BKDR_PLUGX

January 29, 2015
 ALIASES:

Microsoft: Plugx; Symantec: Korplug; Sophos: PlugX; Fortinet: PLUGX; Ikarus: Plugx; Eset: Korplug

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Spammed via email

PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.

PlugX allows remote users to perform malicious and data theft routines on a system without the user’s permission or authorization. These malicious routines include:

  • Copying, creating, modifying, and opening files

  • Logging keystrokes and active windows

  • Logging off the current user, restarting/rebooting the affected system

  • Creating, modifying and/or deleting registry values

  • Capturing video or screenshots of user activity

  • Setting connections

  • Terminating processes

Apart from compromising system security, PlugX’s routines could lead to further information theft if systems are left unchecked. PlugX also gives attackers complete control over the system.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Steals information, Logs keystrokes

Installation

This backdoor drops the following non-malicious files:

  • %AppDataLocal%\VirtualStore\Program Files\Common Files\NvSmart.exe
  • %AppDataLocal%\VirtualStore\Windows\system32\NvSmart.exe
  • %ProgramData%\Gf\NvSmart.exe
  • %ProgramData%\SxS\NvSmart.exe
  • %ProgramData%\SxS\rc.exe
  • %ProgramData%\SxSi\rc.exe
  • %System Root%\Users\All Users\Gf\NvSmart.exe
  • %System Root%\Users\All Users\SxS\NvSmart.exe
  • %System Root%\Users\All Users\SxS\rc.exe
  • %System Root%\Users\All Users\SxSi\rc.exe
  • %System Root%\Users\All Users\UdpGf\NvSmart.exe

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It creates the following folders:

  • %ProgramData%\Gf
  • %ProgramData%\SxS
  • %ProgramData%\SxSi
  • %System Root%\Users\All Users\Gf
  • %System Root%\Users\All Users\SxS
  • %System Root%\Users\All Users\SxSi
  • %System Root%\Users\All Users\UdpGf

(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Description = "Gf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
DisplayName = "Gf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ImagePath = ""%ProgramData%\Gf\NvSmart.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Description = "SxS"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
DisplayName = "SxS"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ImagePath = ""%ProgramData%\SxS\rc.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Description = "UdpGf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Description = "UdpGf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
DisplayName = "UdpGf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ImagePath = ""%ProgramData%\UdpGf\NvSmart.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Description = "SxSi"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
DisplayName = "SxSi"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ImagePath = "%ProgramData%\SxSi\rc.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Type = "110"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\FAST
CLSID = "{hex values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
FAST
CLSID = "{hex values}"

It adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\FAST

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
FAST

Dropping Routine

This backdoor drops the following files:

  • %AppDataLocal%\VirtualStore\Program Files\Common Files\NvSmartMax.dll
  • %AppDataLocal%\VirtualStore\Program Files\Common Files\boot.ldr
  • %AppDataLocal%\VirtualStore\Windows\system32\NvSmartMax.dll
  • %AppDataLocal%\VirtualStore\Windows\system32\boot.ldr
  • %ProgramData%\Gf\NvSmartMax.dll
  • %ProgramData%\Gf\boot.ldr
  • %ProgramData%\SxS\NvSmartMax.dll
  • %ProgramData%\SxS\rc.hlp
  • %ProgramData%\SxS\rcdll.dll
  • %ProgramData%\SxSi\rc.hlp
  • %ProgramData%\SxSi\rcdll.dll
  • %System Root%\Users\All Users\Gf\NvSmartMax.dll
  • %System Root%\Users\All Users\Gf\boot.ldr
  • %System Root%\Users\All Users\SxS\NvSmartMax.dll
  • %System Root%\Users\All Users\SxS\rc.hlp
  • %System Root%\Users\All Users\SxS\rcdll.dll
  • %System Root%\Users\All Users\SxSi\rc.hlp
  • %System Root%\Users\All Users\SxSi\rcdll.dll
  • %System Root%\Users\All Users\UdpGf\NvSmart.usr
  • %System Root%\Users\All Users\UdpGf\NvSmartMax.dll

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://{BLOCKED}r.{BLOCKED}ctme.net/update?id=00107f08
  • {BLOCKED}y.{BLOCKED}-show.org
  • {BLOCKED}bb.{BLOCKED}s.in
  • {BLOCKED}l.{BLOCKED}2.us:80
  • {BLOCKED}sUpdated.{BLOCKED}n.com
  • http://{BLOCKED}.{BLOCKED}.0.1:12345/update?id=00108490
  • http://{BLOCKED}.{BLOCKED}.0.1:12345/update?id=00133f60
  • http://{BLOCKED}ntral.{BLOCKED}ind.net/update?id=00133f60
  • http://{BLOCKED}lasia.{BLOCKED}focus.com:53/update?id=00108150
  • http://{BLOCKED}l.{BLOCKED}huu.com/update?id=00133fa0
  • http://{BLOCKED}r.{BLOCKED}ctme.net/update?id=00107f08
  • http://{BLOCKED}ia.{BLOCKED}focus.com:8080/update?id=00108150
  • http://{BLOCKED}ia.{BLOCKED}ind.net:8080/update?id=00133f60
  • http://{BLOCKED}n.{BLOCKED}huu.com:53/update?id=00133fa0
  • http://{BLOCKED}r.{BLOCKED}5.com:8080/update?id=00108108
  • http://{BLOCKED}ul.{BLOCKED}c.net/update?id=00108150
  • http://{BLOCKED}k.{BLOCKED}3.com:53/update?id=00108cf0
  • http://{BLOCKED}a.{BLOCKED}focus.com:53/update?id=00133f60
  • http://{BLOCKED}r.{BLOCKED}ctme.net/update?id=00107f08

Related Malware