SophosLabs research uncovers new developments in PlugX APT malware


The notorious PlugX APT group continues to evolve and launch campaigns, most recently a five-month campaign targeting organizations in India.

PlugX now uses a new backdoor technique – hiding the payload in the Windows registry instead of writing it as a file on disk – according to a new technical paper from SophosLabs Principal Researcher Gabor Szappanos.

Although not unique to PlugX, this registry-resident loading technique is still uncommon and limited to a few relatively sophisticated malware families.
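As an added example, not code from the SophosLabs paper or from Sophos, here is a PowerShell hunt a responder could run to surface the kind of registry value a registry-resident payload would have to live in: large REG_BINARY blobs, flagged as either a raw PE (MZ header) or high-entropy data that is likely encrypted or packed shellcode. The hive roots, the 16 KB size threshold and the 7.0 entropy cut-off are assumptions chosen for triage, not indicators published in the paper.

```powershell
# Added example, not from the SophosLabs paper: find large binary registry values
# that could hold a fileless payload. Roots, size and entropy thresholds are assumptions.
param(
    [string[]]$Roots = @('HKCU:\Software', 'HKLM:\Software'),
    [int]$MinBytes = 16KB,
    [double]$EntropyFlag = 7.0
)

# Shannon entropy in bits per byte; ~8.0 means uniformly random (encrypted/compressed).
function Get-ByteEntropy([byte[]]$Bytes) {
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -eq 0) { continue }
        $p = $c / $Bytes.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($h, 2)
}

$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            # Only binary values can hold an unencoded blob; strings are handled elsewhere.
            if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
            $data = [byte[]]$key.GetValue($name)
            if ($data.Length -lt $MinBytes) { continue }

            # An MZ header means a whole PE was dropped into the value as-is.
            $isPe = ($data[0] -eq 0x4D -and $data[1] -eq 0x5A)
            $entropy = Get-ByteEntropy -Bytes $data

            [PSCustomObject]@{
                Key         = $key.Name
                Value       = $name
                Bytes       = $data.Length
                MZ          = $isPe
                Entropy     = $entropy
                Suspicious  = ($isPe -or $entropy -ge $EntropyFlag)
            }
        }
    }
}

# Most suspicious first; everything listed still needs human triage.
$hits | Sort-Object Suspicious, Bytes -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM is fully readable. Expect legitimate noise (shell and application caches keep sizeable binary values), so treat the output as a triage list: a large, high-entropy blob under an unfamiliar key, or an MZ-headed value anywhere, is worth pulling and correlating with the autostart entry or loader that reads it.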

This reinforces a point Szappanos made in a previous paper: although APT groups are often unsophisticated in terms of exploit development, they have other skills that make them effective at what they do.

In Gabor’s words:

This new shellcode also indicates some heavy development in the PlugX factory. Both this kind of multi-stage shellcode and the external cryptor indicate that although the group is not top class in exploit development, in conventional malware development they show serious skills, which makes them dangerous.

To learn more technical details about this latest APT campaign, and to see malware samples and the exploit documents used in the campaign, download the paper here: PlugX Goes to the Registry (and India).

Learn more about PlugX

Gabor has been following the developments of PlugX for the past two years.

In his previous research, he’s documented how “common” malware authors, such as those behind the Zbot/Zeus financial malware, had begun borrowing techniques from APT groups.

Zbot is a widespread malware family that is designed primarily to steal banking data, including usernames, passwords and the one-time access codes used in two-factor authentication. Zbot also frequently deploys ransomware like CryptoLocker and CryptoWall to make money for its masters.

Gabor later showed that the borrowing of ideas was swinging back the other way, as APT groups in the “Rotten Tomato” campaign showed signs of borrowing code from the Zbot malware authors.

The merging of APTs and common malware has led Gabor to ask – “Are APTs the new normal?”

How to defend against APTs

Gabor’s research shows that patching vulnerabilities as updates become available, and using other technologies such as intrusion prevention systems (IPS) to block known attack vectors, should be highly effective against the majority of targeted and opportunistic attacks.

If you want to find out more about how APTs work and what you can do to protect yourself against them, download our free whitepaper (registration required), and check out a presentation of our recent webcast on pragmatic approaches to APT protection.

For more security tips, you should also read our Naked Security blog post by Paul Ducklin, Sophos senior security analyst.

About SophosLabs

SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts. Keep up to date with our latest industry-leading research, technical papers, and security advice at Naked Security and the Sophos Blog.
