Category: PlugX

Category: PlugX

PlugX: some uncovered points

PlugX (or Korplug, or Gulpix) is a well-known RAT involved in many APT cases. Some excellent write-ups about this malware have already been published by the CIRCL, Sophos and AlienVault. Since we met it on an incident response case back in 2012, we followed its evolution to improve our knowledge, rules and tools. We’re planning

PlugX “v2”: meet “SController”

In our previous blog post about the PlugX RAT, we dealt with the original version, and recapped some internal features. Back in mid 2013, we started to see a new version of the RAT in the wild, with enough differences with the previous one to be considered as a new major version. We thus called

LeoUncia and OrcaRat

The PWC-named malware OrcaRat is presented as a new piece of malware but looking at the URI used for C&C communication, it could be an updated version of a well-known and kind of old piece of malware: LeoUncia. Status Let’s face it: px~NFEHrGXF9QA=2/5mGabiSKSCIqbiJwAKjf+Z81pOurL1xeCaw=1/xXiPyUqR/hBL9DW2nbQQEDwNXIYD3l5EkpfyrdVpVC8kp/4WeCaArZAnd+QEYVSY9QMw=2 URI taken from an OrcaRat sample.It looks a lot like: qFUtb6Sw/TytLfLsy/HnqI8QCX/ZRfFP9KL/_2yA9GIK/iufEXR2r/e6ZFBfoN/fcgL04f7/ZBzUuV5T/Balrp2Wm URI taken from

Latest changes in PlugX

It has been a while since we last wrote about PlugX RAT. JPCERT made a great blog post covering the latest features added to the RAT, such as: New protocol (raw IP protocol 0xff) P2P communications MAC address binding Process injection for UAC bypass New encoding algorithm This post aims at giving new elements we

Volatility plugin for PlugX updated

Just after releasing our previous blog post, we encountered a new PlugX variant using a bigger configuration than usual. We thus decided to study it and update our volatility plugin to handle the latest PlugX versions. The new version we encountered has a configuration size of 0x4ea4 bytes, while the previous one was only 0x36e4

Malware Sakula – Evolutions v2.x-3.x (Part 2)

This post is the second part of article on the Sakula malware. It follows the first one available here and covers versions 2.x and 3.x. It provides a lot of technical details to follow Sakula evolution. Some parts of the article can be a bit long to read, but the fact to put constants, pathes,

Getting a PlugX builder

PlugX has been a well-known RAT for the last 5 years, and we have written many blog posts about it. However, there has never been known released builders for this RAT, except the one from Ahnlab which allows the building of very old samples (2011), and another which was discussed in our previous post. Using

The OXID Resolver [Part 2] – Accessing a Remote Object inside DCOM

In the previous OXID Resolver Part 1 article [1], a way to remotely enumerate the network interfaces on a recent Windows OS machine has been described. This method does not require the knowledge of user credentials and relies on the ServerAlive2() RPC method. The latter is held by the IOXIDResolver interface. This article is dedicated

Back to top