PlugX

Editor’s note: While the detection opportunities and analysis on this page are still relevant, it has not been updated since 2023. 

Analysis

PlugX is a malware family observed in intrusions attributed to multiple operators at least as far back as 2008. Although researchers largely attribute compromises involving PlugX to espionage operators with ties to Chinese interests, notably Mustang Panda (which overlaps with the TA416 and RedDelta), there is speculation that PlugX source code has been circulated online and may be accessible to a broader range of adversaries. It is also tracked as Destroy RAT, Kaba, Korplug, Sogu, and TIGERPLUG.

PlugX is a modular malware with multiple capabilities. It calls back to a command and control (C2) server, gathers machine information, performs screen captures, and manages services and processes. Additionally, it looks to obfuscate its activities by performing actions like modifying the characteristics of folders to hide them.

In 2022, Red Canary observed PlugX in several industries, including manufacturing, construction, insurance, and international nonprofits. In multiple infections throughout the year, USB devices containing LNK files were likely used for initial access, resulting in a registry artifact of execution similar to \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{[redacted_GUID]}\Count\Q:\Erzbinoyr Qvfx(3TO).yax, which decodes from ROT13 to D:\Removable Disk(3GB).lnk.

According to MITRE ATT&CK, mitigations for Technique T1574.001 – DLL Search Order Hijacking include disallowing the loading or remote DLLs, which is included by default in Windows Server 2012 and later. Additionally, the use of Safe DLL Search Mode forces a search for system DLLs in directories with greater restrictions (e.g., %SYSTEMROOT%) to be used before local directory DLLs (e.g., a user’s home directory).

When responding to a PlugX infection, a combination of editing the Windows Registry, removing relevant files (some of which may be hidden and/or in RECYCLER.BIN), and removing relevant folders is required.

Detection opportunities

PlugX abuses DLL search order hijacking, a technique whereby an adversary games the DLL search order process of the Windows operating system to execute malicious DLLs. While some applications will specify the location of the DLL it wants to run, if an application or executable does not specify the location of the DLL it wants to load and the DLL has not been loaded into memory, then there’s a specific order of operations that an application or executable will follow to locate the DLL. In general, the process calling the DLL will search in the directory it’s executing from before iterating through other locations in a predefined order to locate the DLL in question. This provides an opportunity for PlugX to insert a malicious DLL before a legitimate DLL is executed.

PlugX has been observed leveraging the legitimate Avast antivirus file wsc_proxy.exe to begin the process of DLL search order hijacking that results in PlugX malware installation. Relocation of this binary outside of Program Files will be highly unusual, although this could be caused by an administrator installing the application in a custom path.