The minds behind PlugX have added a new twist to the malware to make it stealthier.
According to Sophos, the malware now hides its malicious payload in the Windows registry instead of writing the file to disk. The change underscores the continued development of the malware, which has been linked to a number of advanced persistent threat (APT) campaigns. In recent months, a PlugX variant has also been spotted with a peer-to-peer communication channel.
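One practical consequence for defenders is that a payload stored as a registry value never shows up in a file-system scan, so registry data itself has to be inspected. The script below is an added example (not code from Sophos or from the report) that scans a regedit `.reg` export for values that look like stored binaries: hex data beginning with the `MZ` PE header, strings that base64-decode to one, and binary values above a size threshold. The `.reg` text is a constructed sample; the key names, value names and the 4 KB default threshold are assumptions for the illustration, not anything reported about PlugX.

```python
"""Scan a Windows .reg export for registry values that look like embedded
binaries. Added example; constructed sample data, not from the Sophos report."""
import base64
import binascii
import re
from typing import List, Tuple, Union

# Constructed sample export: two benign values, one hex blob that starts with
# the "MZ" PE header, and one base64 string that decodes to an "MZ" header.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example\Config]
"Theme"="dark"
"Flags"=hex:01,00,00,00

[HKEY_CURRENT_USER\Software\Example\Cache]
"Blob"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,\
  b8,00,00,00,00,00,00,00,40,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"Stage"="TVqQAAMAAAAEAAAA"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_RE = re.compile(r'^hex(?:\([0-9a-fA-F]+\))?:(.*)$')


def _join_continuations(text: str) -> List[str]:
    """Merge lines ending in a backslash (regedit's hex line continuation)."""
    lines, buf = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ''
    if buf:
        lines.append(buf)
    return lines


def parse_reg(text: str) -> List[Tuple[str, str, Union[bytes, str]]]:
    """Return (key, value_name, data): bytes for hex values, str for REG_SZ.
    Other value types (dword, etc.) are ignored."""
    out, key = [], None
    for line in _join_continuations(text):
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else '(Default)'
        rhs = m.group(2)
        h = _HEX_RE.match(rhs)
        if h:
            digits = h.group(1).replace(',', '').replace(' ', '')
            try:
                out.append((key, name, bytes.fromhex(digits)))
            except ValueError:
                continue  # malformed hex; skip rather than abort the scan
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            out.append((key, name, rhs[1:-1]))
    return out


def _looks_like_pe(data: bytes) -> bool:
    """Cheap first-pass check: a DOS/PE image starts with the 'MZ' magic."""
    return len(data) >= 2 and data[:2] == b'MZ'


def find_suspicious_values(text: str, min_size: int = 4096) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for every value worth a closer look."""
    findings = []
    for key, name, data in parse_reg(text):
        if isinstance(data, bytes):
            if _looks_like_pe(data):
                findings.append((key, name, 'PE header (MZ) in binary value'))
            if len(data) >= min_size:
                findings.append((key, name, f'binary value of {len(data)} bytes'))
        else:
            # Long printable strings may be a base64-wrapped binary.
            compact = data.strip()
            if len(compact) >= 16 and len(compact) % 4 == 0:
                try:
                    decoded = base64.b64decode(compact, validate=True)
                except (binascii.Error, ValueError):
                    continue
                if _looks_like_pe(decoded):
                    findings.append((key, name, 'base64 string decodes to PE header'))
    return findings


if __name__ == '__main__':
    for key, name, reason in find_suspicious_values(SAMPLE_REG, min_size=32):
        print(f'{key}\\{name}: {reason}')
```

In practice the export would come from `reg export` of hives such as HKCU\Software and HKLM\Software, and a hit is a lead rather than a verdict: legitimate software does store binary settings in the registry, so each flagged value should be carved out and examined (or hashed and checked) before any response.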
“Malware hiding components in registry is not a revolutionary idea; we have seen that before,” Sophos researcher Gabor Szappanos noted in a new paper on the malware. “Most notably the recent Poweliks Trojan…stored the active script component in the registry. Even some of the APT malware families, like Poison or Frethog, occasionally used the registry as storage for the main payload. There were precursors even within the criminal groups distributing PlugX: they used this method back in 2013 in a couple of cases for storing the Omdork (a.k.a. Sybin) payload. So it was only a question of when the same would happen to the main PlugX backdoor.”
The first sample using the tactic was distributed at the end of January. Based on the version dates, the development of these new variants happened earlier that month, he told SecurityWeek.
According to Sophos, the new variants seen by the firm were distributed using two distinguishable classes of exploited carrier documents – though in both cases the CVE-2012-0158 exploit was used.
“For the first type the distribution was part of a longer campaign, targeting India,” according to the report. “This campaign spanned several months, from September 2014 to February 2015. During this time span different variants of the PlugX backdoor were observed as the final payload. Apparently, this was an ongoing operation, where the actors behind it used the latest available versions, as they came out of the factory. Additionally, a few affiliated malware families were distributed to the targets. The samples of the second type showed up the first week of February. At this point we don’t have conclusive information about the scope and target of the campaign that used these samples.”
In its recent Global Threats Report, Crowdstrike noted that the use of the PlugX tool continued to gain steam in 2014 with multiple attack groups using it against a variety of sectors – particularly the science, technology, government and defense industries. In November, researchers at ESET said a threat group was using the malware to target military officials and diplomats in Russia, Afghanistan and other countries, and in January the malware was spotted being used in attacks against online gamers in Asia.
The full Sophos report can be read here.