Report: PlugX Is RAT of Choice for Nation States

Nation-state backed threat adversaries have their own preferences when it comes to malware and attack tools. Details on which tools nation-state threat actors use are included in the 2014 CrowdStrike Global Threat Intel report that was released this week. Among its findings: The PlugX Remote Access Tool (RAT) is the most observed malware variant used in such attacks.

“PlugX is pretty easy to use,” Dmitri Alperovitch, co-founder and CTO of CrowdStrike, told eSecurityPlanet. “It was initially used by Chinese threat adversaries that led the development of the tool.”

The use of PlugX has proliferated across multiple groups of threat adversaries that CrowdStrike tracks, Alperovitch noted. Originally PlugX was just used by several groups in China. Alperovitch expects that its use has grown as individuals have moved across different military units in China and as a result of hackers sharing their success stories.

How PlugX Works

“PlugX has existed in some form since 2008 and has evolved over time to offer new capabilities and control mechanisms, supported by an active development program,” the CrowdStrike report states. “It provides an attacker with a range of functionality including the ability to log keystrokes; modify and copy files; capture screenshots or video of user activity; and perform administrative tasks such as terminating processes, logging off users and rebooting victim machines.”

PlugX also includes command-and-control (C2) capabilities. CrowdStrike’s report notes that PlugX’s C2 capabilities include a range of options that enable the RAT to stay hidden and undetected on networks.

From a delivery perspective, PlugX infects users by way of a targeted spear phishing attack that includes a malicious document attachment. CrowdStrike found that in many cases, the infected document aims to exploit the CVE-2012-0158 vulnerability, which was patched in 2012.

The PlugX RAT isn’t a single file, but rather is a multi-stage exploit on the user device that drops three different files. According to CrowdStrike’s analysis, the first dropped file is a legitimate digitally signed application, the second is an encrypted file containing the PlugX payload, and the third is a malicious, dynamically-linked library (DLL) that is used to load the malware when the legitimate application is executed.

The multi-level approach used by PlugX helps the tool avoid various forms of threat detection, including many common anti-virus software technologies.
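
The three dropped files described above form a pattern that defenders can hunt for. As an added example (not from the CrowdStrike report or this article), the Python heuristic below flags directories that hold a signed executable, an unsigned DLL and a high-entropy non-PE file together. The event fields (`path`, `signed`, `head`), the 7.0 bits/byte threshold and the sample paths are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict
from pathlib import PureWindowsPath
ENTROPY_THRESHOLD = 7.0  # bits/byte; assumed cut-off for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(ev):
    """Map one file-creation event to its role in the triad, or None."""
    suffix = PureWindowsPath(ev["path"]).suffix.lower()
    is_pe = ev["head"][:2] == b"MZ"  # DOS header magic of a PE file
    if is_pe and suffix == ".exe" and ev["signed"]:
        return "signed_exe"
    if is_pe and suffix == ".dll" and not ev["signed"]:
        return "unsigned_dll"
    if not is_pe and shannon_entropy(ev["head"]) >= ENTROPY_THRESHOLD:
        return "opaque_blob"
    return None

def find_sideload_triads(events):
    """Return directories that contain all three roles at once."""
    by_dir = defaultdict(dict)
    for ev in events:
        role = classify(ev)
        if role:
            parent = str(PureWindowsPath(ev["path"]).parent)
            by_dir[parent].setdefault(role, []).append(ev["path"])
    return [
        {"dir": d, "files": sorted(p for ps in roles.values() for p in ps)}
        for d, roles in sorted(by_dir.items())
        if len(roles) == 3
    ]

# Constructed sample telemetry; "signed" is assumed to come from an EDR signature check.
PE, BLOB, TEXT = b"MZ" + bytes(62), bytes(range(256)) * 4, b"setting=1\n" * 50
SAMPLE_EVENTS = [
    {"path": r"C:\ProgramData\demo\host.exe", "signed": True, "head": PE},
    {"path": r"C:\ProgramData\demo\loader.dll", "signed": False, "head": PE},
    {"path": r"C:\ProgramData\demo\payload.dat", "signed": False, "head": BLOB},
    {"path": r"C:\Apps\tool\tool.exe", "signed": True, "head": PE},
    {"path": r"C:\Apps\tool\tool.dll", "signed": True, "head": PE},
    {"path": r"C:\Apps\tool\tool.cfg", "signed": False, "head": TEXT},
]
if __name__ == "__main__":
    print(find_sideload_triads(SAMPLE_EVENTS))
```

Legitimate software can match this shape too, so a hit is a triage lead rather than a verdict.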

Exploit Kit Activity

Outside of the context of nation-state threat actors, the Angler exploit kit has gained notoriety over the course of the past year. Alperovitch explained that while PlugX is used by nation-state threat adversaries in China, Angler is typically used by criminal groups to create botnets and steal financial information.

Nation-state threat groups sometimes use exploit kits like Angler as well, he said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
