PlugX is a malware family associated with cyber espionage and targeted attacks, with a long history of evasion and modular capabilities. The Splunk Threat Research Team provides a deep dive into a PlugX variant, covering its DLL side-loading, multi-layer payload decryption, and operational behaviors from payload extraction to C2 communications. #PlugX #msbtc
Keypoints
- The analyzed PlugX variant relies on DLL side-loading to execute its code discreetly: running the legitimate msbtc.exe loads a malicious VERSION.dll placed alongside it.
- The encrypted payload goes through a multi-layer decryption/decompression chain: RC4 decryption performed by VERSION.dll, followed by XOR operations and RtlDecompressBuffer, producing a "headless" payload (a PE image whose headers have been stripped, so a plain MZ check will not find it).
- The CFG data (msbtc.cfg in the IOC list) is decrypted with the same RC4 key used for the DLL, so the malware's configuration can be extracted alongside the payload.
- A Python tool, plugx_extractor.py, automates extraction of the PlugX payload and its configuration for analysis.
- Process masquerading: the headless payload is injected into the legitimate msdtc.exe (Microsoft Distributed Transaction Coordinator), and the injected code checks the process command line for the parameters -a and -b.
- System and network discovery: the malware collects the username, computer name, and operating system information and queries ipinfo.io to learn the host's external IP and network context.
- A firewall rule is added to allow inbound traffic on a chosen TCP port (7777 in the analyzed sample), enabling C2 communication and data exfiltration.
- Persistence is achieved by installing a Windows service that runs the legitimate msbtc.exe, so each service start repeats the side-load, payload decryption, and injection automatically.
- Other actions include dropping components to %programdata%\MSB, impersonating the logged-on user via explorer.exe, and keylogging, with captured keystrokes written to a local "kl" file for later exfiltration.
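The following is an added reference implementation of the three-stage unwrapping described above (RC4, then XOR, then RtlDecompressBuffer with the LZNT1 format), so the steps that plugx_extractor.py automates can be followed by hand. It is not the Splunk team's tool or code from the page: the RC4 key, the single-byte XOR constant, and the sample buffer are constructed here for illustration, and the real variant's key and XOR scheme are not given on the page.

```python
import struct

# Hypothetical values: the real variant's RC4 key and XOR constant are not on the page.
RC4_KEY = b"example-rc4-key"
XOR_KEY = 0x5A


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR layer; the page only says 'XOR operations', so this scheme is assumed."""
    return bytes(b ^ key for b in data)


def lznt1_decompress(data: bytes) -> bytes:
    """Pure-Python equivalent of RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1, ...)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if hdr == 0:                      # end-of-stream marker
            break
        size = (hdr & 0xFFF) + 1          # low 12 bits: chunk size minus one
        chunk = data[pos:pos + size]
        pos += size
        if not hdr & 0x8000:              # bit 15 clear: chunk is stored uncompressed
            out += chunk
            continue
        base = len(out)                   # back-references are relative to this chunk
        i = 0
        while i < len(chunk):
            flags = chunk[i]
            i += 1
            for bit in range(8):          # one flag bit per token, LSB first
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    out.append(chunk[i])  # literal byte
                    i += 1
                    continue
                token = struct.unpack_from("<H", chunk, i)[0]
                i += 2
                # The offset/length bit split widens as the position inside the chunk grows.
                p = len(out) - base - 1
                l_mask, o_shift = 0xFFF, 12
                while p >= 0x10:
                    l_mask >>= 1
                    o_shift -= 1
                    p >>= 1
                length = (token & l_mask) + 3
                offset = (token >> o_shift) + 1
                for _ in range(length):   # byte-wise copy handles overlapping matches
                    out.append(out[-offset])
    return bytes(out)


# Constructed LZNT1 stream: one compressed chunk, one stored chunk, then the end marker.
COMPRESSED = bytes([
    0x07, 0xB0,                          # chunk 1 header: compressed, 8 data bytes
    0x20,                                # flags: tokens 0-4 literal, token 5 a back-reference
    0x50, 0x6C, 0x75, 0x67, 0x58,        # "PlugX"
    0x07, 0x40,                          # offset 5, length 10 -> copies "PlugXPlugX"
    0x03, 0x30,                          # chunk 2 header: stored, 4 data bytes
    0x20, 0x63, 0x66, 0x67,              # " cfg"
    0x00, 0x00,                          # end of stream
])


def wrap(compressed: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    """Packer side, used only to build the sample: XOR, then RC4 (RC4 is its own inverse)."""
    return rc4(rc4_key, xor_bytes(compressed, xor_key))


def unwrap(blob: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    """The chain in the order the post describes: RC4 -> XOR -> RtlDecompressBuffer."""
    return lznt1_decompress(xor_bytes(rc4(rc4_key, blob), xor_key))


def is_headless(payload: bytes) -> bool:
    """A headless payload has its MZ/PE headers stripped, so carving on 'MZ' will miss it."""
    return payload[:2] != b"MZ"


def build_sample() -> bytes:
    return wrap(COMPRESSED, RC4_KEY, XOR_KEY)


if __name__ == "__main__":
    payload = unwrap(build_sample(), RC4_KEY, XOR_KEY)
    print(payload, "headless:", is_headless(payload))
```

On a real sample the RC4 key has to be recovered from VERSION.dll first; the decompressor is the part worth keeping, since the same LZNT1 logic is needed for any payload that went through RtlDecompressBuffer.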
MITRE Techniques
- [T1574.001] DLL Side-Loading – “leverages the side-loading technique to discreetly execute its nefarious code.”
- [T1055] Process Injection – “inject it into legitimate ‘msdtc.exe,’ which stands for Microsoft Distributed Transaction Coordinator.”
- [T1036] Masquerading – “Process Masquerading” by disguising activity through legitimate processes.
- [T1082] System Information Discovery – “retrieves the compromised host’s username, computer name, and operating system information.”
- [T1016] System Network Configuration Discovery – “initiates queries to the ipinfo.io website” to obtain external network context.
- [T1562.004] Impair Defenses: Modify Firewall – “adding a firewall rule … to permit incoming network traffic for a specific TCP port” (port 7777).
- [T1543.003] Create or Modify System Process: Windows Service – “installation of a service … overlay onto the legitimate msbtc.exe executable.”
- [T1070] Indicator Removal on Host – “eliminate or clean-up any traces of its previous installations and related artifacts.”
- [T1056.001] Keylogging – “Keylogger and Process Monitoring” with data stored and exfiltrated.
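The technique list above suggests a few host-level detections that can be checked against process-creation telemetry: an inbound firewall allow rule being added (T1562.004), msdtc.exe started from an unexpected parent or with the -a/-b parameters the post mentions (T1036/T1055), and execution out of the %programdata%\MSB staging directory. The code below is an added example, not Splunk's own detection content; it assumes Sysmon-style ParentImage/Image/CommandLine fields, assumes the rule is added through netsh advfirewall (the page does not name the mechanism), and runs over constructed sample events.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 view: parent image, image, command line."""
    parent_image: str
    image: str
    cmdline: str


# Constructed sample events (not real telemetry). Indices are referenced in the test.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\ProgramData\MSB\msbtc.exe", r"C:\Windows\System32\netsh.exe",
              'netsh advfirewall firewall add rule name="msbtc" dir=in action=allow '
              'protocol=TCP localport=7777'),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msdtc.exe",
              "msdtc.exe"),                                   # benign service start
    ProcEvent(r"C:\ProgramData\MSB\msbtc.exe", r"C:\Windows\System32\msdtc.exe",
              "msdtc.exe -a"),                                # masquerading target with -a
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe",
              "netsh interface show interface"),              # benign netsh use
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\ProgramData\MSB\msbtc.exe",
              r"C:\ProgramData\MSB\msbtc.exe"),               # side-load host from staging dir
]

# netsh advfirewall syntax: "firewall add rule ... dir=in action=allow" opens an inbound port.
FIREWALL_ALLOW_IN = re.compile(
    r"advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b.*\baction=allow\b", re.I)
LOCALPORT = re.compile(r"\blocalport=(\d+)", re.I)
STAGING_DIR = "\\programdata\\msb\\"   # %programdata%\MSB, as named on the page


def classify(ev: ProcEvent) -> list:
    """Return (technique, reason) pairs for the heuristics that match one event."""
    hits = []
    image = ev.image.lower()
    parent = ev.parent_image.lower()

    if image.endswith("\\netsh.exe") and FIREWALL_ALLOW_IN.search(ev.cmdline):
        m = LOCALPORT.search(ev.cmdline)
        hits.append(("T1562.004", "inbound allow rule for port %s" % (m.group(1) if m else "?")))

    if image.endswith("\\msdtc.exe"):
        args = ev.cmdline.split()[1:]
        # MSDTC normally runs as a service under services.exe with no -a/-b switches.
        if not parent.endswith("\\services.exe") or any(a in ("-a", "-b") for a in args):
            hits.append(("T1036", "msdtc.exe from %s with args %s" % (ev.parent_image, args)))

    if STAGING_DIR in image or STAGING_DIR in parent:
        hits.append(("IOC-PATH", "execution involving %programdata%\\MSB"))
    return hits


def scan(events) -> dict:
    """Map event index -> list of technique tags for every event that triggered a hit."""
    results = {}
    for idx, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results[idx] = [tag for tag, _ in hits]
    return results


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].cmdline, tags)
```

The msdtc.exe rule is deliberately a heuristic: a parent other than services.exe is the stronger signal, while the -a/-b check only covers the parameters this variant is described as using.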
Indicators of Compromise
- [File] msbtc.cfg – 416 bytes; SHA256: 66f9cc42c27cf689911f6ba3e24ad9cbec6fa3066a50c448d4cbf5d8a66d2eb5
- [File] msbtc.dat – 697243 bytes (680 KiB); SHA256: f991c13a24df578a9f31741a263dc1405eac660d4e749465991bac68eccdc490
- [File] msbtc.exe – 310384 bytes (303 KiB); SHA256: fca2fad3466fefebd6df133d48485374ca647dedcc2ef9ba52e7d0ccdbf91000
- [File] VERSION.dll – 230912 bytes (225 KiB); SHA256: 64c5c9732a97f9b088e63173cb8781cae33d29934fdbe3652393394c4188d15c