The next generation of the PlugX APT – new SophosLabs research

plug-xSophosLabs Threat Researcher Gabor Szappanos has been following the development of PlugX – a strain of advanced persistent threat (APT) that has been used in targeted attacks – over the past year.

“Szappi,” as he’s known around the labs, has dissected variants of PlugX in a series of technical papers explaining his research – and the new ways the cybercriminals have devised to conceal their malware.

In his latest paper, Szappi shows us how one variant of PlugX doesn’t do what the other versions do – dropping a separate file on the infected system – but rather stores itself in memory without using the disk.

More about PlugX

PlugX began showing up in targeted attacks using infected Rich Text Format, Word, and Ichitaro (a word processor used in Japan) files.

Because of the sneaky way PlugX infects users through RTF attachments, and the way it hides itself to do the damage of stealing private data, it seems like this threat could be used for state-sponsored espionage.

APTs, however, can be used by anyone with the motivation to compromise you.

As we’ve written about before, financially-motivated cybercriminals are watching the development of APTs too – for example, the bad guys behind the Zeus malware.

SophosLabs research shows that about one-third of the attacks using infected Microsoft Office documents in recent months have contained Zeus/Zbot.

For further reading

Advanced Threat Protection in Sophos UTM

Advanced Threat Protection in Sophos UTM is not just a single technology. Rather, it’s a set of diverse traffic analysis mechanisms fed with data from our global network of labs. That means our SophosLabs threat intelligence can be used to prevent devices from connecting with command-and-control/botnet host servers outside your network.

Try Sophos UTM for free.

Keep up with SophosLabs

At SophosLabs we’re dedicated to sharing our research with the security community. From time to time we present our technical papers at industry conferences, such as the upcoming Virus Bulletin 2014 conference, 24 – 26 September 2014.

Keep up to date with our latest industry-leading research and technical papers, expert opinion, and security advice at Naked Security, and right here on the Sophos Blog.

Sign up for Sophos Blog newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.


Leave a Reply

Your email address will not be published. Required fields are marked *