This is a malware family that keeps evolving as the criminals in charge of it churn out new variants.
Just like legitimate software, malware has major version upgrades and point releases.
In this paper, Szappi looks at the recently-released Version 6.0 of the PlugX malware framework.
You’ll enjoy Szappi’s paper because it’s not so technical as to get bogged down in researcher-only jargon, yet not so high-level as to skip over the details that help you to understand how virus writers think.
Szappi writes clearly and logically, taking apart and explaining the numerous and deliberately-distinct phases in the malware’s infection mechanism.
Splitting the infection into distinct stages means that each step does only a small piece of the overall work, so that no single stage looks suspicious on its own.
The aim is to reduce the chance of being flagged as dangerous by heuristic defences that are tuned to spot more complex, self-contained malicious behaviour.
Szappi even uses some debugging features left behind in the malware to estimate the size of the programming project behind it, using a statistical technique first used in anger during the Second World War.
The Allies used it to convert observations from the field into reliable estimates of how many tanks the Nazis had at their disposal; now it’s turned against the PlugX crew.
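The wartime technique referred to here is the "German tank problem": given a handful of serial numbers sampled from a sequentially numbered population, estimate how large that population is. The post does not reproduce Szappi's figures, so the following is an added illustration, not code or data from the paper. It assumes the leftover debugging counters behave like sequential serial numbers (the assumption the estimator needs) and uses a constructed sample of four observed values, 19, 40, 42 and 60.

```python
from fractions import Fraction
from math import comb


def estimate_population(serials):
    """Minimum-variance unbiased estimate of the highest serial number N,
    given k distinct serials sampled without replacement from 1..N:

        N_hat = m + m/k - 1,   where m is the largest serial observed.

    Returned as an exact Fraction so the result can be checked precisely."""
    sample = sorted(set(serials))
    if not sample or sample[0] < 1:
        raise ValueError("serials must be positive integers")
    k, m = len(sample), sample[-1]
    return Fraction(m) + Fraction(m, k) - 1


def upper_confidence_bound(serials, alpha=Fraction(1, 20)):
    """Largest population size N that the sample does not reject at
    significance alpha (default 5%).

    If the true population is N, the chance that the largest of k draws is
    at most m is C(m, k) / C(N, k).  We keep increasing N while that
    probability is still at least alpha; the last N that survives is the
    one-sided upper bound."""
    sample = sorted(set(serials))
    if not sample or sample[0] < 1:
        raise ValueError("serials must be positive integers")
    k, m = len(sample), sample[-1]
    n = m  # the population can never be smaller than the largest serial seen
    while Fraction(comb(m, k), comb(n + 1, k)) >= alpha:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed sample (not from the paper): four debug counters observed
    # across captured PlugX samples, assumed to be drawn from 1..N.
    observed = [19, 40, 42, 60]
    print("point estimate of N:", estimate_population(observed))      # 74
    print("95% upper bound on N:", upper_confidence_bound(observed))  # 125
```

The point estimate is only as good as the sequential-numbering assumption: if the malware authors reset, skip or randomise the counter, the sample is no longer a uniform draw from 1..N and both numbers become meaningless, which is why the upper bound is worth reporting alongside the estimate.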
And Szappi describes how, and why, the malware carries around with it a pirated copy of a legitimate, digitally-signed application (this one is from Chinese social media outfit Tencent) to help it do its dirty work.
A fascinating paper, well worth reading: clearly written, interesting, and informative.