CASSIDIAN CyberSecurity Blog

Tag - PlugX



Getting a PlugX builder

PlugX has been a well-known RAT for the last 5 years, and we have written many blog posts about it.

However, no builder has ever been publicly released for this RAT, except the one from Ahnlab, which only allows building very old samples (2011), and another which was discussed in our previous post.

Continue reading...


Malware Sakula - Evolutions v2.x-3.x (Part 2)

This post is the second part of our article on the Sakula malware. It follows the first one, available here, and covers versions 2.x and 3.x.

Continue reading...


Volatility plugin for PlugX updated

Just after releasing our previous blog post, we encountered a new PlugX variant using a bigger configuration than usual. We thus decided to study it and update our Volatility plugin to handle the latest PlugX versions.

Continue reading...


Latest changes in PlugX

It has been a while since we last wrote about PlugX RAT.
JPCERT made a great blog post covering the latest features added to the RAT, such as:

  • New protocol (raw IP protocol 0xff)
  • P2P communications
  • MAC address binding
  • Process injection for UAC bypass
  • New encoding algorithm

This post aims to present new elements we discovered during our investigations on this infamous malware.

Continue reading...


PlugX "v2": meet "SController"

In our previous blog post about the PlugX RAT, we dealt with the original version and recapped some of its internal features. Back in mid-2013, we started to see a new version of the RAT in the wild, with enough differences from the previous one to be considered a new major version. We thus called it internally "PlugX v2". Some posts from SecureList and FireEye dealt with this new version, but none of them gave a full analysis.

In this post, we will detail the main differences and new features introduced by this version.

Continue reading...


PlugX: some uncovered points

PlugX (or Korplug, or Gulpix) is a well-known RAT involved in many APT cases. Some excellent write-ups about this malware have already been published by CIRCL, Sophos and AlienVault. Since we first encountered it on an incident response case back in 2012, we have followed its evolution to improve our knowledge, rules and tools. We're planning to release details about this malware in a small series of blog posts, to cover some points which have not been published yet.

This first post covers some internals of the original PlugX malware; we'll deal with its evolution in the next one.

Continue reading...