The PlugX malware factory revisited: introducing “Smoaler”

Popular SophosLabs writer Gabor Szappanos is back with more insights into the Tibetan-themed Advanced Persistent Threat (APT) scene.

Last time, he looked at Version 6 of PlugX, a malware family that keeps evolving as the criminals in charge of it churn out new variants.

This time, he looks at Smoaler, the name given to a new cousin of the PlugX family. It starts off much the same as the variants we have seen before, then branches off in new ways.

Most importantly, Szappi reminds us all why prevention is better than cure.

You can’t predict what a Smoaler infection might do in advance, because the final payload is downloaded only at the last minute.

Worse still, the payload never exists on disk as a fully-formed program: it is decoded and run only in memory.

This leaves you with a Catch-22: if you’re infected, you’ll want to kill the malicious process as soon as possible, but once that process is gone, so is the only copy of the payload, and you may have lost an active malware sample that no-one has seen before. If you are able to, capture the process’s memory before terminating it.

Once again, a well-written paper from Szappi: clear, technically sound without being incomprehensible, interesting, and informative.


Download now