
PlugX

PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups. (Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390)
ID: S0013
Associated Software: DestroyRAT, Kaba, Korplug, Sogu, Thoper, TVT
Type: MALWARE
Platforms: Windows
Version: 3.0
Created: 31 May 2017
Last Modified: 15 Apr 2022

Associated Software Descriptions

Name: Description

DestroyRAT: (Citation: CIRCL PlugX March 2013)
Kaba: (Citation: FireEye Clandestine Fox Part 2)
Korplug: (Citation: Lastline PlugX Analysis)(Citation: CIRCL PlugX March 2013)
Sogu: (Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: CIRCL PlugX March 2013)
Thoper: (Citation: Novetta-Axiom)
TVT: (Citation: Novetta-Axiom)

Techniques Used

Domain / ID / Name / Use

Enterprise T1071.001 Application Layer Protocol: Web Protocols

PlugX can be configured to use HTTP for command and control. (Citation: Dell TG-3390)(Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1071.004 Application Layer Protocol: DNS

PlugX can be configured to use DNS for command and control. (Citation: Dell TG-3390)

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PlugX adds Run key entries in the Registry to establish persistence. (Citation: Lastline PlugX Analysis)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: CIRCL PlugX March 2013)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

PlugX allows actors to spawn a reverse shell on a victim. (Citation: Dell TG-3390)(Citation: CIRCL PlugX March 2013)

Enterprise T1543.003 Create or Modify System Process: Windows Service

PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services. (Citation: CIRCL PlugX March 2013)(Citation: Lastline PlugX Analysis)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)(Citation: Proofpoint ZeroT Feb 2017)

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

PlugX can use RC4 encryption in C2 communications. (Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1564.001 Hide Artifacts: Hidden Files and Directories

PlugX can modify the attributes of folders to hide them from the compromised user. (Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

PlugX has the ability to use DLL search order hijacking for installation on targeted systems. (Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

PlugX has used DLL side-loading to evade anti-virus. (Citation: FireEye Clandestine Fox Part 2)(Citation: Dell TG-3390)(Citation: Stewart 2014)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Palo Alto PlugX June 2017)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)

Enterprise T1056.001 Input Capture: Keylogging

PlugX has a module for capturing keystrokes per process, including window titles. (Citation: CIRCL PlugX March 2013)

Enterprise T1036.004 Masquerading: Masquerade Task or Service

In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility." (Citation: FireEye APT10 April 2017)

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

PlugX has been disguised as legitimate Adobe and PotPlayer files. (Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild

A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques. (Citation: Palo Alto PlugX June 2017)

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

PlugX checks whether VMware Tools is running in the background by searching for any process named "vmtoolsd". (Citation: Unit42 PlugX June 2017)

Enterprise T1102.001 Web Service: Dead Drop Resolver

PlugX uses Pastebin to store C2 addresses. (Citation: Palo Alto PlugX June 2017)

Groups That Use This Software

ID / Name / References

G0096 APT41: (Citation: FireEye APT41 Aug 2019)
G0022 APT3: (Citation: FireEye Clandestine Fox Part 2)
G0126 Higaisa: (Citation: Malwarebytes Higaisa 2020)
G0027 Threat Group-3390: (Citation: Dell TG-3390) (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Nccgroup Emissary Panda May 2018) (Citation: Trend Micro DRBControl February 2020) (Citation: Profero APT27 December 2020)
G0093 GALLIUM: (Citation: Cybereason Soft Cell June 2019)
G0001 Axiom: (Citation: Cisco Group 72) (Citation: Novetta-Axiom)
G0045 menuPass: (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: DOJ APT10 Dec 2018) (Citation: FireEye APT10 April 2017)
G0062 TA459: (Citation: Proofpoint TA459 April 2017)
G0017 DragonOK: (Citation: New DragonOK)
G0044 Winnti Group: (Citation: Kaspersky Winnti April 2013)
G0129 Mustang Panda: (Citation: Crowdstrike MUSTANG PANDA June 2018) (Citation: Anomali MUSTANG PANDA October 2019) (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: Avira Mustang Panda January 2020) (Citation: Recorded Future REDDELTA July 2020) (Citation: Proofpoint TA416 Europe March 2022)

References

  1. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  2. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  3. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  4. Miller-Osborn, J., Grunzweig, J. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
  5. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  6. Scott, M. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
  7. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  8. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  9. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  10. Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014.
  11. Lancaster, T. and Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.
  12. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  13. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  14. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  15. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  16. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  17. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  18. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  19. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  20. United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  21. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  22. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  23. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  24. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  25. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  26. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  27. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  28. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
  29. Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.
