Skip to content

S0013 PlugX

PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.6532

Item Value
ID S0013
Associated Names Thoper, TVT, DestroyRAT, Sogu, Kaba, Korplug
Type MALWARE
Version 3.1
Created 31 May 2017
Last Modified 10 April 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Thoper 4
TVT 4
DestroyRAT 1
Sogu 651
Kaba 5
Korplug 61

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols PlugX can be configured to use HTTP for command and control.214
enterprise T1071.004 DNS PlugX can be configured to use DNS for command and control.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder PlugX adds Run key entries in the Registry to establish persistence.6111
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell PlugX allows actors to spawn a reverse shell on a victim.21
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services.16111315
enterprise T1140 Deobfuscate/Decode Files or Information PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.11014
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography PlugX can use RC4 encryption in C2 communications.14
enterprise T1083 File and Directory Discovery PlugX has a module to enumerate drives and find files recursively.114
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories PlugX can modify the characteristics of folders to hide them from the compromised user.14
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking PlugX has the ability to use DLL search order hijacking for installation on targeted systems.14
enterprise T1574.002 DLL Side-Loading PlugX has used DLL side-loading to evade anti-virus.5212119108
enterprise T1105 Ingress Tool Transfer PlugX has a module to download and execute files on the compromised machine.114
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging PlugX has a module for capturing keystrokes per process including window titles.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service In one instance, menuPass added PlugX as a service with a display name of “Corel Writing Tools Utility.”13
enterprise T1036.005 Match Legitimate Name or Location PlugX has been disguised as legitimate Adobe and PotPlayer files.14
enterprise T1112 Modify Registry PlugX has a module to create, delete, or modify Registry keys.1
enterprise T1106 Native API PlugX can use the Windows API functions GetProcAddress, LoadLibrary, and CreateProcess to execute another process.614
enterprise T1135 Network Share Discovery PlugX has a module to enumerate network shares.1
enterprise T1095 Non-Application Layer Protocol PlugX can be configured to use raw TCP or UDP for command and control.2
enterprise T1027 Obfuscated Files or Information PlugX can use API hashing and modify the names of strings to evade detection.1014
enterprise T1057 Process Discovery PlugX has a module to list the processes running on a machine.1
enterprise T1012 Query Registry PlugX can enumerate and query for information contained within the Windows Registry.61
enterprise T1113 Screen Capture PlugX allows the operator to capture screenshots.1
enterprise T1049 System Network Connections Discovery PlugX has a module for enumerating TCP and UDP network connections and associated processes using the netstat command.1
enterprise T1127 Trusted Developer Utilities Proxy Execution -
enterprise T1127.001 MSBuild A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.9
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks PlugX checks if VMware tools is running in the background by searching for any process named “vmtoolsd”.7
enterprise T1102 Web Service -
enterprise T1102.001 Dead Drop Resolver PlugX uses Pastebin to store C2 addresses.9

Groups That Use This Software

ID Name References
G0062 TA459 16
G0129 Mustang Panda 171819202114
G0017 DragonOK 3
G0044 Winnti Group 22
G0001 Axiom 234
G0045 menuPass 111324
G0093 GALLIUM 25
G0096 APT41 26
G1014 LuminousMoth 2827
G0126 Higaisa 29
G0027 Threat Group-3390 23031108
G0022 APT3 5

References

  1. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  2. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  3. Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015. 

  4. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  5. Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016. 

  6. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015. 

  7. Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019. 

  8. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  9. Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017. 

  10. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  11. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  12. Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014. 

  13. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  14. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  15. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  16. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018. 

  17. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021. 

  18. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 

  19. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  20. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. 

  21. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. 

  22. Kaspersky Lab’s Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. 

  23. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016. 

  24. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019. 

  25. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  26. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  27. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. 

  28. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. 

  29. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  30. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. 

  31. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.