However, no builder for this RAT has ever been known to be publicly released, except the one from AhnLab, which only produces very old samples (2011), and another one which was discussed in our previous post.
Tag - PlugX
By Fabien Perigaud on 2016/06/22, 10:27 - Reverse engineering
By Yoann Francou on 2015/12/07, 10:52 - Reverse engineering
This post is the second part of our article on the Sakula malware. It follows the first one, available here, and covers versions 2.x and 3.x.
By Fabien Perigaud on 2015/09/08, 17:02 - Reverse engineering
Just after releasing our previous blog post, we encountered a new PlugX variant using a larger configuration than usual. We therefore decided to study it and update our Volatility plugin to handle the latest PlugX versions.
By Fabien Perigaud on 2015/08/06, 09:54 - Reverse engineering
It has been a while since we last wrote about PlugX RAT.
JPCERT made a great blog post covering the latest features added to the RAT, such as:
- New protocol (raw IP protocol 0xff)
- P2P communications
- MAC address binding
- Process injection for UAC bypass
- New encoding algorithm
This post aims to present new elements we discovered during our investigations into this infamous malware.
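Of the features listed above, the raw IP transport (protocol number 0xff) is the one a network defender can check for directly, since 255 is listed by IANA as "Reserved" and should never appear on a normal network. The following is an added example, not code from the original post or from the blog's authors: it parses IPv4 headers from raw bytes, verifies the header checksum so that damaged frames are not mis-classified, and flags packets whose protocol field is 255 or otherwise outside a set of everyday protocols. The sample packets are constructed inline, and the COMMON_PROTOS set is this example's own assumption about what a typical network carries, not something taken from the post.

```python
import struct
from typing import Dict, List, Tuple

# IANA lists IP protocol 255 as "Reserved"; JPCERT reported PlugX carrying its
# C2 traffic directly inside IP packets with this protocol number.
PLUGX_RAW_IP_PROTO = 0xFF
# Protocols considered normal on most networks (assumption for this example):
# ICMP, IGMP, TCP, UDP, GRE, ESP, AH, ICMPv6, OSPF, SCTP. Anything else is worth a look.
COMMON_PROTOS = {1, 2, 6, 17, 47, 50, 51, 58, 89, 132}


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> Dict[str, object]:
    """Parse the fixed IPv4 header (RFC 791) and verify its checksum.

    Raises ValueError on truncated, non-IPv4 or checksum-corrupted input.
    """
    if len(pkt) < 20:
        raise ValueError("truncated: need at least 20 bytes of IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    # A valid header (checksum field included) sums to 0xFFFF, so its complement is 0.
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "ttl": ttl,
        "payload": pkt[ihl:total_len],
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options) with a valid header checksum.

    Only used to construct sample input here; it says nothing about PlugX's own framing.
    """
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def classify(pkt: bytes) -> Tuple[str, Dict[str, object]]:
    """Return one of "plugx_raw_ip", "uncommon_proto", "ok", "malformed" plus parsed fields."""
    try:
        fields = parse_ipv4(pkt)
    except ValueError as exc:
        return "malformed", {"error": str(exc)}
    if fields["proto"] == PLUGX_RAW_IP_PROTO:
        return "plugx_raw_ip", fields
    if fields["proto"] not in COMMON_PROTOS:
        return "uncommon_proto", fields
    return "ok", fields


def scan(packets: List[bytes]) -> List[Tuple[str, str, str, int]]:
    """Return (verdict, src, dst, proto) for every packet that is not plain "ok"."""
    hits = []
    for pkt in packets:
        verdict, fields = classify(pkt)
        if verdict == "ok":
            continue
        if verdict == "malformed":
            hits.append((verdict, "?", "?", -1))
        else:
            hits.append((verdict, fields["src"], fields["dst"], fields["proto"]))
    return hits


# Constructed sample traffic (not a real capture): a TCP packet, an IP-protocol-255
# packet, a GRE packet and a truncated frame.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "192.0.2.10", 6, b"\x00\x50\x01\xbb" + b"\x00" * 16),
    build_ipv4("10.0.0.5", "198.51.100.7", PLUGX_RAW_IP_PROTO, b"constructed payload"),
    build_ipv4("10.0.0.9", "10.0.0.1", 47, b"\x00" * 4),
    b"\x45\x00\x00",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(hit)
```

The check is deliberately on the IP layer alone: a host-based firewall or a flow log that only records TCP/UDP ports will never show this traffic, so the protocol field has to be inspected from a raw capture, a NetFlow/IPFIX record that carries it, or an IDS rule keyed on ip_proto.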
By Fabien Perigaud on 2014/01/29, 15:33 - Reverse engineering
In our previous blog post about the PlugX RAT, we dealt with the original version and recapped some of its internal features. Back in mid-2013, we started to see a new version of the RAT in the wild, with enough differences from the previous one to be considered a new major version. We thus called it internally "PlugX v2". Some posts from Securelist and FireEye dealt with this new version, but none of them gave a full analysis.
In this post, we will detail the main differences and new features introduced by this version.
By Fabien Perigaud on 2014/01/06, 10:21 - Reverse engineering
PlugX (or Korplug, or Gulpix) is a well-known RAT involved in many APT cases. Some excellent write-ups about this malware have already been published by CIRCL, Sophos and AlienVault. Since we met it on an incident response case back in 2012, we have followed its evolution to improve our knowledge, rules and tools. We plan to release details about this malware in a short series of blog posts, covering some points which have not been published yet.
This first post covers some internals of the original PlugX malware; we'll deal with its evolution in the next one.