Attacks/Breaches
11/27/2012
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Chinese Cyberespionage Tool Updated For Traditional Cybercrime

PlugX remote access Trojan (RAT) spotted being used to pilfer money out of enterprises

In yet another example of the inevitable intersection between cyberespionage and cybercrime, an infamous cyberspying tool out of China has been upgraded and used in targeted attacks for financial gain, not pure cyberespionage.

Kaspersky Lab discovered the PlugX cyberespionage tool authors using a new and more refined version of the tool against an ordinary company -- not the typical military, government, or corporate target favored by Chinese cyberespionage actors.

"Attacks against the company with use of a new version of PlugX that have been detected by us are traditional cybercrime acts aimed at gaining financial benefit," says Dmitry Tarakanov, a Kaspersky Lab expert. Attacks against the unnamed targeted company have been ongoing for about a month now.

Cybercriminals for some time have been aiming for more persistence and thus employing spying tools. Traditional cybercriminals increasingly are using the same hacking tools that cyberespionage attackers employ in order to maintain a stealthy foothold inside a victim organization so they can maximize their spoils and profits.

Temote access Trojans (RATs) like Poison Ivy and Gh0st also have been used for both cyberespionage and cybercrime, security experts say, so it's no surprise that PlugX would be converted for dual use as well. In this case, it appears the attackers behind the financial-stealing attacks with PlugX may be the same ones who authored the traditional spy RAT.

[Recent Internet Explorer attacks used PlugX and PoisonIvy payloads. See Multiple Targeted IE Attacks Underway, Microsoft To Release Patch Tomorrow.

Tarakanov says Kaspersky Lab has found no evidence to suggest that the tool has gotten into the hands of anyone outside of its original authors, who have been traced to China by other researchers. "So far, the only tips we have seen indicate that the very developer -- or a group to which he belongs -- could use PlugX. No other parties related to this tool have been discovered. Also, no site has been found where this tool would have been proposed," he says. "If we managed to find any evidence suggesting that the PlugX RAT can be obtained by different groups of attackers, then it would explain why different types of targets are under attack. But no evidence has been found; this is why the situation is kind of unusual."

It's possible that either one person or group is behind all PlugX attacks, he says.

There also are cases where cyberespionage hackers moonlight in cybercrime. Jeremy Flessing, threat analyst with HBGary, says that's one possible scenario with the expanded PlugX activity. "Imagine, if you will, a state-sponsored threat actor realizes how easy it is to breach high-value machines on some of the most theoretically secure networks in the world. If this threat actor were to take the malware home with him and deploy it at will on his own less-secure targets, who's to stop them?" Flessing says. "They’ve been trained and provided the tools to accomplish these tasks daily."

That type of scenario occurs in attacks against online gaming companies, for instance. "We also see this type of activity targeting online game companies where their in-game currency can be sold off for real-world money. Hackers would then gain access to the network using APT-style malware, find the central database, and, using SQL injections, literally fill their inventory with virtual gold," he says.

Kaspersky's Tarakanov, meanwhile, says that a few days ago, the PlugX attacker or attackers sent multiple emails rigged with a new version of PlugX. In a blog post today, Tarakanov explained that the new version has a new logging function. "The virus writer has removed almost all the lines of code for processing potential errors that were present in the old version," he wrote in the post. "We conclude that the PlugX project is a work in progress. And, this progress has just reached a milestone. Although the attackers did not hesitate to use the debug version in previous targeted campaigns, the debug version is now complete and a major version production release is being circulated."

Jaime Blasco, manager of AlienVault Labs, says he has seen the author or authors of PlugX working on improvements to the tool over the past few months. Blasco in September traced the malware to a "virus expert" in China who appears to be the creator of PlugX.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3594
Published: 2014-08-22
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

CVE-2014-4197
Published: 2014-08-22
Multiple SQL injection vulnerabilities in Bank Soft Systems (BSS) RBS BS-Client 3.17.9 allow remote attackers to execute arbitrary SQL commands via the (1) CARDS or (2) XACTION parameter.

CVE-2014-5097
Published: 2014-08-22
Multiple SQL injection vulnerabilities in Free Reprintables ArticleFR 3.0.4 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) get or (2) set action to rate.php.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.