The PlugX family of malware is well known to researchers, with samples dating back to 2008, according to Trend Micro researchers. PlugX is a Trojan remote access tool with features such as file upload, download and modification, keystroke logging, webcam control, and access to a remote cmd.exe shell. It is commonly used by different threat groups in targeted attacks. PlugX is also known as KORPLUG, SOGU and DestroyRAT, and is a modular backdoor designed to rely on executing signed, legitimate executables to load its malicious code.

This allows attackers to perform various malicious operations on a system without the user’s permission or authorization, such as copying and modifying files, logging keystrokes, stealing passwords, and capturing screenshots of user activity. “PlugX, like other remote access tools, is used for discreet theft and to collect sensitive or profitable information for malicious purposes.”

The different versions of PlugX maintained consistent methodologies for encryption, configuration, and persistence, despite the evolution of the tool’s development over the years. In 2014, there was a resurgence of this malware family, making it the most used family of that year.

Until the end of 2016, the methodology of a typical PlugX infection was the same: the malware payload was usually delivered via a phishing campaign, either as an attached self-extracting RAR file, a link to a file, or a file embedded in the message. Although several variants have appeared over the years, the “original” PlugX variant is still in use today. Despite the evolution of its methodologies and techniques, the classic variant continues to be successful and, as a result, is still used in adversary campaigns, which shows how dangerous it remains: years have passed, and this version is still in use.
