Aliases: PlugX, Sogu, Kaba, Korplug
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | PlugX allows actors to spawn a reverse shell on a victim. |
| Enterprise | T1043 | Commonly Used Port | PlugX has beaconed to its C2 over port 443. |
| Enterprise | T1094 | Custom Command and Control Protocol | PlugX can be configured to use raw TCP or UDP for command and control. |
| Enterprise | T1073 | DLL Side-Loading | PlugX has used DLL side-loading to evade anti-virus and to maintain persistence on a victim. |
| Enterprise | T1106 | Execution through API | PlugX can use the Windows API function CreateProcess to execute another process. |
| Enterprise | T1036 | Masquerading | In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility." |
| Enterprise | T1026 | Multiband Communication | PlugX can be configured to use multiple network protocols to avoid network-based detection. |
| Enterprise | T1050 | New Service | PlugX can be added as a service to establish persistence. |
| Enterprise | T1012 | Query Registry | PlugX can query for information contained within the Windows Registry. |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | PlugX can add a Run key entry in the Registry to establish persistence. |
| Enterprise | T1071 | Standard Application Layer Protocol | PlugX can be configured to use HTTP or DNS for command and control. |
| Enterprise | T1095 | Standard Non-Application Layer Protocol | PlugX can be configured to use raw TCP or UDP for command and control. |
| Enterprise | T1127 | Trusted Developer Utilities | A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application whitelisting techniques. |
| Enterprise | T1102 | Web Service | PlugX uses Pastebin to store its real C2 addresses. |
Groups that use this software: APT3
- Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
- Scott, M. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
- Miller-Osborn, J., Grunzweig, J. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014.
- Lancaster, T. and Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.