We’ve covered the PlugX backdoor here on Naked Security several times in the past.
- Inside the “PlugX” malware – a fascinating journey into a malware factory
- The PlugX malware factory revisited: introducing “Smoaler”
- New PlugX malware variant takes aim at Japan
There were a few variations in the distribution and deployment of this backdoor, but the end result was always the same.
At the end of 2013, a new variation of the PlugX backdoor appeared on the scene. Our first encounter with it at SophosLabs was in a distribution campaign which focused on exploiting the popular Japanese word processor Ichitaro.
While looking into this, we saw a single sample that broke the usual scheme. This one didn’t use a signed executable for cover, nor did it drop the payload into the infected system as a separate file.
Instead, it decrypted and loaded it into memory, without hitting the disk.
After finding a handful of other samples that used the same technique, I decided to investigate it further.
In this new paper, I leave the overall operation of the PlugX backdoor behind and take a deeper look at this new generation.
Download the paper
This variant is not new… sideloading and the use of the XV marker etc. is old news.
Like the paper says: these variants started to appear at the end of last year, according to the time stamp, they were developed around the end of last summer.
We noticed them back then, but did not analyse deeper until we had more samples to make clear that it is a consistent new development.