From the Labs: PlugX – the next generation

X. Image courtesy of Shutterstock

We’ve covered the PlugX backdoor here on Naked Security several times in the past.

There were a few variations in the distribution and deployment of this backdoor, but the end result was always the same.

X. Image courtesy of ShutterstockAt the end of 2013, a new variation of the PlugX backdoor appeared on the scene. Our first encounter with it at SophosLabs was in a distribution campaign which focused on exploiting the popular Japanese word processor Ichitaro.

While looking into this, we saw a single sample that broke the usual scheme. This one didn’t use a signed executable for cover, not did it drop the payload into the infected system as a separate file.

Instead, it decrypted and loaded it into the memory, without hitting the disk.

After finding a handful of other samples that used the same technique, I decided to investigate it further.

In this new paper, I leave the overall operation of the PlugX backdoor behind and take a deeper look at this new generation.

Download the paper


Image of X courtesy of Shutterstock.