Saturday, December 16, 2023

Unmasking the Enigma: A Historical Dive into the World of PlugX Malware

The report titled "Unmasking the Enigma: A Historical Dive into the World of PlugX Malware" provides an in-depth look at the PlugX malware, its tactics, and impact. Here's a detailed overview based on the available information:

  • Overview of PlugX Malware: PlugX has been a consistent threat in the cybersecurity landscape, known for its covert operations and ability to evade detection. It's been involved in cyber espionage, targeted attacks, and has continually challenged security experts.
  • Splunk Threat Research Team's Analysis: The Splunk Threat Research Team (STRT) conducted a comprehensive analysis of a PlugX variant, exploring its payload, tactics, and overall impact on the digital realm. They delved into the technical aspects of PlugX, including its side-loading technique and the execution of malicious code in compromised hosts.

Technical Aspects of PlugX Malware:

  • Payload Extraction and Decryption: PlugX uses a side-loading technique: running the legitimate 'msbtc.exe' causes it to load 'version.dll', which then decrypts 'msbtc.dat' with RC4. The decrypted data includes headers that drive the further decryption and decompression of the final payload.
  • Second Layer of Decryption: The malware applies XOR operations and simple arithmetic to recover a compressed layer, which it then decompresses with the 'RtlDecompressBuffer()' API. The result is a headless PlugX payload variant, ready for injection into targeted processes.
  • Key Features of PlugX Malware: The analysis highlighted several features of PlugX, such as process masquerading, system information discovery, firewall rule manipulation, service creation and deletion, file dropping, user impersonation, and keylogger and process monitoring capabilities.

Indicators of Compromise (IoCs): The report provided specific IoCs related to this variant of PlugX:

Files and their SHA256 hashes:

  • msbtc.cfg (416 bytes, SHA256: 66f9cc42c27cf689911f6ba3e24ad9cbec6fa3066a50c448d4cbf5d8a66d2eb5)
  • msbtc.dat (697243 bytes, SHA256: f991c13a24df578a9f31741a263dc1405eac660d4e749465991bac68eccdc490)
  • msbtc.exe (310384 bytes, SHA256: fca2fad3466fefebd6df133d48485374ca647dedcc2ef9ba52e7d0ccdbf91000)
  • VERSION.dll (230912 bytes, SHA256: 64c5c9732a97f9b088e63173cb8781cae33d29934fdbe3652393394c4188d15c)
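As a defender-side added example (not code from Splunk's report or from this post), the script below hunts a directory tree for the side-loading layout described above, a 'version.dll' sitting beside an application EXE outside the Windows system directories, and checks every file's SHA256 against the IoCs listed here. The side-load heuristic and the system-directory list are my assumptions, not from the report.

```python
import hashlib
import os
from pathlib import Path

# SHA256 IoCs from the report (msbtc.exe, msbtc.dat, msbtc.cfg, VERSION.dll).
PLUGX_IOC_SHA256 = {
    "fca2fad3466fefebd6df133d48485374ca647dedcc2ef9ba52e7d0ccdbf91000",
    "f991c13a24df578a9f31741a263dc1405eac660d4e749465991bac68eccdc490",
    "66f9cc42c27cf689911f6ba3e24ad9cbec6fa3066a50c448d4cbf5d8a66d2eb5",
    "64c5c9732a97f9b088e63173cb8781cae33d29934fdbe3652393394c4188d15c",
}
# Assumed heuristic: version.dll is a Windows system DLL, so a copy beside an EXE
# outside the system directories matches the side-loading layout in the report.
SIDELOAD_DLL = "version.dll"
SYSTEM_DIRS = ("windows/system32", "windows/syswow64")  # compared case-insensitively


def sha256_file(path: Path) -> str:
    """Stream a file through SHA256 so large payload blobs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def in_system_dir(path: Path) -> bool:
    return any(d in path.as_posix().lower() for d in SYSTEM_DIRS)


def hunt(root: str) -> list[dict]:
    """One finding per file that matches an IoC hash or looks like a side-load candidate."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for name in files:
            path = folder / name
            digest = sha256_file(path)
            reasons = []
            if digest in PLUGX_IOC_SHA256:
                reasons.append("sha256 matches PlugX IoC")
            if name.lower() == SIDELOAD_DLL and has_exe and not in_system_dir(path):
                reasons.append("version.dll beside an EXE outside system dir")
            if reasons:
                findings.append({"path": str(path), "sha256": digest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    import sys
    for hit in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit["path"], hit["sha256"][:16], "; ".join(hit["reasons"]))
```

A hash hit is conclusive for this variant, while the side-load heuristic only raises candidates that still need triage, since some legitimate installers also ship a private version.dll.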

This comprehensive look at the PlugX malware provides valuable insights into its complexity and evasive nature, underscoring the continuous need for advanced cybersecurity measures and vigilant threat monitoring.


REFERENCES

  • https://www.splunk.com/en_us/blog/security/unmasking-the-enigma-a-historical-dive-into-the-world-of-plugx-malware.html
  • https://otx.alienvault.com/pulse/6579b8bee5b83654718d035a

TAGS

plugx, keylogger
