Vulnerabilities / Threats
9/13/2012
02:48 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Is 'Virus Expert' Tied To PlugX RAT Malware?

Security firm AlienVault believes "whg0001" helped create malware used to attack targets in Japan, South Korea, Taiwan, and Tibet.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
A virus expert who may be responsible for the development of PlugX, a Remote Access Tool, or RAT, used for several years to attack computers and steal data from targets in Asia, did not adequately clean and anonymize his code, one security researcher says.

Jaime Blasco, labs manager at AlienVault, has been tracking the activities of a group using PlugX and believes he has identified at least one of the people behind the malicious software.

Blasco in a phone interview said he was able to extract the debug file path from some PlugX malware binaries and then match those file paths to other PlugX samples, samples that included a username in the file path: "whg." The samples also suggested the author was using two separate systems for his work, a Windows XP system and a Vista/7 system.

Blasco scanned other binary files for similar debug file paths and identified an application called SockMon at the Chinese website cnasm.com. The website lists contact information for "whg0001," along with an email address and a QQ number, an identifier used on China's popular QQ messaging service.

[ Learn more about RATs. Read DarkComet Developer Retires Notorious Remote Access Tool. ]

InformationWeek sent an email to "whg0001" asking if he had a hand in the creation of PlugX, as Blasco alleges. We have not heard back.

As Blasco relates in a blog post about his findings, the email address associated with "whg0001" was used as an administrative contact to register a website in China in 2000. The company, Chinansl Technology Co. LTD is listed at Chengdu National Information Security Production Industrialization Base, 2nd Floor, No.8 Chuangye Road, Chengdu, China.

The company appears to have ties to the security industry in China, Blasco observes.

Blasco has found this same file path in components of Chinasl software called "Parent Carefree Filter" and that information about "whg0001" on the Internet identifies him as a "virus expert" who is "proficient in assembly."

A CSDN profile associated with the same whg0001" email address includes a picture.

Searching for more versions of the PlugX RAT reveals a connectivity test URL that points to another picture of the same individual.

Blasco concludes that based on this research, "we can say that this guy is behind the active development of the PlugX RAT."

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
9/15/2012 | 10:03:55 PM
re: Is 'Virus Expert' Tied To PlugX RAT Malware?
From the sound of it, this appears to have been a spying product - possibly created for the Chinese government, especially considering the targeted countries.

Get used to it folks, cyber weapons are all around us these days.

Remember, it's only malware if it does bad things to you. It's software if it does things for you.

Andrew Hornback
InformationWeek Contributor
Secure Wifi Hijacked by KRACK Vulns in WPA2
Jai Vijayan, Freelance writer,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Game Change: Meet the Mach37 Fall Startups
Ericka Chickowski, Contributing Writer, Dark Reading,  10/18/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.