
PlugX Malware Adopts New Tactic in India Attack Campaign

The minds behind PlugX have added a new twist to the malware to make it stealthier.

According to Sophos, the malware now hides its malicious payload in the Windows registry instead of writing it to disk as a file. The change underscores the continued development of the malware, which has been linked to a number of advanced persistent threat (APT) campaigns. In recent months, a PlugX variant with a peer-to-peer communication channel has also been spotted.
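A practical consequence of payload-in-registry storage is that file-based scanning misses it, so the hunt has to enumerate registry values directly. The following PowerShell script is an added example written for this page; it is not code from the Sophos paper and does not assume any particular PlugX key or value name, since the article gives none. It walks the listed hives and flags values that are oversized, start with an MZ header, or have high byte entropy (the usual signs of a stored executable or an encoded blob). The root keys, the 16 KB size floor and the 6.5-bit entropy cutoff are illustrative assumptions, not thresholds from the report.

```powershell
# Added example (not from the Sophos paper): hunt for registry values that look
# like stored binaries. Roots, size floor and entropy cutoff are assumptions.
param(
    [string[]]$Roots = @('HKCU:\Software', 'HKLM:\Software'),
    [int]$MinBytes = 16KB,
    [double]$MinEntropy = 6.5
)

# Shannon entropy in bits per byte: ~7.9+ for compressed/encrypted data,
# ~4.5-6.5 for plain PE code, low for text and padding.
function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $len = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $len
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

# Normalise the common value kinds to a byte array; DWORD/QWORD are too small
# to carry a payload and are skipped by returning $null.
function Convert-ValueToBytes {
    param($Value)
    if ($null -eq $Value) { return $null }
    switch ($Value.GetType().Name) {
        'Byte[]'   { return $Value }                                       # REG_BINARY
        'String'   { return [Text.Encoding]::Unicode.GetBytes($Value) }    # REG_SZ / REG_EXPAND_SZ
        'String[]' { return [Text.Encoding]::Unicode.GetBytes($Value -join "`0") }  # REG_MULTI_SZ
        default    { return $null }
    }
}

function Find-SuspiciousRegistryBlobs {
    param([string[]]$Paths, [int]$SizeLimit, [double]$EntropyLimit)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $raw   = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $bytes = Convert-ValueToBytes $raw
                if ($null -eq $bytes -or $bytes.Length -lt $SizeLimit) { continue }
                $entropy = Get-ShannonEntropy $bytes
                # A plain PE starts with 'MZ'; an XOR-encoded or compressed payload
                # will not, which is why the entropy check runs alongside it.
                $hasMZ = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
                if ($hasMZ -or $entropy -ge $EntropyLimit) {
                    [pscustomobject]@{
                        Key     = $key.Name
                        Value   = $name
                        Kind    = $key.GetValueKind($name)
                        Bytes   = $bytes.Length
                        Entropy = [Math]::Round($entropy, 2)
                        MZ      = $hasMZ
                    }
                }
            }
        }
    }
}

Find-SuspiciousRegistryBlobs -Paths $Roots -SizeLimit $MinBytes -EntropyLimit $MinEntropy |
    Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM is fully readable; a full recursive walk of HKLM\Software on a busy host takes minutes, so narrow `-Roots` (for example to the Run keys and per-user Software subtrees) when triaging many machines. Expect benign hits from installers and some drivers that legitimately keep large binary settings; the point of the output is to surface candidates for manual review, not to classify them.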

“Malware hiding components in registry is not a revolutionary idea; we have seen that before,” Sophos researcher Gabor Szappanos noted in a new paper on the malware. “Most notably the recent Poweliks Trojan…stored the active script component in the registry. Even some of the APT malware families, like Poison or Frethog, occasionally used the registry as storage for the main payload. There were precursors even within the criminal groups distributing PlugX: they used this method back in 2013 in a couple of cases for storing the Omdork (a.k.a. Sybin) payload. So it was only a question of when the same would happen to the main PlugX backdoor.”

The first sample using the tactic was distributed at the end of January. Based on the version dates, the development of these new variants happened earlier that month, he told SecurityWeek.

According to Sophos, the new variants seen by the firm were distributed using two distinguishable classes of exploited carrier documents – though in both cases the CVE-2012-0158 exploit was used.

“For the first type the distribution was part of a longer campaign, targeting India,” according to the report. “This campaign spanned several months, from September 2014 to February 2015. During this time span different variants of the PlugX backdoor were observed as the final payload. Apparently, this was an ongoing operation, where the actors behind it used the latest available versions, as they came out of the factory. Additionally, a few affiliated malware families were distributed to the targets. The samples of the second type showed up the first week of February. At this point we don’t have conclusive information about the scope and target of the campaign that used these samples.”

In its recent Global Threats Report, CrowdStrike noted that the use of the PlugX tool continued to gain steam in 2014, with multiple attack groups using it against a variety of sectors, particularly the science, technology, government and defense industries. In November, researchers at ESET said a threat group was using the malware to target military officials and diplomats in Russia, Afghanistan and other countries, and in January the malware was spotted being used in attacks against online gamers in Asia.

The full Sophos report can be read here. 
