PlugX
Associated Software Descriptions

Name | Description |
---|---|
DestroyRAT | (Citation: CIRCL PlugX March 2013) |
Kaba | (Citation: FireEye Clandestine Fox Part 2) |
Korplug | (Citation: Lastline PlugX Analysis)(Citation: CIRCL PlugX March 2013) |
Sogu | (Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: CIRCL PlugX March 2013) |
Thoper | (Citation: Novetta-Axiom) |
TVT | (Citation: Novetta-Axiom) |
Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | PlugX can be configured to use HTTP for command and control.(Citation: Dell TG-3390)(Citation: Proofpoint TA416 Europe March 2022) |
Enterprise | T1071.004 | Application Layer Protocol: DNS | PlugX can be configured to use DNS for command and control.(Citation: Dell TG-3390) |
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PlugX adds Run key entries in the Registry to establish persistence.(Citation: Lastline PlugX Analysis)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: CIRCL PlugX March 2013) |
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | PlugX allows actors to spawn a reverse shell on a victim.(Citation: Dell TG-3390)(Citation: CIRCL PlugX March 2013) |
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services.(Citation: CIRCL PlugX March 2013)(Citation: Lastline PlugX Analysis)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)(Citation: Proofpoint ZeroT Feb 2017) |
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | PlugX can use RC4 encryption in C2 communications.(Citation: Proofpoint TA416 Europe March 2022) |
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | PlugX can modify the characteristics of folders to hide them from the compromised user.(Citation: Proofpoint TA416 Europe March 2022) |
Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | PlugX has the ability to use DLL search order hijacking for installation on targeted systems.(Citation: Proofpoint TA416 Europe March 2022) |
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | PlugX has used DLL side-loading to evade anti-virus.(Citation: FireEye Clandestine Fox Part 2)(Citation: Dell TG-3390)(Citation: Stewart 2014)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Palo Alto PlugX June 2017)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020) |
Enterprise | T1056.001 | Input Capture: Keylogging | PlugX has a module for capturing keystrokes per process, including window titles.(Citation: CIRCL PlugX March 2013) |
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility."(Citation: FireEye APT10 April 2017) |
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | PlugX has been disguised as legitimate Adobe and PotPlayer files.(Citation: Proofpoint TA416 Europe March 2022) |
Enterprise | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.(Citation: Palo Alto PlugX June 2017) |
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | PlugX checks if VMware Tools is running in the background by searching for any process named "vmtoolsd".(Citation: Unit42 PlugX June 2017) |
Enterprise | T1102.001 | Web Service: Dead Drop Resolver | PlugX uses Pastebin to store C2 addresses.(Citation: Palo Alto PlugX June 2017) |
Groups That Use This Software

ID | Name | References |
---|---|---|
G1034 | Daggerfly | (Citation: Symantec Daggerfly 2023) |
G0096 | APT41 | (Citation: FireEye APT41 Aug 2019) (Citation: apt41_mandiant) |
G0022 | APT3 | (Citation: FireEye Clandestine Fox Part 2) |
G0126 | Higaisa | (Citation: Malwarebytes Higaisa 2020) |
G0027 | Threat Group-3390 | (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Dell TG-3390) (Citation: Profero APT27 December 2020) (Citation: Trend Micro DRBControl February 2020) (Citation: Nccgroup Emissary Panda May 2018) |
G1021 | Cinnamon Tempest | (Citation: Dell SecureWorks BRONZE STARLIGHT Profile) |
G0093 | GALLIUM | (Citation: Cybereason Soft Cell June 2019) |
G0001 | Axiom | (Citation: Cisco Group 72) (Citation: Novetta-Axiom) |
G0045 | menuPass | (Citation: FireEye APT10 April 2017) (Citation: DOJ APT10 Dec 2018) (Citation: PWC Cloud Hopper Technical Annex April 2017) |
G0062 | TA459 | (Citation: Proofpoint TA459 April 2017) |
G1014 | LuminousMoth | (Citation: Bitdefender LuminousMoth July 2021) (Citation: Kaspersky LuminousMoth July 2021) |
G0017 | DragonOK | (Citation: New DragonOK) |
G0044 | Winnti Group | (Citation: Kaspersky Winnti April 2013) |
G0129 | Mustang Panda | (Citation: Crowdstrike MUSTANG PANDA June 2018) (Citation: Anomali MUSTANG PANDA October 2019) (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: Avira Mustang Panda January 2020) (Citation: Recorded Future REDDELTA July 2020) (Citation: Proofpoint TA416 Europe March 2022) |
References
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Miller-Osborn, J., Grunzweig, J. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- Scott, M. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
- Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
- Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. Retrieved June 11, 2024.
- Lancaster, T. and Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.
- Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
- Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Pantazopoulos, N., Henry, T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
- Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014.
- SecureWorks. (n.d.). BRONZE STARLIGHT. Retrieved December 6, 2023.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
- United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
- Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
- Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
- Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
- Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
- Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.
- Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
- Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
- Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
- Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
- Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.