The new version we encountered has a configuration size of 0x4ea4 bytes, while the previous one was only 0x36e4 bytes long.
This expansion of the configuration size means that new features have been added to the RAT, effectively improving the blacklist mechanism that appeared in the previous version.

While this blacklist was first limited to a specific MAC address, the RAT can now terminate itself if one of the following conditions is met:

  • a specific process is running
  • a specific file exists on the file system
  • a specific key exists in the registry

For each of these conditions, the configuration can hold up to 8 values.

Unfortunately, all the samples we found so far had this part of the configuration empty. However, the Volatility plugin has been updated to support this new size, as well as the previous one. The plugin has also been tested on Windows 7 x64, as requested by many users:

$ vol.py --profile Win7SP1x64 -f /tmp/JOHN-PC-20150831-150808.raw plugxconfig 
Volatility Foundation Volatility Framework 2.4
--------------------------------------------------------------------------------
Process: svchost.exe (3716)

PlugX Config (0x4ea4 bytes):
	Flags: True True True True True True False False False False
	Timer 1: 10 secs
	Timer 2: 0 secs
	Custom DNS 1: 8.8.8.8
	C&C Address: web.REDACTED.us:80 (UDP)
	C&C Address: web.REDACTED.us:443 (UDP)
	URL 1: https://plus.google.com/u/0/REDACTED/about
	Persistence Type: Service + Run Key
	Install Dir: %ProgramFiles%\Common Files\svacs\
	Service Name: svacs
	Service Disp: System Video Auto Compress Service
	Service Desc: System Video Auto Compress Service
	Registry hive: HKEY_CURRENT_USER
	Registry key: Software\Microsoft\Windows\CurrentVersion\Run
	Registry value: svacs
	Net injection: True
	Net injection process: %windir%\system32\svchost.exe
	Elevation injection: True
	Elevation injection process: %windir%\system32\msiexec.exe
	Online Pass: lao1
	Memo: DaH
	Mutex: Global\vMrQftvtXBnRYt
	Screenshots: False
	Screenshots params: 10 sec / Zoom 50 / 16 bits / Quality 50 / Keep 3 days
	Screenshots path: %AUTO%\whacs\screen
--------------------------------------------------------------------------------
Process: msiexec.exe (976)

PlugX Config (0x4ea4 bytes):
	Flags: True True True True True True False False False False
	Timer 1: 10 secs
	Timer 2: 0 secs
	Custom DNS 1: 8.8.8.8
	C&C Address: web.REDACTED.us:80 (UDP)
	C&C Address: web.REDACTED.us:443 (UDP)
	URL 1: https://plus.google.com/u/0/REDACTED/about
	Persistence Type: Service + Run Key
	Install Dir: %ProgramFiles%\Common Files\svacs\
	Service Name: svacs
	Service Disp: System Video Auto Compress Service
	Service Desc: System Video Auto Compress Service
	Registry hive: HKEY_CURRENT_USER
	Registry key: Software\Microsoft\Windows\CurrentVersion\Run
	Registry value: svacs
	Net injection: True
	Net injection process: %windir%\system32\svchost.exe
	Elevation injection: True
	Elevation injection process: %windir%\system32\msiexec.exe
	Online Pass: lao1
	Memo: DaH
	Mutex: Global\vMrQftvtXBnRYt
	Screenshots: False
	Screenshots params: 10 sec / Zoom 50 / 16 bits / Quality 50 / Keep 3 days
	Screenshots path: %AUTO%\whacs\screen

This update has been pushed to our Bitbucket repository. As always, feel free to give us your feedback and/or report any bug you find.