What is PlugX Remote Access Trojan?
Understanding remote access trojans (RATs)
As malicious actors across the threat landscape continue to pursue more efficient and effective ways of compromising target networks, all while remaining undetected by security measures, it is unsurprising to see an increase in the use of remote access trojans (RATs) in recent years. RATs typically operate stealthily, evading security tools while offering threat actors remote control over infected devices, allowing attackers to execute a wide range of malicious activities like data theft or installing additional malware.
Definition and general functionality of RATs: A Remote Access Trojan (RAT) is a type of malware that enables unauthorized remote control of an infected computer. Once installed, RATs allow attackers to monitor user activities, steal sensitive information, manipulate files, and execute commands. RATs are typically distributed via phishing emails, malicious attachments, drive-by downloads, or exploiting software vulnerabilities. Due to their ability to provide comprehensive control over a compromised system, RATs pose a significant security threat to individuals and organizations.
Historical overview of PlugX
PlugX is one such example of a RAT that has attributed to Chinese threat actors such as Mustang Panda, since it first appeared in the wild back in 2008. It is known for its use in espionage, a modular and plug-in style approach to malware development. It has the ability to evolve with the latest tactics, techniques, and procedures (TTPs) that allow it to avoid the detection of traditional security tools as it implants itself target devices.
How Does PlugX Work?
The ultimate goal of any RAT is to remotely control affected devices with a wide range of capabilities, which in PlugX’s case has typically included rebooting systems, keylogging, managing critical system processes, and file upload/downloads. One technique PlugX heavily relies on is dynamic-link library (DLL) sideloading to infiltrate devices. This technique involves executing a malicious payload that is embedded within a benign executable found in a data link library (DLL) [1]. The embedded payload within the DLL is often encrypted or obfuscated to prevent detection.
What’s more, a new variant of PlugX was observed in the wild across Papua New Guinea, Ghana, Mongolia, Zimbabwe, and Nigeria in August 2022, that added several new capabilities to its toolbox.
Key capabilities of PlugX
The new variation is reported to continuously monitor affected environments for new USB devices to infect, allowing it to spread further through compromised networks [2]. It is then able to hide malicious files within a USB device by using a novel technique that prevents them from being viewed on Windows operating systems (OS). These hidden files can only be viewed on a Unix-like (.nix) OS, or by analyzing an affected USB devices with a forensic tool [2]. The new PlugX variant also has the ability to create a hidden directory, “RECYCLER.BIN”, containing a collection of stolen documents, likely in preparation for exfiltration via its command and control (C2) channels. [3]
Since December 2022, PlugX has been observed targeting networks in Europe through malware delivery via HTML smuggling campaigns, a technique that has been dubbed SmugX [4].
This evasive tactic allows threat actors to prepare and deploy malware via phishing campaigns by exploiting legitimate HTML5 and JavaScript features [5].
Darktrace Coverage of PlugX
Between January and March 2023, Darktrace observed activity relating to the PlugX RAT on multiple customers across the fleet. While PlugX’s TTPs may have bypassed traditional security tools, the anomaly-based detection capabilities of Darktraceallowed it to identify and alert the subtle deviations in the behavior of affected devices, while Darktrace was able to take immediate mitigative action against such anomalous activity and stop attackers in their tracks.
C2 Communication
Between January and March 2023, Darktrace detected multiple suspicious connections related to the PlugX RAT within customer environments. When a device has been infected, it will typically communicate through C2 infrastructure established for the PlugX RAT. In most cases observed by Darktrace, affected devices exhibited suspicious C2 connections to rare endpoints that were assessed with moderate to high confidence to be linked to PlugX.
On the network of one Darktrace customer the observed communication was a mix of successful and unsuccessful connections at a high volume to rare endpoints on ports such as 110, 443, 5938, and 80. These ports are commonly associated with POP3, HTTPS, TeamViewer RDP / DynGate, and HTTP, respectively. Figure 1 below showcases this pattern of activity.
On another customer’s network, Darktrace observed C2 communication involving multiple failed connection attempts to another rare external endpoint associated with PlugX. The device in this case was detected attempting connections to the endpoint, 45.142.166[.]112 on ports 110, 80, and 443 which caused the DETECT model ‘Anomalous Connection / Multiple Failed Connections to Rare Endpoint’ to breach. This model examines devices attempting connections to a rare external endpoint over a short period of time, and it breached in response to almost all PlugX C2 related activity detected by Darktrace. This highlights Darktrace DETECT’s unique ability to identify anomalous activity which appears benign or uncertain, rather than relying on traditional signature-based detections.
New User Agent
Darktrace's Self-Learning AI approach to threat detection also allowed it to recognize connections to PlugX associated endpoints that utilized a new user agent. In almost all connections to PlugX endpoints detected by Darktrace, the same user agent, Mozilla/5.0 (Windows NT 10.0;Win64;x64)AppleWebKit/537.36, was observed, illustrating a clear pattern in PlugX-related activity
In one example from February 2023, an affected device successfully connected to an endpoint associated with PlugX, 45.142.166[.]112, while using the aforementioned new user agent, as depicted in Figure 3.
On March 21, 2023, Darktrace observed similar activity on a separate customer’s network affected by connections to PlugX. This activity included connections to the same endpoint, 45.142.166[.]112. The connection was an HTTP POST request made via proxy with the same new user agent, ‘Mozilla/5.0 (Windows NT 10.0;Win64;x64)AppleWebKit/537.36’. When investigated further this user agent actually reveals very little about itself and appears to be missing a couple of common features that are typically contained in a user agent string, such as a web browser and its version or the mention of Safari before its build ID (‘537.36’).
Additionally, for this connection the URI observed consisted of a random string of 8 hexadecimal characters, namely ‘d819f07a’. This is a technique often used by malware to communicate with its C2 servers, while evading the detection of signature-based detection tools. Darktrace, however, recognized that this external connection to an endpoint with no hostname constituted anomalous behavior, and could have been indicative of a threat actor communicating with malicious infrastructure, thus the ‘Anomalous Connection / Possible Callback URI’ model was breached.
Numeric File Download
Darktrace’s detection of PlugX activity on another customer’s network, in February 2023, helped to demonstrate related patterns of activity within the C2 communication and tooling attack phases. Observed PlugX activity on this network followed the subsequent pattern; a connection to a PlugX endpoints is made, followed by a HTTP POST request to a numeric URI with a random string of 8 hexadecimal characters, as previously highlighted. Darktrace identified that this activity represented unusual ‘New Activity’ for this device, and thus treated it with suspicion.
The device in question continued to connect to the endpoint and make HTTP POST connections to various URIs relating to PlugX. Additionally, the user agent `Mozilla/5.0 (Windows NT 10.0;Win64;x64)AppleWebKit/537.36` was again detected for these connections. Figure 6 details the activity captured by Darktrace’s Cyber AI Analyst.
Darktrace detected that during these connections, the device in question attempted to download a suspicious file named only with numbers. The use of numeric file names is a technique often used by threat actors to obfuscate the download of malicious files or programs and bypass traditional security tools. Darktrace understood that the download of a numeric file, coupled with the use of an anomalous new user agent, mean the incident should be treated with suspicion. Fortunately, Darktrace RESPOND was enabled in autonomous response mode during this attack, meaning it was able to automatically block the device from downloading the file, or any other files, from the suspicious external location for a two-hour period, potentially preventing the download of PlugX’s malicious tooling.
Conclusion
Amid the continued evolution of PlugX from an espionage tool to a more widely available malware, it is essential that threat detection does not rely on a set of characteristics or indicators, but rather is focused on anomalies. Throughout these cases, Darktrace demonstrated the efficacy of its detection and alerting on emerging activity pertaining to a particularly stealthy and versatile RAT. Over the years, PlugX has continually looked to evolve and survive in the ever-changing threat landscape by adapting new capabilities and TTPs through which it can infect a system and spread to new devices without being noticed by security teams and their tools.
However, Darktrace’s Self-Learning AI allows it to gain a strong understanding of customer networks, learning what constitutes expected network behavior which in turn allows it to recognize the subtle deviations indicative of an ongoing compromise.
Darktrace’s ability to identify emerging threats through anomaly-based detection, rather than relying on established threat intelligence, uniquely positions it to detect and respond to highly adaptable and dynamic threats, like the PlugX malware, regardless of how it may evolve in the future.
Credit to: Nahisha Nobregas, SOC Analyst & Dylan Hinz, Cyber Analyst
Appendices
MITRE ATT&CK Framework
Execution
- T1059.003 Command and Scripting Interpreter: Windows Command Shell
Persistence and Privilege Escalation
- T1547.001 Boot or Logon AutoStart Execution: Registry Run Keys / Startup Folder
- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
- T1574.002 Hijack Execution Flow: DLL Side-Loading
- T1543.003 Create or Modify System Process: Windows Service
- T1140 Deobfuscate / Decode Files or Information
- T1083 File and Directory Discovery
Defense Evasion
- T1564.001 Hide Artifacts: Hidden Files and Directories
- T1036.004 Masquerading: Task or Service
- T1036.005 Masquerading: Match Legitimate Name or Location
- T1027.006 Obfuscated Files or Information: HTML Smuggling
Credential Access
- T1056.001 Input Capture: Keylogging
Collection
- T1105 Ingress Tool Transfer
Command and Control
- T1573.001 Encrypted Channel: Symmetric Cryptography
- T1070.003 Mail Protocols
- T1071.001 Web Protocol
DETECT Model Breaches
- Anomalous Connection / Multiple Failed Connections to Rare Endpoint
- Anomalous Connection / New User Agent to IP Without Hostname
- Anomalous File / New User Agent Followed By Numeric File Download
- Anomalous Connection / Possible Callback URL
Indicators of Compromise (IoCs)
IoC - Type - Description + Confidence
45.142.166[.]112 - IP - PlugX C2 Endpoint / moderate - high
103.56.53[.]46 - IP - PlugX C2 Endpoint / moderate - high
Mozilla/5.0 (Windows NT 10.0;Win64;x64)AppleWebKit/537.36 - User Agent - PlugX User Agent / moderate – high
/8891431c - URI - PlugX URI / moderate-high
/ba12b866 - URI - PlugX URI / moderate -high
References
1. https://www.crowdstrike.com/blog/dll-side-loading-how-to-combat-threat-actor-evasion-techniques/
2. https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/
3. https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/
4. https://thehackernews.com/2023/07/chinese-hackers-use-html-smuggling-to.html
5. https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/
Like this and want more?
![Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/669973708ae3bd007b761051_Screenshot%202024-07-18%20at%2012.55.55%20PM.png)
![PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/669973c9c7e48724389cdff4_Screenshot%202024-07-18%20at%2012.57.50%20PM.png)
