04:25 PM
Connect Directly

Chinese Cyberespionage Tool Updated For Traditional Cybercrime

PlugX remote access Trojan (RAT) spotted being used to pilfer money out of enterprises

In yet another example of the inevitable intersection between cyberespionage and cybercrime, an infamous cyberspying tool out of China has been upgraded and used in targeted attacks for financial gain, not pure cyberespionage.

Kaspersky Lab discovered the PlugX cyberespionage tool authors using a new and more refined version of the tool against an ordinary company -- not the typical military, government, or corporate target favored by Chinese cyberespionage actors.

"Attacks against the company with use of a new version of PlugX that have been detected by us are traditional cybercrime acts aimed at gaining financial benefit," says Dmitry Tarakanov, a Kaspersky Lab expert. Attacks against the unnamed targeted company have been ongoing for about a month now.

Cybercriminals for some time have been aiming for more persistence and thus employing spying tools. Traditional cybercriminals increasingly are using the same hacking tools that cyberespionage attackers employ in order to maintain a stealthy foothold inside a victim organization so they can maximize their spoils and profits.

Temote access Trojans (RATs) like Poison Ivy and Gh0st also have been used for both cyberespionage and cybercrime, security experts say, so it's no surprise that PlugX would be converted for dual use as well. In this case, it appears the attackers behind the financial-stealing attacks with PlugX may be the same ones who authored the traditional spy RAT.

[Recent Internet Explorer attacks used PlugX and PoisonIvy payloads. See Multiple Targeted IE Attacks Underway, Microsoft To Release Patch Tomorrow.

Tarakanov says Kaspersky Lab has found no evidence to suggest that the tool has gotten into the hands of anyone outside of its original authors, who have been traced to China by other researchers. "So far, the only tips we have seen indicate that the very developer -- or a group to which he belongs -- could use PlugX. No other parties related to this tool have been discovered. Also, no site has been found where this tool would have been proposed," he says. "If we managed to find any evidence suggesting that the PlugX RAT can be obtained by different groups of attackers, then it would explain why different types of targets are under attack. But no evidence has been found; this is why the situation is kind of unusual."

It's possible that either one person or group is behind all PlugX attacks, he says.

There also are cases where cyberespionage hackers moonlight in cybercrime. Jeremy Flessing, threat analyst with HBGary, says that's one possible scenario with the expanded PlugX activity. "Imagine, if you will, a state-sponsored threat actor realizes how easy it is to breach high-value machines on some of the most theoretically secure networks in the world. If this threat actor were to take the malware home with him and deploy it at will on his own less-secure targets, who's to stop them?" Flessing says. "They’ve been trained and provided the tools to accomplish these tasks daily."

That type of scenario occurs in attacks against online gaming companies, for instance. "We also see this type of activity targeting online game companies where their in-game currency can be sold off for real-world money. Hackers would then gain access to the network using APT-style malware, find the central database, and, using SQL injections, literally fill their inventory with virtual gold," he says.

Kaspersky's Tarakanov, meanwhile, says that a few days ago, the PlugX attacker or attackers sent multiple emails rigged with a new version of PlugX. In a blog post today, Tarakanov explained that the new version has a new logging function. "The virus writer has removed almost all the lines of code for processing potential errors that were present in the old version," he wrote in the post. "We conclude that the PlugX project is a work in progress. And, this progress has just reached a milestone. Although the attackers did not hesitate to use the debug version in previous targeted campaigns, the debug version is now complete and a major version production release is being circulated."

Jaime Blasco, manager of AlienVault Labs, says he has seen the author or authors of PlugX working on improvements to the tool over the past few months. Blasco in September traced the malware to a "virus expert" in China who appears to be the creator of PlugX.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Latest Comment: nice post
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

Published: 2015-07-01
Heap-based buffer overflow in libwmf allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

Published: 2015-07-01
IBM PowerVC Standard Edition through does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report