The notorious remote access Trojan (RAT) known as PlugX (Korplug) has been used by a threat group to target users in Afghanistan, Russia, Tajikistan, Kazakhstan and Kyrgyzstan.
PlugX has been observed in numerous targeted attacks since 2012, particularly in campaigns launched by Chinese advanced persistent threat (APT) actors.
While monitoring PlugX infections, researchers at ESET noticed that some of the samples connected to the same command and control (C&C) domains. By analyzing the C&C domains, experts managed to identify the targets and determined that the attackers’ goal is to harvest intelligence information on Russian, Afghan and Tajik military and diplomats. The campaign has been active since at least June 2014.
According to the security company, the threat is distributed via spear phishing emails that carry maliciously crafted RTF documents and self-extracting RAR archives that have a .scr extension.
The documents are designed to exploit Microsoft Word vulnerabilities in an effort to install the malware on targeted systems. Experts have spotted two exploits: one for an older Word flaw (CVE-2012-0158), and one for a vulnerability patched by Microsoft in April (CVE-2014-1761).
CVE-2014-1761 has been exploited in the wild since at least March 2014 in numerous high-profile campaigns, including ones leveraging BlackEnergy, MiniDuke and Sednit. However, in the attacks analyzed by ESET, the exploit doesn’t work correctly.
A clever technique used by the attackers involves a legitimate executable from Kaspersky that loads the malware into memory.
“The Korplug RAT is known to use this side-loading trick by abusing legitimate digitally signed executables and is a way to stay under the radar, since a trusted application with a valid signature among startup items is less likely to raise suspicion,” ESET’s Robert Lipovsky wrote in a blog post.
An interesting aspect of the campaign is that PlugX is not the only piece of malware identified on infected machines. Researchers have identified other RATs, keyloggers and file stealers as well. One of them is DarkStRAT, a piece of malware that’s capable of executing shell commands, managing processes and services, and transferring files between the C&C and the infected host.
Experts have also spotted a file stealer that harvests files from fixed and removable drives, and network shares. The threat is also capable of collecting passwords, account and proxy information, and history of visited URLs from applications such as Internet Explorer, Firefox, and Outlook. Samples from both pieces of malware contain a digital signature associated with a company called “Nanning weiwu Technology co.,ltd.”
“Since the functionality of these tools was partly overlapping with that of Korplug, it left us wondering whether the attackers were just experimenting with different RATs or were they supplementing some functionality that they were unable to accomplish,” Lipovsky said.
In August, FireEye revealed the details of a campaign called “Poisoned Hurricane,” which targeted organizations in the United States and Asia. In this operation, the attackers configured PlugX to connect to domains such as adobe.com and outlook.com. Researchers discovered that the malware resolved DNS lookups through the nameservers of a company that allowed anyone to create a free account with its hosted DNS service.
