Attacks/Breaches
11/27/2012
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Chinese Cyberespionage Tool Updated For Traditional Cybercrime

PlugX remote access Trojan (RAT) spotted being used to pilfer money out of enterprises

In yet another example of the inevitable intersection between cyberespionage and cybercrime, an infamous cyberspying tool out of China has been upgraded and used in targeted attacks for financial gain, not pure cyberespionage.

Kaspersky Lab discovered the PlugX cyberespionage tool authors using a new and more refined version of the tool against an ordinary company -- not the typical military, government, or corporate target favored by Chinese cyberespionage actors.

"Attacks against the company with use of a new version of PlugX that have been detected by us are traditional cybercrime acts aimed at gaining financial benefit," says Dmitry Tarakanov, a Kaspersky Lab expert. Attacks against the unnamed targeted company have been ongoing for about a month now.

Cybercriminals for some time have been aiming for more persistence and thus employing spying tools. Traditional cybercriminals increasingly are using the same hacking tools that cyberespionage attackers employ in order to maintain a stealthy foothold inside a victim organization so they can maximize their spoils and profits.

Temote access Trojans (RATs) like Poison Ivy and Gh0st also have been used for both cyberespionage and cybercrime, security experts say, so it's no surprise that PlugX would be converted for dual use as well. In this case, it appears the attackers behind the financial-stealing attacks with PlugX may be the same ones who authored the traditional spy RAT.

[Recent Internet Explorer attacks used PlugX and PoisonIvy payloads. See Multiple Targeted IE Attacks Underway, Microsoft To Release Patch Tomorrow.

Tarakanov says Kaspersky Lab has found no evidence to suggest that the tool has gotten into the hands of anyone outside of its original authors, who have been traced to China by other researchers. "So far, the only tips we have seen indicate that the very developer -- or a group to which he belongs -- could use PlugX. No other parties related to this tool have been discovered. Also, no site has been found where this tool would have been proposed," he says. "If we managed to find any evidence suggesting that the PlugX RAT can be obtained by different groups of attackers, then it would explain why different types of targets are under attack. But no evidence has been found; this is why the situation is kind of unusual."

It's possible that either one person or group is behind all PlugX attacks, he says.

There also are cases where cyberespionage hackers moonlight in cybercrime. Jeremy Flessing, threat analyst with HBGary, says that's one possible scenario with the expanded PlugX activity. "Imagine, if you will, a state-sponsored threat actor realizes how easy it is to breach high-value machines on some of the most theoretically secure networks in the world. If this threat actor were to take the malware home with him and deploy it at will on his own less-secure targets, who's to stop them?" Flessing says. "They’ve been trained and provided the tools to accomplish these tasks daily."

That type of scenario occurs in attacks against online gaming companies, for instance. "We also see this type of activity targeting online game companies where their in-game currency can be sold off for real-world money. Hackers would then gain access to the network using APT-style malware, find the central database, and, using SQL injections, literally fill their inventory with virtual gold," he says.

Kaspersky's Tarakanov, meanwhile, says that a few days ago, the PlugX attacker or attackers sent multiple emails rigged with a new version of PlugX. In a blog post today, Tarakanov explained that the new version has a new logging function. "The virus writer has removed almost all the lines of code for processing potential errors that were present in the old version," he wrote in the post. "We conclude that the PlugX project is a work in progress. And, this progress has just reached a milestone. Although the attackers did not hesitate to use the debug version in previous targeted campaigns, the debug version is now complete and a major version production release is being circulated."

Jaime Blasco, manager of AlienVault Labs, says he has seen the author or authors of PlugX working on improvements to the tool over the past few months. Blasco in September traced the malware to a "virus expert" in China who appears to be the creator of PlugX.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2188
Published: 2015-02-26
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0594
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in the help pages in Cisco Common Services, as used in Cisco Prime LAN Management Solution (LMS) and Cisco Security Manager, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq54654 and CSCun1...

CVE-2015-0632
Published: 2015-02-26
Race condition in the Neighbor Discovery (ND) protocol implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service via a flood of Router Solicitation messages on the local network, aka Bug ID CSCuo67770.

CVE-2015-0651
Published: 2015-02-26
Cross-site request forgery (CSRF) vulnerability in the web GUI in Cisco Application Networking Manager (ANM), and Device Manager (DM) on Cisco 4710 Application Control Engine (ACE) appliances, allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo99753.

CVE-2015-0882
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php an...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.