
SophosLabs research uncovers new developments in PlugX APT malware

February 25, 2015

SOURCE: Sophos Labs

The notorious PlugX APT group is continuing to evolve and launch campaigns, most recently a five-month-long campaign targeting organizations in India.

PlugX now uses a new backdoor technique – hiding the payload in the Windows registry instead of writing it as a file on disk – according to a new technical paper from SophosLabs Principal Researcher Gabor Szappanos.

Although not unique to PlugX, this backdoor approach is still uncommon and limited to a few relatively sophisticated malware families.
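A defender-side illustration of the point above, added here and not taken from the Sophos paper: a small Python check that parses a registry export in `.reg` format and flags unusually large binary values, the kind of blob a registry-resident payload leaves behind. The sample export, its key and value names, the 1 KiB threshold and the `MZ` header heuristic are all constructed assumptions for the example, not details the page states about PlugX.

```python
import re

def _reg_hex(data, per_line=24):
    """Encode bytes in .reg 'hex:' syntax with backslash line continuations."""
    pairs = [f"{b:02x}" for b in data]
    chunks = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return ",\\\n  ".join(chunks)

# Constructed sample export (assumed key names): one small REG_BINARY value and
# one 2 KiB blob starting with 'MZ', standing in for a payload stored in the registry.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleApp]\n"
    '"Version"="1.2"\n'
    '"Icon"=hex:00,01,02,03\n\n'
    "[HKEY_CURRENT_USER\\Software\\ExampleApp\\Cache]\n"
    '"Data"=hex:' + _reg_hex(b"MZ" + bytes(2046)) + "\n"
)

# Matches '"name"=hex:...' and typed variants such as '"name"=hex(3):...'.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=hex(?:\([0-9a-fA-F]+\))?:(?P<hex>.*)$')

def iter_binary_values(reg_text):
    """Yield (key, value_name, raw_bytes) for every hex-typed value in a .reg export."""
    key, lines, i = None, reg_text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        hex_text = m.group("hex")
        while hex_text.rstrip().endswith("\\") and i < len(lines):  # continuation lines
            hex_text = hex_text.rstrip()[:-1] + lines[i].strip()
            i += 1
        raw = bytes(int(h.strip(), 16) for h in hex_text.split(",") if h.strip())
        yield key, m.group("name"), raw

def find_oversized_values(reg_text, threshold=1024):
    """Return (key, name, size, looks_like_pe) for binary values of at least `threshold` bytes."""
    hits = []
    for key, name, raw in iter_binary_values(reg_text):
        if len(raw) >= threshold:
            hits.append((key, name, len(raw), raw[:2] == b"MZ"))
    return hits

if __name__ == "__main__":
    for hit in find_oversized_values(SAMPLE_REG):
        print("suspicious binary value:", hit)
```

On a live host the same logic applies to an export produced with `reg export`; the size threshold should be tuned against a baseline of the machine's normal large values (icon caches, driver blobs) to keep false positives down.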

This reinforces a point made by Szapi in a previous paper: although APT groups are often unsophisticated in terms of their exploit mastery, they have other skills that make them effective at what they do.

In Gabor’s words:

This new shellcode also indicates some heavy development in the PlugX factory. Both this kind of multi-stage shellcode and the external cryptor indicate that although the group is not top class in exploit development, in conventional malware development they show serious skills, which makes them dangerous.

To learn more technical details about this latest APT campaign, and to see malware samples and the exploit documents used in the campaign, download the paper here: PlugX Goes to the Registry (and India).

Learn more about PlugX

Gabor has been following the developments of PlugX for the past two years.

In his previous research, he’s documented how “common” malware authors, such as those behind the Zbot/Zeus financial malware, had begun borrowing techniques from APT groups.

Zbot is a widespread malware family that is designed primarily to steal banking data, including usernames, passwords and the one-time access codes used in two-factor authentication. Zbot also frequently deploys ransomware like CryptoLocker and CryptoWall to make money for its masters.

Gabor later showed that the borrowing of ideas was swinging back the other way, as APT groups in the “Rotten Tomato” campaign showed signs of borrowing code from the Zbot malware authors.

The merging of APTs and common malware has led Gabor to ask – “Are APTs the new normal?”

How to defend against APTs

Gabor’s research shows us that patching vulnerabilities as updates become available and using other technologies (e.g., intrusion prevention systems, or IPS) to block known attack vectors should be highly effective in protecting against the majority of targeted and opportunistic attacks.

If you want to find out more about how APTs work and what you can do to protect yourself against them, download our free whitepaper (registration required), or check out a presentation of our recent webcast on pragmatic approaches to APT protection.

About SophosLabs

SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts. Keep up to date with our latest industry-leading research, technical papers, and security advice at Naked Security and the Sophos Blog.

Sign up for our newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.
