlugX - the next generation

  1. swank · 58 days ago

    This variant is not new... sideloading and the use of the XV marker etc. is old news.

  2. Gabor Szappanos · 56 days ago

    Like the paper says: these variants started to appear at the end of last year; according to the time stamp, they were developed around the end of last summer.
    We noticed them back then, but did not analyse them deeper until we had more samples to make clear that it is a consistent new development.


About the author

Gabor Szappanos is a Principal Malware Researcher at SophosLabs. He started anti-virus work in 1995, joined VirusBuster in 2001, and became head of VirusBuster's virus lab in 2002. Since 2008 Gabor has been a member of the board of directors of AMTSO (the Anti-Malware Testing Standards Organization).