
SophosLabs research uncovers new developments in PlugX APT malware

February 25, 2015

SOURCE: Sophos Labs

The notorious PlugX APT group is continuing to evolve and launch campaigns, most recently a five-month-long campaign targeting organizations in India.

PlugX now uses a new technique for hiding its backdoor: the payload is stored in the Windows registry instead of being written to disk as a file, so a small loader reads it back out of the registry and runs it in memory, leaving no payload file for disk-based scanning to find. The details are in a new technical paper from SophosLabs Principal Researcher Gabor Szappanos.

Although not unique to PlugX, this registry-resident approach is still uncommon and limited to a few relatively sophisticated malware families.
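A registry-resident payload still has to live somewhere, and that somewhere is a registry value far larger than any ordinary configuration setting. The following script is an added example for hunting that footprint on a Windows host; it is not code from the Sophos paper and not tied to any specific key PlugX used. It walks the registry roots it is given, reports every value above a size threshold, and ranks the hits by byte entropy so that encrypted or compressed blobs float to the top. The roots and the 16 KB threshold are illustrative assumptions to tune for the environment.

```powershell
<#
  Added example, not code from the Sophos paper or from PlugX: hunt a Windows
  host for the footprint a registry-resident payload leaves behind, i.e. a
  registry value holding an unusually large blob, ranked by byte entropy.
  The roots and the size threshold are illustrative assumptions; tune them.
#>
[CmdletBinding()]
param(
    [string[]]$Roots    = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),
    [int]     $MinBytes = 16KB     # ordinary configuration values are rarely this large
)

function Get-ShannonEntropy {
    # Bits per byte, 0..8. Encrypted or compressed data sits close to 8;
    # base64 text tops out near 6 and hex text near 4, so treat the figure
    # as a ranking aid rather than a hard filter.
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -eq 0) { continue }
        $p = $c / $Bytes.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

function Get-ValueBytes {
    # Reduce the value kinds a loader could stash a payload in to one byte
    # array. Strings are taken one byte per character so that base64- or
    # hex-encoded payloads keep their natural entropy.
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Name)
    $kind = $Key.GetValueKind($Name)
    $data = $Key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
    if ($null -eq $data) { return $null }
    if ($kind -eq 'Binary' -or $kind -eq 'None') { return [byte[]]$data }
    if ($kind -eq 'String' -or $kind -eq 'ExpandString') {
        return [Text.Encoding]::ASCII.GetBytes([string]$data)
    }
    if ($kind -eq 'MultiString') {
        return [Text.Encoding]::ASCII.GetBytes(([string[]]$data) -join "`n")
    }
    return $null    # DWORD/QWORD cannot carry a payload of this size
}

function Find-RegistryBlobs {
    param([string[]]$Roots, [int]$MinBytes)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # The root key itself plus every subkey beneath it; access-denied
        # subkeys are skipped rather than aborting the sweep.
        $keys = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $bytes = Get-ValueBytes -Key $key -Name $name
                if ($null -eq $bytes -or $bytes.Length -lt $MinBytes) { continue }
                [pscustomobject]@{
                    Key     = $key.Name
                    Value   = $(if ($name -eq '') { '(Default)' } else { $name })
                    Kind    = $key.GetValueKind($name).ToString()
                    Bytes   = $bytes.Length
                    Entropy = [Math]::Round((Get-ShannonEntropy -Bytes $bytes), 2)
                }
            }
        }
    }
}

Find-RegistryBlobs -Roots $Roots -MinBytes $MinBytes |
    Sort-Object -Property Entropy, Bytes -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt. HKCU: only covers the account running the script; to sweep every loaded profile, map HKEY_USERS with `New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS` and pass `HKU:\` in `-Roots`. Expect benign hits, since some installers and drivers do keep large binary values, so compare the output against a known-clean build of the same image. A blob on its own is inert; for each suspicious hit, look for the autostart entry (Run key, service, scheduled task) that launches the loader which reads it, because that pairing is what turns a large value into a finding.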

This reinforces a point made by Szappanos in a previous paper: although APT groups are often unsophisticated in terms of exploit development, they have other skills that make them effective at what they do.

In Gabor’s words:

This new shellcode also indicates some heavy development in the PlugX factory. Both this kind of multi-stage shellcode and the external cryptor indicate that although the group is not top class in exploit development, in conventional malware development they show serious skills, which makes them dangerous.

To learn more technical details about this latest APT campaign, and to see malware samples and the exploit documents used in the campaign, download the paper here: PlugX Goes to the Registry (and India).

Learn more about PlugX

Gabor has been following the developments of PlugX for the past two years.

In his previous research, he’s documented how “common” malware authors, such as those behind the Zbot/Zeus financial malware, had begun borrowing techniques from APT groups.

Zbot is a widespread malware family that is designed primarily to steal banking data, including usernames, passwords and the one-time access codes used in two-factor authentication. Zbot also frequently deploys ransomware like CryptoLocker and CryptoWall to make money for its masters.

Gabor later showed that the borrowing of ideas was swinging back the other way, as APT groups in the “Rotten Tomato” campaign showed signs of borrowing code from the Zbot malware authors.

The merging of APTs and common malware has led Gabor to ask – “Are APTs the new normal?”

How to defend against APTs

Gabor’s research shows that patching vulnerabilities as updates become available, and using other technologies such as intrusion prevention systems (IPS) to block known attack vectors, should be highly effective in protecting against the majority of targeted and opportunistic attacks, because these groups tend to reuse known, already-patched exploits rather than develop new ones.

If you want to find out more about how APTs work and what you can do to protect yourself against them, download our free whitepaper (registration required), or check out a presentation of our recent webcast on pragmatic approaches to APT protection.

About SophosLabs

SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts. Keep up to date with our latest industry-leading research, technical papers, and security advice at Naked Security and the Sophos Blog.
