The new version we encountered has a configuration size of 0x4ea4 bytes, while the previous one was only 0x36e4 bytes long.
This larger configuration carries new features: the blacklist mechanism that appeared in the previous version has been extended.
While that blacklist was limited to a single MAC address, the RAT can now terminate itself as soon as one of the following conditions is met:
- a specific process is running
- a specific file exists on the file system
- a specific key exists in the registry
For each of these conditions, the configuration can hold up to 8 values.
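The following is an added example, not code from the original post or from its Volatility plugin. It models the self-termination logic described above: three conditions (running process, existing file, existing registry key) with up to 8 slots each, where a single match is enough to make the RAT exit. The slot layout it uses (8 fixed-width, NUL-padded UTF-16LE slots of 64 characters per condition, process slots first, then file slots, then registry key slots) is an assumption made for illustration only; the post does not give the real PlugX layout. The host state (running processes, files, registry keys) is passed in as plain lists so the check runs offline, and the sample blacklist is constructed here.

```python
"""Added example: blacklist check modelled on the behaviour described in the post.
The on-disk slot layout below is an ASSUMPTION for illustration, not the real
PlugX configuration format.
"""

SLOTS_PER_CONDITION = 8                     # from the post: up to 8 values each
SLOT_CHARS = 64                             # assumption: fixed-width slot
SLOT_BYTES = SLOT_CHARS * 2                 # UTF-16LE, 2 bytes per character
CONDITIONS = ("process", "file", "regkey")  # assumed order inside the blob

# Configuration sizes named in the post, used to tell the two versions apart.
KNOWN_CONFIG_SIZES = {0x36E4: "old", 0x4EA4: "new"}


def config_version(size):
    """Map a configuration size to the version the plugin knows, or None."""
    return KNOWN_CONFIG_SIZES.get(size)


def encode_slot(value):
    """Encode one blacklist entry as a NUL-padded UTF-16LE slot."""
    if len(value) >= SLOT_CHARS:
        raise ValueError("value too long for a slot: %r" % value)
    return value.encode("utf-16-le").ljust(SLOT_BYTES, b"\x00")


def build_blacklist_blob(processes=(), files=(), regkeys=()):
    """Build the (assumed) blacklist region of a configuration.

    Each condition gets exactly SLOTS_PER_CONDITION slots; unused slots are
    left empty, which is how a sample with an empty blacklist looks.
    """
    blob = b""
    for name, values in zip(CONDITIONS, (processes, files, regkeys)):
        if len(values) > SLOTS_PER_CONDITION:
            raise ValueError("%s: at most %d values" % (name, SLOTS_PER_CONDITION))
        padded = list(values) + [""] * (SLOTS_PER_CONDITION - len(values))
        blob += b"".join(encode_slot(v) for v in padded)
    return blob


def parse_blacklist_blob(blob):
    """Parse the blacklist region back into {condition: [non-empty values]}."""
    expected = len(CONDITIONS) * SLOTS_PER_CONDITION * SLOT_BYTES
    if len(blob) != expected:
        raise ValueError("blacklist region must be %d bytes" % expected)
    result = {}
    offset = 0
    for name in CONDITIONS:
        values = []
        for _ in range(SLOTS_PER_CONDITION):
            raw = blob[offset:offset + SLOT_BYTES]
            offset += SLOT_BYTES
            text = raw.decode("utf-16-le").split("\x00", 1)[0]
            if text:                      # empty slot: nothing configured
                values.append(text)
        result[name] = values
    return result


def should_terminate(blacklist, running_processes, existing_files, existing_regkeys):
    """True if any configured entry matches the host state.

    Comparison is case-insensitive, as Windows process, file and registry
    names are.
    """
    def hit(wanted, present):
        present_lc = {p.lower() for p in present}
        return any(w.lower() in present_lc for w in wanted)

    return (hit(blacklist["process"], running_processes)
            or hit(blacklist["file"], existing_files)
            or hit(blacklist["regkey"], existing_regkeys))


if __name__ == "__main__":
    # Constructed sample: a blacklist aimed at a hypothetical analysis box.
    blob = build_blacklist_blob(
        processes=["procmon.exe", "wireshark.exe"],
        files=[r"C:\analysis\marker.txt"],
        regkeys=[r"HKLM\SOFTWARE\AnalysisTool"],
    )
    blacklist = parse_blacklist_blob(blob)
    print("version for 0x4ea4:", config_version(0x4EA4))
    print("parsed:", blacklist)
    print("analysis box:", should_terminate(
        blacklist, ["Explorer.EXE", "ProcMon.exe"], [], []))
    print("victim box:", should_terminate(
        blacklist, ["explorer.exe", "svchost.exe"], [r"C:\Users\x\a.txt"], []))
    # All samples seen so far had this part empty: the check never fires.
    empty = parse_blacklist_blob(build_blacklist_blob())
    print("empty blacklist:", should_terminate(
        empty, ["procmon.exe"], [r"C:\analysis\marker.txt"], []))
```

The empty-blacklist case at the end mirrors the samples mentioned in the post: with no values configured, none of the three conditions can ever match, so the RAT keeps running regardless of the host.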
Unfortunately, all the samples we found so far had this part of the configuration empty. The Volatility plugin has nevertheless been updated to support the new configuration size as well as the previous one. The plugin has also been tested on Windows 7 x64, as requested by many users:
$ vol.py --profile Win7SP1x64 -f /tmp/JOHN-PC-20150831-150808.raw plugxconfig
Volatility Foundation Volatility Framework 2.4
--------------------------------------------------------------------------------
Process: svchost.exe (3716)

PlugX Config (0x4ea4 bytes):
  Flags: True True True True True True False False False False
  Timer 1: 10 secs
  Timer 2: 0 secs
  Custom DNS 1: 8.8.8.8
  C&C Address: web.REDACTED.us:80 (UDP)
  C&C Address: web.REDACTED.us:443 (UDP)
  URL 1: https://plus.google.com/u/0/REDACTED/about
  Persistence Type: Service + Run Key
  Install Dir: %ProgramFiles%\Common Files\svacs\
  Service Name: svacs
  Service Disp: System Video Auto Compress Service
  Service Desc: System Video Auto Compress Service
  Registry hive: HKEY_CURRENT_USER
  Registry key: Software\Microsoft\Windows\CurrentVersion\Run
  Registry value: svacs
  Net injection: True
  Net injection process: %windir%\system32\svchost.exe
  Elevation injection: True
  Elevation injection process: %windir%\system32\msiexec.exe
  Online Pass: lao1
  Memo: DaH
  Mutex: Global\vMrQftvtXBnRYt
  Screenshots: False
  Screenshots params: 10 sec / Zoom 50 / 16 bits / Quality 50 / Keep 3 days
  Screenshots path: %AUTO%\whacs\screen
--------------------------------------------------------------------------------
Process: msiexec.exe (976)

PlugX Config (0x4ea4 bytes):
  Flags: True True True True True True False False False False
  Timer 1: 10 secs
  Timer 2: 0 secs
  Custom DNS 1: 8.8.8.8
  C&C Address: web.REDACTED.us:80 (UDP)
  C&C Address: web.REDACTED.us:443 (UDP)
  URL 1: https://plus.google.com/u/0/REDACTED/about
  Persistence Type: Service + Run Key
  Install Dir: %ProgramFiles%\Common Files\svacs\
  Service Name: svacs
  Service Disp: System Video Auto Compress Service
  Service Desc: System Video Auto Compress Service
  Registry hive: HKEY_CURRENT_USER
  Registry key: Software\Microsoft\Windows\CurrentVersion\Run
  Registry value: svacs
  Net injection: True
  Net injection process: %windir%\system32\svchost.exe
  Elevation injection: True
  Elevation injection process: %windir%\system32\msiexec.exe
  Online Pass: lao1
  Memo: DaH
  Mutex: Global\vMrQftvtXBnRYt
  Screenshots: False
  Screenshots params: 10 sec / Zoom 50 / 16 bits / Quality 50 / Keep 3 days
  Screenshots path: %AUTO%\whacs\screen
Note that the two processes in which the configuration was found, svchost.exe and msiexec.exe, are exactly the configured net-injection and elevation-injection targets. This update has been pushed to our Bitbucket repository. As always, feel free to give us your feedback and/or report any bug you find.