Using Yara rules based on the old released builder it is possible to search Virus Total for similar samples. This allows various PlugX controllers to be found that are associated with newer versions of the RAT.


Two of the controllers identified are for version 2 of the RAT. This is really interesting, as it would allow us to build tools to detect and analyse traffic between the RAT and its controller.

However, none of the aforementioned controllers have a "Make" tab to build custom samples. This means that if we want to make the RAT communicate with a controller in a virtual and controlled environment, it would be necessary to build a fake DNS infrastructure and some redirection rules to fake the original C2 server from the RAT point of view.

It would really be easier to build our own samples rather than take this approach!

When looking at the V2 controllers through IDA Pro, we notice some strange strings for an executable missing the builder feature!

plugx_cc_str1.png plugx_cc_str2.png

It seems that the builder part of the controller might still be present in the binary, but not directly accessible through the user interface!

As this binary has been developed using Delphi, a tool such as "Dede" provides a view of the user interface together with all windows, buttons, lists, etc.

Looking at the "Settings" tab window, one can notice a strange, hidden set of radio buttons!


Viewing the properties of the radio buttons indicates that the "OnlyController" one is checked!

As the tool didn't allow direct modification of the buttons properties (and because assembly is considerably more interesting than Delphi UI!), let's see how the check is performed when the FormShow() method of the TfrmMain window is called:


We can clearly see the check of the 3 radio buttons. A simple way to enable the "Make" tab would be to "nop" the first "jz" instruction.

If the is run binary again after this modification, a wild "Builder" tab appears!


This patched version now allows us to build our own sample, and run a full PlugX architecture in our lab!