Plugx RAT targeting government organizations in Japan using spear phishing
Roland Dela Paz (Threat Researcher) at Trend Micro reported that a malware campaign targeting specific users in Japan, China, and Taiwan is once again on the rise, this time using a new breed of Remote Access Tool (RAT) called Plugx (also known as Korplug). This custom-made version is built to attract less recognition and to be more elusive to security researchers.
He also mentioned that last year's campaign used the Poison Ivy RAT, and that Plugx has now taken its place. "Similar to previous Poison Ivy campaigns, it also arrives as an attachment to spear-phished emails either as an archived, bundled file or specially crafted document that exploits a vulnerability in Adobe Acrobat Reader or Microsoft Office. We've also encountered an instance of Plugx aimed at a South Korean Internet company and a U.S. engineering firm," Roland mentioned.
The attached PDF exploits CVE-2010-2883; its Plugx (RAT) payload connects to a command and control (C&C) server named {BLOCKED}eo.flower-show.org.
CVE-2010-2883: Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010.
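The "long field" in that CVE description is the SING table's uniqueName, a fixed 28-byte field that CoolType expects to be NUL-terminated. The following added example (not part of the original article or of Trend Micro's analysis) is a defender-side check that parses a TrueType table directory and flags a SING table whose uniqueName has no terminator within 28 bytes; it assumes the font has already been extracted from the PDF's font stream, and the two font samples inside are constructed for the demonstration.

```python
import struct

SING_UNIQUE_NAME_OFFSET = 16   # eight 2-byte fields precede uniqueName in the SING table
SING_UNIQUE_NAME_LEN = 28      # uniqueName is a fixed 28-byte field, NUL-terminated by spec

def parse_table_directory(font):
    """Return {tag: (offset, length)} from a TrueType/OpenType table directory."""
    if len(font) < 12:
        raise ValueError("too short for a TrueType offset table")
    num_tables = struct.unpack_from(">H", font, 4)[0]
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i                      # each table record is 16 bytes
        if rec + 16 > len(font):
            raise ValueError("table directory truncated")
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, rec)
        tables[tag.decode("latin-1")] = (offset, length)
    return tables

def check_sing_table(font):
    """Return None if there is no SING table or its uniqueName is terminated, else a finding."""
    tables = parse_table_directory(font)
    if "SING" not in tables:
        return None
    offset, length = tables["SING"]
    if offset + length > len(font):
        return "SING table extends past end of font"
    table = font[offset:offset + length]
    name_field = table[SING_UNIQUE_NAME_OFFSET:SING_UNIQUE_NAME_OFFSET + SING_UNIQUE_NAME_LEN]
    if len(name_field) < SING_UNIQUE_NAME_LEN:
        return "SING table too short to hold uniqueName"
    if b"\x00" not in name_field:
        return "SING uniqueName has no NUL terminator within 28 bytes (CVE-2010-2883 pattern)"
    return None

def build_font(sing_body):
    """Constructed minimal font: 12-byte offset table, one directory record, then the SING body."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    sing_offset = 12 + 16
    directory = struct.pack(">4sIII", b"SING", 0, sing_offset, len(sing_body))
    return header + directory + sing_body

# Constructed samples: a spec-conformant uniqueName versus one with no terminator.
BENIGN_SING = b"\x00" * 16 + b"MyGlyphlet".ljust(28, b"\x00") + b"\x00" * 16
SUSPICIOUS_SING = b"\x00" * 16 + b"A" * 28 + b"\x00" * 16

if __name__ == "__main__":
    print(check_sing_table(build_font(BENIGN_SING)))       # None
    print(check_sing_table(build_font(SUSPICIOUS_SING)))   # finding string
```

This is a structural heuristic, not a signature: it catches the malformed field the CVE depends on regardless of which payload the document carries.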
This C&C server appears to have been used by both Poison Ivy and PlugX variants. According to Roland, this RAT drops a file at %System Root%\Documents and Settings\All Users\SxS\bug.log which contains its own errors and is then possibly uploaded back to the attacker's server for auditing. This suggests that the variant is still in a beta stage. Trend Micro is monitoring PlugX's development, and we at THE HACKER NEWS will update you with new information when it is published.