The PlugX malware factory revisited: introducing "Smoaler"

Filed Under: Botnet, Featured, Malware, Security threats, Vulnerability

Popular SophosLabs writer Gabor Szappanos is back with more insights into the Tibetan-themed Advanced Persistent Threat (APT) scene.

Last time, he looked at Version 6 of PlugX, a malware family that keeps evolving as the criminals in charge of it churn out new variants.

This time, he looks at Smoaler, the name given to a new cousin of the PlugX family that starts off much the same as what we've seen before, then branches off in new ways.

Most importantly, Szappi reminds us all why prevention is better than cure.

You can't predict what a Smoaler infection might do in advance, because the final payload is downloaded only at the last minute.

Worse still, it never exists as a fully-formed program, but lives only in memory.

This leaves you with a Catch-22: if you're infected, you'll want to kill the malicious process as soon as possible, but if you kill that process, you may lose an active malware sample that no-one has seen before.

Once again, a well-written paper from Szappi: clear, technically sound without being incomprehensible, interesting, and informative.


Download now


One Response to The PlugX malware factory revisited: introducing "Smoaler"

  1. Guest · 813 days ago

    Good read, thank you.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog