Attacks/Breaches
11/27/2012
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Chinese Cyberespionage Tool Updated For Traditional Cybercrime

PlugX remote access Trojan (RAT) spotted being used to pilfer money out of enterprises

In yet another example of the inevitable intersection between cyberespionage and cybercrime, an infamous cyberspying tool out of China has been upgraded and used in targeted attacks for financial gain, not pure cyberespionage.

Kaspersky Lab discovered the PlugX cyberespionage tool authors using a new and more refined version of the tool against an ordinary company -- not the typical military, government, or corporate target favored by Chinese cyberespionage actors.

"Attacks against the company with use of a new version of PlugX that have been detected by us are traditional cybercrime acts aimed at gaining financial benefit," says Dmitry Tarakanov, a Kaspersky Lab expert. Attacks against the unnamed targeted company have been ongoing for about a month now.

Cybercriminals for some time have been aiming for more persistence and thus employing spying tools. Traditional cybercriminals increasingly are using the same hacking tools that cyberespionage attackers employ in order to maintain a stealthy foothold inside a victim organization so they can maximize their spoils and profits.

Temote access Trojans (RATs) like Poison Ivy and Gh0st also have been used for both cyberespionage and cybercrime, security experts say, so it's no surprise that PlugX would be converted for dual use as well. In this case, it appears the attackers behind the financial-stealing attacks with PlugX may be the same ones who authored the traditional spy RAT.

[Recent Internet Explorer attacks used PlugX and PoisonIvy payloads. See Multiple Targeted IE Attacks Underway, Microsoft To Release Patch Tomorrow.

Tarakanov says Kaspersky Lab has found no evidence to suggest that the tool has gotten into the hands of anyone outside of its original authors, who have been traced to China by other researchers. "So far, the only tips we have seen indicate that the very developer -- or a group to which he belongs -- could use PlugX. No other parties related to this tool have been discovered. Also, no site has been found where this tool would have been proposed," he says. "If we managed to find any evidence suggesting that the PlugX RAT can be obtained by different groups of attackers, then it would explain why different types of targets are under attack. But no evidence has been found; this is why the situation is kind of unusual."

It's possible that either one person or group is behind all PlugX attacks, he says.

There also are cases where cyberespionage hackers moonlight in cybercrime. Jeremy Flessing, threat analyst with HBGary, says that's one possible scenario with the expanded PlugX activity. "Imagine, if you will, a state-sponsored threat actor realizes how easy it is to breach high-value machines on some of the most theoretically secure networks in the world. If this threat actor were to take the malware home with him and deploy it at will on his own less-secure targets, who's to stop them?" Flessing says. "They’ve been trained and provided the tools to accomplish these tasks daily."

That type of scenario occurs in attacks against online gaming companies, for instance. "We also see this type of activity targeting online game companies where their in-game currency can be sold off for real-world money. Hackers would then gain access to the network using APT-style malware, find the central database, and, using SQL injections, literally fill their inventory with virtual gold," he says.

Kaspersky's Tarakanov, meanwhile, says that a few days ago, the PlugX attacker or attackers sent multiple emails rigged with a new version of PlugX. In a blog post today, Tarakanov explained that the new version has a new logging function. "The virus writer has removed almost all the lines of code for processing potential errors that were present in the old version," he wrote in the post. "We conclude that the PlugX project is a work in progress. And, this progress has just reached a milestone. Although the attackers did not hesitate to use the debug version in previous targeted campaigns, the debug version is now complete and a major version production release is being circulated."

Jaime Blasco, manager of AlienVault Labs, says he has seen the author or authors of PlugX working on improvements to the tool over the past few months. Blasco in September traced the malware to a "virus expert" in China who appears to be the creator of PlugX.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.