Fresh PlugX October 2019


On 15 November 2019, I received a VirusTotal notification for a copy of PlugX that had been uploaded ( Yara - PlugXBootLDRCode from https://github.com/citizenlab/malware-signatures/blob/master/malware-families/plugx.yara ).


MD5          : ce67994a4ee7cf90645e93aec084230d
SHA1         : b42c84f851b8b7d2d2ddfbc9ac94e001204faf45
SHA256       : 6b46e36245b5b9ed13c0fbfae730b49c04aba43b98deb75e388e03695ff5cbd1
Type         : Win32 DLL

First seen   : 2019-11-15 08:04:32 UTC
Last seen    : 2019-11-15 08:04:32 UTC&nbsp

First name   : plugx.dll 

 What stood out from the notification (outside of the file being named plugx.dll) was a compilation time of Fri Oct 4 08:34:45 2019 UTC (a little more then a month before the writing of this post).

Initial Validation

This specific rule matches on operations for assembling a set of API calls - shown below

$ yara -s All.yara sample
PlugXBootLDRCode [PlugX,Family] 6b46e36245b5b9ed13c0fbfae730b49c04aba43b98deb75e388e03695ff5cbd1
0x7708:$GetProcAdd: 80 38 47 75 36 80 78 01 65 75 30 80 78 02 74 75 2A 80 78 03 50
0x7786:$L4_LoadLibraryA: C7 85 5C FF FF FF 4C 6F 61 64 C7 85 60 FF FF FF 4C 69 62
0x7859:$L4_ExitThread: C7 85 FC FE FF FF 45 78 69 74 C7 85 00 FF FF FF 54 68 72 65


Screenshot of match condition in IDA
As a general note, the -s flag in Yara is used for outputting the matched strings and is extremely useful for debugging rules and evaluating why a file matched.

From a quick comparison of the strings, a quick Google search found previous reporting confirming this file was PlugX (ref: http://takahiroharuyama.github.io/blog/2014/03/27/id-slash-idapython-scripts-extracting-plugx-configs/)

DEMO...
THIS IS A DEMO VERSION!!!
\\.\PIPE\RUN_AS_USER(%d)
%WINDIR%\SYSTEM32\SERVICES.EXE
Software\Microsoft\Windows\CurrentVersion\Run
System\CurrentControlSet\Services
debug.hlp
C:\Windows\System32\rundll32.exe "%s" BypassUAC %s
PI[%8.8X]
%s\%d.plg
mytilus3.hlp

%04d-%02d-%02d %02d:%02d:%02d

Overlaps with versions

A outstanding point of reference evaluating PlugX is the Sophos report (https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf).  On Page 7, Gabor Szappanos has a table covering the supported commands.  In this copy, sub_10008DE acts as a command handler for evaluating operator commands and can be used to evaluate this copy against that from 2014:



In the above screenshot, many of the commands from the 2014 version are present; some additional commands are present, however, handled withing sub-functions of sub_10008DE.

What did appear unique was a set of commands for monitor clipboard activity:


An initial Google search did not show any hits for these being previously documented commands in PlugX - suggesting it may be a new feature - however, further analysis is needed to validate this.






Comments

Post a Comment

Popular posts from this blog

Lazarus obfuscation in Feb 2019

Image
Lazarus obfuscation in Feb 2019 Starting off, I’d like to give a shot-out to Brian Bartholomew (Twitter: @Mao_Ware) for his general awesomeness and for his post on 30 January from which this research starts. Using this as a base for the following Yara rule, I found a similar sample (SHA256: 625f63364312cec78a4c91abedba868d551d79185ff73e388f561017b13347f0 ) also packed with UPX. rule LazarusDocJan2019_01 { meta: author = “Silas Cutler” description = “Detection for Lazarus Payload from Jan 2019” ref = “ https://twitter.com/DrunkBinary/status/1090625122883510274 " version = “0.1” strings: $ = “\”Main Invoked.\”” $ = “\”Main Returned.\”” $ = “%sd.%se%sc %s > %s 2>&1” condition: all of them } As with the sample Bart identified, the control server is not obfuscated in the binary: Control server in WinM ain function Sandboxing of the sample, confirms the malware beacons to this URL: GET /intro/info/info.
Read more

Finding the same bugs in all the familiar places

Image
A while back, I had a patch of cases where I was regularly looking at samples leveraging DLL Side loading (also called “Search Order Hijacking”) as part of their setup phase.  This vulnerability exists because of how Windows handles resolving libraries for applications and can be exploited to cause an application to inadvertently load (at the same privilege level) a malicious library.  When a library is loaded by an application (either delayed or at execution), Windows will check the following locations  in order for a copy of the library: (https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order) The above shows the locations checked when SafeDllSearchMode is disabled.  When enabled, the current directory is checked fifth, instead of second.   This process can be exploited when a malicious library is added to one of these locations - before the actual library natively resides.  For example, if MyApp.exe is attempting to load TestLib.dll
Read more