THREAT ANALYSIS REPORT: PlugX RAT Loader Evolution

PlugX is a long-running, modular RAT used by Asia-based threat actors like APT27, featuring a loader that combines a legitimate executable, a malicious module, and a malicious payload. The report traces six loader samples from 2012–2022, detailing DLL side-loading, OS date checks, and in-memory deployment techniques. #PlugX #APT27 #ProxyLogon #JapanTourismAgency

Key Points

  • The Rule of Three: PlugX loader consistently comprises three components—a legitimate executable, a malicious module, and a malicious payload—and this structure persists across campaigns.
  • Delivery often uses phishing emails and can also exploit vulnerabilities (e.g., ProxyLogon); in both cases the loader arrives in an archived form (.zip/.rar/.SFX).
  • DLL Side-Loading is a core evasion technique, where a legitimate executable loads a malicious DLL to execute the PlugX payload.
  • OS datetime checks and versioning controls are used to restrict execution to targeted release windows (e.g., 2012-01-01, 2018 for px_2019).
  • Control flow manipulation patches the target executable’s entry point (e.g., JMP or PUSH/RET) to redirect execution into malware code.
  • Loader uses PEB_LDR_DATA (InInitializationOrderModuleList) to locate modules and resolve functions (GetProcAddress, LoadLibraryA) dynamically, enabling in-memory payload deployment.
  • Payload deployment involves RC4 decryption, LZ decompression (RtlDecompressBuffer), and in-memory loading of the PlugX PE, with StackString and code obfuscation as anti-analysis techniques.
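The payload-deployment step above (RC4 decryption followed by LZ decompression via RtlDecompressBuffer, then in-memory loading) can be replayed statically by an analyst to recover the PlugX PE from the encrypted payload file without running the loader. The following is an added example written for this summary, not code from the report or from the malware: it assumes the LZ variant is LZNT1 (the format RtlDecompressBuffer is most commonly called with), that the RC4 key has already been recovered from the loader, and it operates on a constructed sample blob rather than a real artifact.

```python
import struct

def rc4(key: bytes, data: bytes) -> bytes:          # symmetric: encrypts and decrypts
    S, j = list(range(256)), 0
    for i in range(256):                             # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def _lznt1_chunk(chunk: bytes) -> bytearray:        # one compressed chunk: flag byte + 8 tokens
    out, pos = bytearray(), 0
    while pos < len(chunk):
        flags, pos = chunk[pos], pos + 1
        for bit in range(8):
            if pos >= len(chunk): break
            if not flags >> bit & 1:                 # flag bit clear: literal byte
                out.append(chunk[pos]); pos += 1
                continue
            token = struct.unpack_from("<H", chunk, pos)[0]; pos += 2
            p, l_mask, o_shift = len(out) - 1, 0xFFF, 12   # offset/length split slides
            while p >= 0x10:                         # with the bytes already emitted
                l_mask >>= 1; o_shift -= 1; p >>= 1
            length, offset = (token & l_mask) + 3, (token >> o_shift) + 1
            for _ in range(length):                  # byte-wise copy handles overlap
                out.append(out[-offset])
    return out

def lznt1_decompress(buf: bytes) -> bytes:          # RtlDecompressBuffer, LZNT1 format
    out, pos = bytearray(), 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]; pos += 2
        if header == 0: break                        # zero header terminates the stream
        size = (header & 0xFFF) + 1
        chunk, pos = buf[pos:pos + size], pos + size
        out += _lznt1_chunk(chunk) if header & 0x8000 else chunk   # bit 15: compressed
    return bytes(out)

def unpack_payload(blob: bytes, key: bytes) -> bytes:   # loader's RC4 -> decompress, done on disk
    return lznt1_decompress(rc4(key, blob))

# Constructed sample, not a real PlugX artifact: one LZNT1 chunk with literals A B C D,
# a back-reference (offset 4, length 4), then literals E F G.
SAMPLE_KEY = b"analyst-recovered-key"                # placeholder: the report gives no key
SAMPLE_LZNT1 = bytes.fromhex("09b0 10 41424344 0130 454647")
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_LZNT1)          # stands in for the encrypted payload file
```

On a real sample, `unpack_payload` should return a buffer beginning with the `MZ` header; anything else means the key or the compression format assumption is wrong.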

MITRE Techniques

  • [T1574.001] DLL Side-Loading – The primary loading method: a legitimate, signed executable (for example Acrobat Reader or a legacy Microsoft binary) is abused to load the malicious DLL placed beside it. “The malware utilizes DLL Side-Loading as a main method to load a malicious DLL from a legitimate executable, like Acrobat Reader or a legacy Microsoft binary, for instance.”
  • [T1566.001] Phishing – PlugX loader is commonly delivered via phishing emails. “PlugX loader is commonly delivered via phishing emails…”
  • [T1027] Obfuscated/Compressed Files and Information – Payload obfuscation and RC4-encrypted strings are used prior to decompression and execution. “RC4-encrypted strings” and “Code Obfuscation” are used to complicate analysis.
  • [T1055] Process Injection – The loader patches the legitimate executable’s entry point so that control flow is redirected into code inside NvSmartMax.dll, running the malicious module through the modified entry of the otherwise legitimate process. “patching the EntryPoint to jump into a function at offset 0x1020 in NvSmartMax.dll.”
  • [T1190] Exploit Public-Facing Application – The loader can be delivered by exploiting public-facing vulnerabilities such as ProxyLogon. “delivered … by exploiting a vulnerability such as ProxyLogon”

Indicators of Compromise

  • [SHA-256 Hash] PlugX-related executables and payloads – 523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256, EAAA7899B37A3B04DCD02AD6D51E83E035BE535F129773621EF0F399A2A98EE3, and 10 more hashes
  • [File Name] Loader components – Nv.exe, NvSmartMax.dll, Nv.mp3 (and 9 more related files)

Read more: https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution