Jump to content

Search the Community

Showing results for tags 'plugx'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 1 result

  1. Existing in some form since 2008, the popular remote access tool PlugX has as notorious a history as any malware, but according to researchers the tool saw a spike of popularity in 2014 and is the go-to malware for many adversary groups. Many attacks, especially those occurring during the latter half of the year, were seen using the tool. In fact, researchers are theorizing the further proliferation of PlugX, which enables attackers to log keystrokes, modify and copy files, capture screenshots, as well as the ability to quit processes, log users off, and completely reboot users’ machines, could suggest eventual worldwide adoption. The malware was the most used variant when it came to targeted activity in 2014 according to Crowdstrike’s Global Threat Report, released today. Despite kicking around for years, the malware is now the de facto tool for dozens of China-based adversarial groups the firm tracks. One of the ways the malware improved itself in 2014, and in turn caught on, was by switching up the way it communicates with its infrastructure further up the chain. By implementing a newer DNS command and control module, the malware has been able to send its data in the form of long DNS queries to its overseeing infrastructure. By modifying the way the DNS and HTTP requests are produced, something Crowdstrike is calling a deviation from “some of the more typically monitored protocols,” it’s made it more difficult to be detected over the past year or so. “The upward trend in use of PlugX indicates an increasing confidence in the capabilities of the platform, justifying its continued use across multiple sectors and countries,” according to the report. One of the groups that Crowdstrike caught dropping PlugX on machines was a hacking collective it calls Hurricane Panda, who used the malware’s custom DNS feature to spoof four DNS servers, including popular domains such as Pinterest.com, Adobe.com, and Github.com. Instead of their legitimate IP addresses, the malware was able to instead point these domains to a PlugX C+C node. The malware, as has been the case in the past, is commonly delivered via a spear phishing attack. Some of attacks go on to leverage a zero day from last March, CVE-2014-1761, which exploits vulnerable Microsoft RTF or Word documents. Others, meanwhile, make use of well-worn holes like CVE-2012-0158 in PowerPoint and Excel, that were also used by the IceFog, Red October, and Cloud Atlas attacks. While some of the groups using PlugX have gone out of their way to register new domains for leveraging the malware’s C+C, many domains from the last several years remain active, something else that Crowdstrike has attributed to the malware’s success and persistence over the years. The firm has two schools of thought when it comes to rationalizing how the malware has become so commonplace. It’s thought that there’s either a central malware dissemination channel that’s pushing PlugX out to adversary groups or that groups that hadn’t used PlugX in the past have recently been able to get copies of it via public repositories or the cybercrime underground. Either way, while the malware is mostly used by attackers from “countries surrounding China’s sphere of influence,” the report suggests that that trend could change soon enough. The malware has been used in recurring attacks against commercial entities in the U.S., and in other politically fueled attacks, but its rapid deployment “could be a precursor to future worldwide use,” according Crowdstrike. “The ongoing development of PlugX provides attackers with a flexible capability that requires continued vigilance on the part of network defenders in order to detect it reliably.” Source
×
×
  • Create New...