In a recent blog post, AlienVault researcher Jaime Blasco identified a man in China who appears to be the developer of the new PlugX remote access Trojan (RAT).
“AlienVault has been tracking PlugX, also known as Korplug, for the past few months, analysing the payloads of the attacks and collecting intelligence,” writes TechWeekEurope’s Max Smolaks. “PlugX is a backdoor malware with a high damage potential. Once on the system, it executes commands from a remote malicious user, effectively compromising the affected computer. The tool was mainly used by hackers in Japan, Taiwan, China, Korea and against Tibetan organizations.”
“After analyzing some of the debug paths used in the PlugX Trojan, researchers noticed that some of them contained a username: whg,” writes Softpedia’s Eduard Kovacs. “Similar debug paths have been identified in the binaries of an application called SockMon. A search on cnasm.com … led investigators to the [email protected] email address, which back in 2000 was utilized to register a domain. The physical address associated with the domain is the one of a security company from China. Finally, a different search for whg0001 pointed experts to the CSDN profile of an individual who describes himself as a ‘virus expert, proficient in assembly.'”
“On my.csdn.net they even found a photo of whg0001,” Infosecurity reports. “Finally, AlienVault found another PlugX debug path pointing to a Baidu.com page ‘that seems to be used as a test or to check connectivity;’ but displaying the same photo of whg0001 that they had found on my.csdn.net. ‘With the information we have, we can say that this guy is behind the active development of the PlugX RAT,’ concludes AlienVault. We now have his email address and his photograph — his real name will surely follow.”