PlugX is a relatively new backdoor implant, implicated in security problems experienced by a number of different organisations. It provides backdoor or remote access functionality, allowing an attacker to obtain information about infected systems and to egress data from the target. This white paper outlines analysis conducted by Context of PlugX in action within a client network. Below you will find details of the intelligence gathered during this process, including a description of how PlugX hides itself on disk using custom encryption. We also release source code for the command line tool that accompanies this paper, designed to recognise if a given file is in fact a PlugX payload file, and extract the executable and data contents ready for further analysis.
As a specialist provider of incident response services and one of the companies selected by GCHQ and CPNI to be part of the Cyber Incident Response scheme, Context has excellent visibility of the malware being used on a daily basis to compromise companies and government organisations. We are particularly knowledgeable about how malware is used to faciliate targeted, state sponsored cyber attacks. Recently, a client network which we have been monitoring through our managed service for several years and which is targeted regularly by cyber criminals became infected with multiple instances of PlugX. Thanks to the client's appetite for risk and our ability to detect malware, we were able to conduct a live analysis of the attackers' activities and their use of PlugX.
The information and the accompanying source code will be useful to those of you who are dealing with a PlugX infection, or require a command line tool to decrypt and decompress payload files automatically. Please download a copy of the source code for this tool from the link below.