Attacks/Breaches
11/27/2012
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Chinese Cyberespionage Tool Updated For Traditional Cybercrime

PlugX remote access Trojan (RAT) spotted being used to pilfer money out of enterprises

In yet another example of the inevitable intersection between cyberespionage and cybercrime, an infamous cyberspying tool out of China has been upgraded and used in targeted attacks for financial gain, not pure cyberespionage.

Kaspersky Lab discovered the PlugX cyberespionage tool authors using a new and more refined version of the tool against an ordinary company -- not the typical military, government, or corporate target favored by Chinese cyberespionage actors.

"Attacks against the company with use of a new version of PlugX that have been detected by us are traditional cybercrime acts aimed at gaining financial benefit," says Dmitry Tarakanov, a Kaspersky Lab expert. Attacks against the unnamed targeted company have been ongoing for about a month now.

Cybercriminals for some time have been aiming for more persistence and thus employing spying tools. Traditional cybercriminals increasingly are using the same hacking tools that cyberespionage attackers employ in order to maintain a stealthy foothold inside a victim organization so they can maximize their spoils and profits.

Temote access Trojans (RATs) like Poison Ivy and Gh0st also have been used for both cyberespionage and cybercrime, security experts say, so it's no surprise that PlugX would be converted for dual use as well. In this case, it appears the attackers behind the financial-stealing attacks with PlugX may be the same ones who authored the traditional spy RAT.

[Recent Internet Explorer attacks used PlugX and PoisonIvy payloads. See Multiple Targeted IE Attacks Underway, Microsoft To Release Patch Tomorrow.

Tarakanov says Kaspersky Lab has found no evidence to suggest that the tool has gotten into the hands of anyone outside of its original authors, who have been traced to China by other researchers. "So far, the only tips we have seen indicate that the very developer -- or a group to which he belongs -- could use PlugX. No other parties related to this tool have been discovered. Also, no site has been found where this tool would have been proposed," he says. "If we managed to find any evidence suggesting that the PlugX RAT can be obtained by different groups of attackers, then it would explain why different types of targets are under attack. But no evidence has been found; this is why the situation is kind of unusual."

It's possible that either one person or group is behind all PlugX attacks, he says.

There also are cases where cyberespionage hackers moonlight in cybercrime. Jeremy Flessing, threat analyst with HBGary, says that's one possible scenario with the expanded PlugX activity. "Imagine, if you will, a state-sponsored threat actor realizes how easy it is to breach high-value machines on some of the most theoretically secure networks in the world. If this threat actor were to take the malware home with him and deploy it at will on his own less-secure targets, who's to stop them?" Flessing says. "They’ve been trained and provided the tools to accomplish these tasks daily."

That type of scenario occurs in attacks against online gaming companies, for instance. "We also see this type of activity targeting online game companies where their in-game currency can be sold off for real-world money. Hackers would then gain access to the network using APT-style malware, find the central database, and, using SQL injections, literally fill their inventory with virtual gold," he says.

Kaspersky's Tarakanov, meanwhile, says that a few days ago, the PlugX attacker or attackers sent multiple emails rigged with a new version of PlugX. In a blog post today, Tarakanov explained that the new version has a new logging function. "The virus writer has removed almost all the lines of code for processing potential errors that were present in the old version," he wrote in the post. "We conclude that the PlugX project is a work in progress. And, this progress has just reached a milestone. Although the attackers did not hesitate to use the debug version in previous targeted campaigns, the debug version is now complete and a major version production release is being circulated."

Jaime Blasco, manager of AlienVault Labs, says he has seen the author or authors of PlugX working on improvements to the tool over the past few months. Blasco in September traced the malware to a "virus expert" in China who appears to be the creator of PlugX.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio