PlugX Chronicles

This blog-post is to compile list of articles and information bits about the PlugX - malware used as a RAT by several APT groups.

PlugX Tracker - http://ptrack.h3x.eu
PlugX Unsorted Corpus (not categorized samples) http://ptrack.h3x.eu/corpus/297
PlugX Corpus of Setup files (usually RAR SFX) http://ptrack.h3x.eu/corpus/290
PlugX Corpus of EXE (usually signed goodware) http://ptrack.h3x.eu/corpus/291
PlugX Corpus of DLL (malicious stub to load the encrypted payload) http://ptrack.h3x.eu/corpus/292
PlugX Corpus of ENC (encrypted payload) http://ptrack.h3x.eu/corpus/293
PlugX Corpus of DOC (phish documents with embedded PlugX) http://ptrack.h3x.eu/corpus/295

Materials on the topic:

• 2015-11-24 - PaloAltoNetworks - Attack Campaign on the Government of Thailand Delivers Bookworm Trojan
• 2015-11-06 - Volatility Labs - PlugX: Memory Forensics Lifecycle with Volatility - announcement
• 2015-10-29 - Michael Ligh / Volatility Labs - PlugX: The Memory Forensics Lifecycle - presentation
• 2015-10-16 - Citizenlab - Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites
• 2015-10-15 - Charles Rami / Proofpoint - Le cheval de Troie PlugX à l’assaut de l’armée et des télécommunications en Russie
• 2015-10-08 - Sarah Silvestriadis / Wapack Labs - PlugX malware is highly customizable for hackers to pick up – bad news for confidential data
• 2015-09-15 - In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia
• 2015-09-13 - Christian - Using threat_note To Track Campaigns: Returning to PIVY and PlugX Infrastructure
• 2015-09-08 - Fabien Perigaud - Volatility plugin for PlugX updated
• 2015-09-04 - Threat Research Team Goes “Beyond the Exploit” in Search of Payloads from MS15-093
• 2015-08-20 - ASERT Threat Intelligence Report 2015-05 PlugX Threat Activity in Myanmar
• 2015-08-19 - Symantec - New Internet Explorer zero-day exploited in Hong Kong attack
• 2015-08-19 - Sara Peters - IE Bug Exploited In Wild After Microsoft Releases Out-Of-Band Patch
• 2015-08-19 - Andra Zaharia - Security Alert: Millions Exposed to Cyber Attacks Because of Internet Explorer Vulnerability
• 2015-08-08 - Christian: Poison Ivy and Links to an Extended PlugX Campaign
• 2015-08-06 - Fabien Perigaud/Airbus - Latest changes in PlugX
• 2015-08-05 - Dell - Threat Group-3390 Targets Organizations for Cyberespionage
• 2015-08-03 - Jason Jones / Arbor - Automating Intelligence: Discovering Recent PlugX Campaigns Programmatically
• 2015-07-30 - Sudeep Singh, Kenneth Hsu / FireEye - CVE-2015-0097 Exploited in the Wild
• 2015-07-28 - FBI Flash - Alert Number A-000063-MW - Plugx
• 2015-06-?? - Paul Shomo - The OPM Hack: I Smell a RAT
• 2015-06-18 - Ellen Nakashima / The Washington Post - Chinese had access to U.S. security clearance data (OPM) for one year
• 2015-04-24 - Roddell Santos / TrendMicro - New Wave of PlugX Targets Legitimate Apps
• 2015-02-15 - Gabor Szappanos / Sophos - plugx-goes-to-the-registry-and-india.pdf
• 2015-02-15 - John Zorabedian / Sophos - research uncovers new developments in PlugX APT malware
• 2015-01-29 - Shusei Tomonaga / JPCERT - Analysis of a Recent PlugX Variant - “P2P PlugX”
• 2014-11-12 - Robert Lipovsky / Korplug military targeted attacks: Afghanistan & Tajikistan
• 2014-10-30 - Gabor Szappanos / Sophos - sophos-rotten-tomato-campaign.pdf
• 2014-10-30 - John Zorabedian / Sophos - The Rotten Tomato Campaign: New SophosLabs research on APTs
• 2014-09-01 - Brandon Dixon - Plugx Development Testing
• 2014-09-01 - @9bplus - Watching Attackers Through Virustotal
• 2014-08-14 - Ned Moran, Joshua Homan, Mike Scott / FireEye - Operation Poisoned Hurricane
• 2014-07-24 - Geok Meng Ong, Chong Rong Hwa / FireEye - Pacific Ring of Fire: PlugX / Kaba
• 2014-07-02 - John Zorabedian / Sophos - The next generation of the PlugX APT – new SophosLabs research
• 2014-06-30 - Gabor Szappanos / Sophos - plugx-thenextgeneration.pdf
• 2014-06-30 - Gabor Szappanos / Sophos - PlugX - the next generation
• 2014-03-31 - Takahiro Haruyama - I Know You Want Me - Unplugging PlugX
• 2014-03-27 - Takahiro Haruyama/CCI - ID/IDAPython scripts extracting PlugX configs
• 2014-03-12 - Takahiro Haruyama - PlugX Builder/Controller (Type III, 0x840)
• 2014-01-29 - Fabien Perigaud / Airbus - PlugX "v2": meet "SController"
• 2014-01-06 - Fabien Perigaud / Airbus - PlugX: some uncovered points
• 2013-12-17 - Roman Vasilenko, Kyle Creyts / Lastline - An Analysis of PlugX Malware
• 2013-12-05 - John Zorabedian / Sophos - SophosLabs researchers dissect PlugX Trojan targeting users in Japan
• 2013-11-12 - Nart Villeneuve, Mike Scott / FireEye - Exploit Proliferation: Additional Threat Groups Acquire CVE-2013-3906
• 2013-05-14 - FireEye - Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick
• 2013-03-26 - Kevin O’Reilly /Contextis - PlugX_-_Payload_Extraction_March_2013_1.pdf
• 2012-11-27 - Dmitry Tarakanov / Kaspersky Securelist - PlugX is Becoming Mature
• 2012-09-17 - Abraham Camba / TrendMicro - Unplugging PlugX Capabilities
• 2012-09-13 - AlienVault - Tracking Down the Author of the PlugX RAT
• 2012-09-10 - Roland Dela Paz / TrendMicro - PlugX: New Tool For a Not So New Campaign