PLUGX
Microsoft: Plugx; Symantec: Korplug; Sophos: PlugX; Fortinet: PLUGX; Ikarus: Plugx; Eset: Korplug
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.
PlugX allows remote users to perform malicious and data theft routines on a system without the user’s permission or authorization. These malicious routines include:
- Copying, creating, modifying, and opening files
- Logging keystrokes and active windows
- Logging off the current user, restarting/rebooting the affected system
- Creating, modifying and/or deleting registry values
- Capturing video or screenshots of user activity
- Setting connections
- Terminating processes
Apart from compromising system security, PlugX’s routines could lead to further information theft if systems are left unchecked. PlugX also gives attackers complete control over the system.
TECHNICAL DETAILS
Installation
This backdoor drops the following non-malicious files:
- %AppDataLocal%\VirtualStore\Program Files\Common Files\NvSmart.exe
- %AppDataLocal%\VirtualStore\Windows\system32\NvSmart.exe
- %ProgramData%\Gf\NvSmart.exe
- %ProgramData%\SxS\NvSmart.exe
- %ProgramData%\SxS\rc.exe
- %ProgramData%\SxSi\rc.exe
- %System Root%\Users\All Users\Gf\NvSmart.exe
- %System Root%\Users\All Users\SxS\NvSmart.exe
- %System Root%\Users\All Users\SxS\rc.exe
- %System Root%\Users\All Users\SxSi\rc.exe
- %System Root%\Users\All Users\UdpGf\NvSmart.exe
(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)
It creates the following folders:
- %ProgramData%\Gf
- %ProgramData%\SxS
- %ProgramData%\SxSi
- %System Root%\Users\All Users\Gf
- %System Root%\Users\All Users\SxS
- %System Root%\Users\All Users\SxSi
- %System Root%\Users\All Users\UdpGf
(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)
Autostart Technique
This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Description = "Gf"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
DisplayName = "Gf"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ImagePath = ""%ProgramData%\Gf\NvSmart.exe" 200 0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Type = "110"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Description = "SxS"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
DisplayName = "SxS"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ImagePath = ""%ProgramData%\SxS\rc.exe" 200 0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Type = "110"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Description = "UdpGf"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Description = "UdpGf"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
DisplayName = "UdpGf"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ImagePath = ""%ProgramData%\UdpGf\NvSmart.exe" 200 0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Type = "110"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Description = "SxSi"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
DisplayName = "SxSi"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ImagePath = "%ProgramData%\SxSi\rc.exe" 200 0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Type = "110"
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Other System Modifications
This backdoor adds the following registry entries as part of its installation routine:
HKEY_CLASSES_ROOT\FAST
CLSID = "{hex values}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
FAST
CLSID = "{hex values}"
It adds the following registry keys as part of its installation routine:
HKEY_CLASSES_ROOT\FAST
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
FAST
Dropping Routine
This backdoor drops the following files:
- %AppDataLocal%\VirtualStore\Program Files\Common Files\NvSmartMax.dll
- %AppDataLocal%\VirtualStore\Program Files\Common Files\boot.ldr
- %AppDataLocal%\VirtualStore\Windows\system32\NvSmartMax.dll
- %AppDataLocal%\VirtualStore\Windows\system32\boot.ldr
- %ProgramData%\Gf\NvSmartMax.dll
- %ProgramData%\Gf\boot.ldr
- %ProgramData%\SxS\NvSmartMax.dll
- %ProgramData%\SxS\rc.hlp
- %ProgramData%\SxS\rcdll.dll
- %ProgramData%\SxSi\rc.hlp
- %ProgramData%\SxSi\rcdll.dll
- %System Root%\Users\All Users\Gf\NvSmartMax.dll
- %System Root%\Users\All Users\Gf\boot.ldr
- %System Root%\Users\All Users\SxS\NvSmartMax.dll
- %System Root%\Users\All Users\SxS\rc.hlp
- %System Root%\Users\All Users\SxS\rcdll.dll
- %System Root%\Users\All Users\SxSi\rc.hlp
- %System Root%\Users\All Users\SxSi\rcdll.dll
- %System Root%\Users\All Users\UdpGf\NvSmart.usr
- %System Root%\Users\All Users\UdpGf\NvSmartMax.dll
(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)
Other Details
This backdoor connects to the following possibly malicious URL:
- http://{BLOCKED}r.{BLOCKED}ctme.net/update?id=00107f08
- {BLOCKED}y.{BLOCKED}-show.org
- {BLOCKED}bb.{BLOCKED}s.in
- {BLOCKED}l.{BLOCKED}2.us:80
- {BLOCKED}sUpdated.{BLOCKED}n.com
- http://{BLOCKED}.{BLOCKED}.0.1:12345/update?id=00108490
- http://{BLOCKED}.{BLOCKED}.0.1:12345/update?id=00133f60
- http://{BLOCKED}ntral.{BLOCKED}ind.net/update?id=00133f60
- http://{BLOCKED}lasia.{BLOCKED}focus.com:53/update?id=00108150
- http://{BLOCKED}l.{BLOCKED}huu.com/update?id=00133fa0
- http://{BLOCKED}r.{BLOCKED}ctme.net/update?id=00107f08
- http://{BLOCKED}ia.{BLOCKED}focus.com:8080/update?id=00108150
- http://{BLOCKED}ia.{BLOCKED}ind.net:8080/update?id=00133f60
- http://{BLOCKED}n.{BLOCKED}huu.com:53/update?id=00133fa0
- http://{BLOCKED}r.{BLOCKED}5.com:8080/update?id=00108108
- http://{BLOCKED}ul.{BLOCKED}c.net/update?id=00108150
- http://{BLOCKED}k.{BLOCKED}3.com:53/update?id=00108cf0
- http://{BLOCKED}a.{BLOCKED}focus.com:53/update?id=00133f60
NOTES:
It saves the gathered information as the following:
- %ProgramData%\Gf\kl.log
- %ProgramData%\SxS\bug.log
- %ProgramData%\SxS\kl.log
- %ProgramData%\SxS\xxx.xxx
- %ProgramData%\SxSi\kl.log
- %System Root%\Users\All Users\Gf\kl.log
- %System Root%\Users\All Users\SxS\bug.log
- %System Root%\Users\All Users\SxS\kl.log
- %System Root%\Users\All Users\SxS\xxx.xxx
- %System Root%\Users\All Users\SxSi\kl.log