Saturday, December 14, 2024
Homecyber securityExploitation Methods Used by PlugX Malware Revealed by Splunk Research

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

Published on

SIEM as a Service

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid detection by antivirus programs, making it challenging for security measures to identify and mitigate its presence:-

  • Polymorphic coding
  • Rootkit functionalities
  • Encryption

That’s why PlugX malware stands out as a challenging and evasive malware in the ever-evolving landscape of cybersecurity threats.

With its advanced capabilities, it has a history marked by:-

- Advertisement - SIEM as a Service
  • Cyber espionage
  • Targeted attacks
  • An ongoing battle with security experts

Cybersecurity researchers at Splunk recently unmasked all the sophisticated evasion techniques used by the PlugX malware.

Technical analysis

The PlugX variant, like predecessors, sideloads ‘version.dll’ via ‘msbtc.exe’ to execute malicious code. Meanwhile, the ‘msbtc.dat’ decryption begins with ‘Version.DLL’ using the RC4 algorithm in the ‘VerQueryValueW’ function. 

After that, the successful decryption activates the critical headers for final payload decompression.

Decryption and Decompression of PlugX Payload (Source – Splunk)

Malware advances to a second decryption layer with XOR and basic math in the researchers’ extraction tool. Transformations create the compressed layer, unpacked with the ‘RtlDecompressBuffer()’ API.

The ‘msbtc.cfg’ decryption differs from ‘msbtc.dat.’ It uses the same key and RC4 algorithm as ‘Version.DLL’ for efficiency. A Python tool, plugx_extractor.py, automates extraction, simplifying analysis and empowering security professionals.

The PlugX decrypts ‘msbtc.dat,’ injects into ‘msdtc.exe,’ a Windows service managing distributed transactions, and does the following things:-

  • Communicates with C2 server.
  • Retrieves host info.
  • Queries ipinfo.io for network details.
  • Adds “Microsoft Edge” firewall rule for covert communication on a specified port like 7777.
  • Manipulates host settings for stealthy operation.
  • Installs a service on ‘msbtc.exe’ for persistence and elevated privileges.

To perform the following two essential functions, this service is configured:-

  • Automated Decryption
  • Dynamic Payload Loading
Create msbtc.exe services (Source – Splunk)

PlugX’s initial phase erases past traces for seamless reinstallation, dropping essential components in “%programdata%\MSB.” 

It gains privilege escalation by impersonating the user through “explorer.exe,” hiding activities. The malware features keylogging, discreetly storing data in “%ALLUSERPROFILE%\MSB\kl” for exfiltration to the C2 server.

IOCs

IOCs (Source – Splunk)
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...

FBI Seizes Rydox Marketplace, Arrests Key Administrators

The Federal Bureau of Investigation (FBI) announced the seizure of Rydox, an illicit online...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities...