


It happens that malware writers and other miscreants in the digital world put messages in their malware. Sometimes they do it just for the “lulz”, sometimes to insult a person who hampers their criminal business, sometimes to deliver information to the guys on the other side who oppose them. We hope the case described in this blogpost falls into the first category, i.e.

Our first research into PlugX was published in 2012 – since then this remote access tool (RAT) has become a well-known instrument used in a series of attacks all over the globe targeting multiple industry verticals. PlugX has been detected in targeted attacks not only against military, government or political organizations but also against more or less ordinary companies. In 2013, we discovered that the Winnti group responsible for attacking companies in the online gaming industry has been using the PlugX remote administration tool since at least May 2012.

This time, looking through some anomalous PlugX samples, we stumbled upon one specimen that had an RC4 encoded resource inside. Actually, it turned out to be a test sample with stub settings. Luckily, it was quite easy to find the initial builder that generates such samples. Basically, the builder compiles a handful of different PlugX droppers, including the notorious SFX RAR archives containing the PlugX trinity – a legitimate signed executable susceptible to a DLL side-loading attack, a DLL that is picked up by an executable and the payload file that maintains all the juicy stuff – the PlugX functional library, C2s and other settings.

