loader gif

PlugX RAT: The tale of the RAT that has been used in various cyber-espionage campaigns

PlugX RAT: The tale of the RAT that has been used in various cyber-espionage campaigns
  • PlugX RAT has been used in several attacks launched by Chinese cyber-espionage group APT10.
  • Its capabilities include keystroke logging and performing port mapping, capturing screenshots and videos, creating, executing, renaming, modifying, and deleting files, and restarting or rebooting systems.

PlugX is a Remote Access Trojan (RAT) which was first spotted in 2012, since then it has been used in several attacks launched by Chinese cyber-espionage group APT10. PlugX RAT primarily targets government entities and is distributed via phishing emails, spam campaigns, and spear-phishing campaigns.

The attack starts with a phishing email containing a malicious attachment, usually, a specially crafted malicious document that exploits either a vulnerability in Adobe Acrobat Reader or Microsoft Office.

Backdoor modules

This RAT includes several backdoor modules,

  • XPlugDisk
  • XPlugKeyLogger
  • XPlugNethood
  • XPlugOption
  • XPlugPortMap
  • XPlugProcess
  • XPlugRegedit
  • XPlugScreen
  • XPlugService
  • XPlugShell
  • XPlugSQL
  • XPlugTelnet

Capabilities

  • Its capabilities include creating, executing, copying, renaming, modifying, moving, and deleting files
  • Getting drive information and file information
  • Restart or Reboot system
  • Enumerating and terminating process
  • Keystroke logging and performing port mapping
  • Capturing screenshots and videos
  • Starting, enumerating, modifying, and deleting services
  • Performing a remote shell, executing a SQL statement, and hosting a Telnet server.

PlugX targeting Afghan and Russian Military

In 2014, PlugX was used in an attack campaign targeting intelligence information on Russian, Afghan and Tajik military and diplomats. PlugX was distributed via spear-phishing emails that included maliciously crafted RTF documents and self-extracting RAR archives designed to exploit Microsoft Word vulnerabilities in order to install the malware on targeted systems.

7.93 million user records from Japanese Travel agency compromised

In July 2016, a Japanese travel agency, JTB Corp, suffered a data breach compromising almost 7.93 million user records. The data breach was a result of an employee opening a malicious document which he received via a phishing email. The malicious document included the PlugX RAT, which installed the Elirks backdoor trojan, that is designed to steal user information.

Military and aerospace interests in Russia and Belarus targeted

Chinese cyber-espionage group had used PlugX RAT to target military and aerospace interests in Russia and Belarus. In this campaign, the threat group had leveraged ZeroT dropper malware to install the PlugX remote access Trojan (RAT) and had added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.

Pharmaceutical organizations and video game firms targeted

The same Chinese threat group was spotted using the infamous PlugX malware to target pharmaceutical organizations in Vietnam in order to steal drug formulas and business information.

Researchers also spotted a new variant of the PlugX RAT dubbed ‘Paranoid’ that has been used by the Chinese threat group in attacks against video game companies.

ChessMaster campaign uses PlugX

Researchers noted that the ChessMaster campaign includes RATs such as ChChes, PlugX, and Redleaves. Further, it is to be noted that the ChessMaster campaign is associated with the Chinese cyber-espionage group, APT10.

Government entities targeted in Southeast Asia

In April 2019, China-linked cyber-espionage group APT10 launched a malware attack against government and private organizations in Southeast Asia with two new loaders. Additionally, new variants of PlugX and Quasar RAT were dropped as final payloads in this attack campaign.

loader gif