live casino online

PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.

PlugX allows remote users to perform malicious and data theft routines on a system without the user¡¯s permission or authorization. These malicious routines include:

• Copying, creating, modifying, and opening files
• Logging keystrokes and active windows
• Logging off the current user, restarting/rebooting the affected system
• Creating, modifying and/or deleting registry values
• Capturing video or screenshots of user activity
• Setting connections
• Terminating processes

Apart from compromising system security, PlugX¡¯s routines could lead to further information theft if systems are left unchecked. PlugX also gives attackers complete control over the system.

Installation

This backdoor drops the following non-malicious files:

• %AppDataLocal%\VirtualStore\Program Files\Common Files\NvSmart.exe
• %AppDataLocal%\VirtualStore\Windows\system32\NvSmart.exe
• %ProgramData%\Gf\NvSmart.exe
• %ProgramData%\SxS\NvSmart.exe
• %ProgramData%\SxS\rc.exe
• %ProgramData%\SxSi\rc.exe
• %System Root%\Users\All Users\Gf\NvSmart.exe
• %System Root%\Users\All Users\SxS\NvSmart.exe
• %System Root%\Users\All Users\SxS\rc.exe
• %System Root%\Users\All Users\SxSi\rc.exe
• %System Root%\Users\All Users\UdpGf\NvSmart.exe

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It creates the following folders:

• %ProgramData%\Gf
• %ProgramData%\SxS
• %ProgramData%\SxSi
• %System Root%\Users\All Users\Gf
• %System Root%\Users\All Users\SxS
• %System Root%\Users\All Users\SxSi
• %System Root%\Users\All Users\UdpGf

(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Description = "Gf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
DisplayName = "Gf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ImagePath = ""%ProgramData%\Gf\NvSmart.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Description = "SxS"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
DisplayName = "SxS"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ImagePath = ""%ProgramData%\SxS\rc.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Description = "UdpGf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Description = "UdpGf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
DisplayName = "UdpGf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ImagePath = ""%ProgramData%\UdpGf\NvSmart.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Description = "SxSi"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
DisplayName = "SxSi"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ImagePath = "%ProgramData%\SxSi\rc.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Type = "110"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Gf

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SxS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\UdpGf

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\FAST
CLSID = "{hex values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
FAST
CLSID = "{hex values}"

It adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\FAST

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
FAST

Dropping Routine

This backdoor drops the following files:

• %AppDataLocal%\VirtualStore\Program Files\Common Files\NvSmartMax.dll
• %AppDataLocal%\VirtualStore\Program Files\Common Files\boot.ldr
• %AppDataLocal%\VirtualStore\Windows\system32\NvSmartMax.dll
• %AppDataLocal%\VirtualStore\Windows\system32\boot.ldr
• %ProgramData%\Gf\NvSmartMax.dll
• %ProgramData%\Gf\boot.ldr
• %ProgramData%\SxS\NvSmartMax.dll
• %ProgramData%\SxS\rc.hlp
• %ProgramData%\SxS\rcdll.dll
• %ProgramData%\SxSi\rc.hlp
• %ProgramData%\SxSi\rcdll.dll
• %System Root%\Users\All Users\Gf\NvSmartMax.dll
• %System Root%\Users\All Users\Gf\boot.ldr
• %System Root%\Users\All Users\SxS\NvSmartMax.dll
• %System Root%\Users\All Users\SxS\rc.hlp
• %System Root%\Users\All Users\SxS\rcdll.dll
• %System Root%\Users\All Users\SxSi\rc.hlp
• %System Root%\Users\All Users\SxSi\rcdll.dll
• %System Root%\Users\All Users\UdpGf\NvSmart.usr
• %System Root%\Users\All Users\UdpGf\NvSmartMax.dll

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other Details

This backdoor connects to the following possibly malicious URL:

• http://{BLOCKED}r.{BLOCKED}ctme.net/update?id=00107f08
• {BLOCKED}y.{BLOCKED}-show.org
• {BLOCKED}bb.{BLOCKED}s.in
• {BLOCKED}l.{BLOCKED}2.us:80
• {BLOCKED}sUpdated.{BLOCKED}n.com
• http://{BLOCKED}.{BLOCKED}.0.1:12345/update?id=00108490
• http://{BLOCKED}.{BLOCKED}.0.1:12345/update?id=00133f60
• http://{BLOCKED}ntral.{BLOCKED}ind.net/update?id=00133f60
• http://{BLOCKED}lasia.{BLOCKED}focus.com:53/update?id=00108150
• http://{BLOCKED}l.{BLOCKED}huu.com/update?id=00133fa0
• http://{BLOCKED}r.{BLOCKED}ctme.net/update?id=00107f08
• http://{BLOCKED}ia.{BLOCKED}focus.com:8080/update?id=00108150
• http://{BLOCKED}ia.{BLOCKED}ind.net:8080/update?id=00133f60
• http://{BLOCKED}n.{BLOCKED}huu.com:53/update?id=00133fa0
• http://{BLOCKED}r.{BLOCKED}5.com:8080/update?id=00108108
• http://{BLOCKED}ul.{BLOCKED}c.net/update?id=00108150
• http://{BLOCKED}k.{BLOCKED}3.com:53/update?id=00108cf0
• http://{BLOCKED}a.{BLOCKED}focus.com:53/update?id=00133f60

NOTES:

It saves the gathered information as the following:

• %ProgramData%\Gf\kl.log
• %ProgramData%\SxS\bug.log
• %ProgramData%\SxS\kl.log
• %ProgramData%\SxS\xxx.xxx
• %ProgramData%\SxSi\kl.log
• %System Root%\Users\All Users\Gf\kl.log
• %System Root%\Users\All Users\SxS\bug.log
• %System Root%\Users\All Users\SxS\kl.log
• %System Root%\Users\All Users\SxS\xxx.xxx
• %System Root%\Users\All Users\SxSi\kl.log