PlugX

PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. [1] [2] [3] [4]

ID: S0013
Associated Software: DestroyRAT, Sogu, Kaba, Korplug

Type: MALWARE
Platforms: Windows

Version: 2.0

Associated Software Descriptions

Name        Description
DestroyRAT  [5]
Sogu        [1][2][5]
Kaba        [2]
Korplug     [1][5]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | PlugX allows actors to spawn a reverse shell on a victim. [4][5]
Enterprise | T1043 | Commonly Used Port | PlugX has beaconed to its C2 over port 443. [5][6]
Enterprise | T1094 | Custom Command and Control Protocol | PlugX can be configured to use raw TCP or UDP for command and control. [4]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | PlugX decompresses and decrypts itself using the Windows API function RtlDecompressBuffer. [5]
Enterprise | T1073 | DLL Side-Loading | PlugX has used DLL side-loading to evade anti-virus. [2][4][6][7][8]
Enterprise | T1106 | Execution through API | PlugX can use the Windows API function CreateProcess to execute another process. [1]
Enterprise | T1083 | File and Directory Discovery | PlugX has a module to enumerate drives and find files recursively. [5]
Enterprise | T1056 | Input Capture | PlugX has a module for capturing keystrokes per process, including window titles. [5]
Enterprise | T1036 | Masquerading | In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility." [9]
Enterprise | T1031 | Modify Existing Service | PlugX has a module to change service configurations as well as start, control, and delete services. [5]
Enterprise | T1112 | Modify Registry | PlugX has a module to create, delete, or modify Registry keys. [5]
Enterprise | T1026 | Multiband Communication | PlugX can be configured to use multiple network protocols to avoid network-based detection. [4]
Enterprise | T1135 | Network Share Discovery | PlugX has a module to enumerate network shares. [5]
Enterprise | T1050 | New Service | PlugX can be added as a service to establish persistence. [1][6][9][10]
Enterprise | T1057 | Process Discovery | PlugX has a module to list the processes running on a machine. [5]
Enterprise | T1012 | Query Registry | PlugX can enumerate and query for information contained within the Windows Registry. [1][5]
Enterprise | T1060 | Registry Run Keys / Startup Folder | PlugX adds Run key entries in the Registry to establish persistence. [1][5][6]
Enterprise | T1105 | Remote File Copy | PlugX has a module to download and execute files on the compromised machine. [5]
Enterprise | T1113 | Screen Capture | PlugX allows the operator to capture screenshots. [5]
Enterprise | T1071 | Standard Application Layer Protocol | PlugX can be configured to use HTTP or DNS for command and control. [4]
Enterprise | T1095 | Standard Non-Application Layer Protocol | PlugX can be configured to use raw TCP or UDP for command and control. [4]
Enterprise | T1049 | System Network Connections Discovery | PlugX has a module for enumerating TCP and UDP network connections and their associated processes using the netstat command. [5]
Enterprise | T1127 | Trusted Developer Utilities | A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application whitelisting. [8]
Enterprise | T1497 | Virtualization/Sandbox Evasion | PlugX checks whether VMware Tools is running by searching for a process named "vmtoolsd". [11]
Enterprise | T1102 | Web Service | PlugX uses Pastebin to store C2 addresses. [8]
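The rows above describe what PlugX does, not how to find it. The script below is an added example (not MITRE's, PlugX's or any vendor's code) that turns four of the rows into hunting heuristics over endpoint telemetry: T1073 (unsigned DLL loaded from the same user-writable directory as its EXE), T1050 and T1060 (service ImagePath or Run value pointing outside vendor directories) and T1127 (msbuild.exe started by something other than a build tool). The sample records are constructed to resemble Sysmon events 1, 7 and 13; TRUSTED_DIRS, MSBUILD_PARENTS and every path, service name and value name in the sample are assumptions for the demonstration, not indicators taken from the page.

```python
"""Hunting heuristics for four behaviours from the PlugX technique table:
T1073 DLL side-loading, T1050 New Service, T1060 Run keys, T1127 msbuild.exe.

Added example, not MITRE's, PlugX's or any vendor's code. Records are
constructed to resemble Sysmon events (EventID 1 Process Create, 7 Image
Loaded, 13 Registry Value Set). The allowlists and every path below are
assumptions for the demo, not indicators from the page.
"""
import ntpath
import re

# Assumed allowlist: an unsigned DLL beside its EXE, or a service/Run entry
# pointing here, is treated as installed software rather than a finding.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed allowlist of parents that legitimately launch msbuild.exe.
MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

SERVICE_IMAGE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.I)
RUN_VALUE = re.compile(r"\\currentversion\\run\\([^\\]+)$", re.I)


def in_trusted_dir(path):
    """True when path (quotes stripped, case-folded) lies under TRUSTED_DIRS."""
    return path.strip('"').lower().startswith(TRUSTED_DIRS)


def first_path(details):
    """Executable path from a registry value such as '"C:\\x\\y.exe" -k' or 'C:\\x\\y.exe'."""
    m = re.match(r'"([^"]+)"|(\S+)', details)
    return (m.group(1) or m.group(2)) if m else details


def check_sideload(ev):
    """T1073: unsigned DLL loaded from the same untrusted directory as its EXE."""
    if ev["EventID"] != 7 or ev["Signed"] != "false":
        return None
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    if exe_dir == dll_dir and not in_trusted_dir(ev["Image"]):
        return f"T1073 side-load: {ev['Image']} loaded unsigned {ev['ImageLoaded']}"
    return None


def check_persistence(ev):
    """T1050 / T1060: service ImagePath or Run value pointing outside TRUSTED_DIRS."""
    if ev["EventID"] != 13:
        return None
    exe = first_path(ev["Details"])
    if in_trusted_dir(exe):
        return None
    svc = SERVICE_IMAGE.search(ev["TargetObject"])
    if svc:
        return f"T1050 new service {svc.group(1)} -> {exe}"
    run = RUN_VALUE.search(ev["TargetObject"])
    if run:
        return f"T1060 Run key {run.group(1)} -> {exe}"
    return None


def check_msbuild(ev):
    """T1127: msbuild.exe started by something other than a build tool."""
    if ev["EventID"] != 1 or ntpath.basename(ev["Image"]).lower() != "msbuild.exe":
        return None
    parent = ntpath.basename(ev["ParentImage"]).lower()
    if parent not in MSBUILD_PARENTS:
        return f"T1127 msbuild.exe under {parent}: {ev['CommandLine']}"
    return None


CHECKS = (check_sideload, check_persistence, check_msbuild)


def hunt(events):
    """Run every check over every event; return findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed telemetry: two benign records, then one record per heuristic.
# The service/value name echoes the display name in the T1036 row; the paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 7, "Image": r"C:\ProgramData\CorelWriting\cwutil.exe",
     "ImageLoaded": r"C:\ProgramData\CorelWriting\cwutil.dll", "Signed": "false"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\CorelWritingTools\ImagePath",
     "Details": r'"C:\ProgramData\CorelWriting\cwutil.exe"'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CorelWritingTools",
     "Details": r"C:\ProgramData\CorelWriting\cwutil.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\build.xml",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Two caveats when moving this off sample data: Sysmon's `Signed` field in event 7 describes only the loaded DLL, so the side-loading check cannot tell whether the EXE next to it is a legitimately signed host binary without joining against a second data source, and the directory allowlist will need to be extended for any software that legitimately installs under ProgramData or a user profile.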

Groups

Groups that use this software:

APT3
DragonOK
menuPass
TA459
Threat Group-3390

References