Jump to content

Korplug military targeted attacks: Afghanistan & Tajikistan

Recommended Posts

  • Active Members

After taking a look at recent Korplug (PlugX) detections, we identified two larger scale campaigns employing this well-known Remote Access Trojan. This blog gives an overview of the first one, related to Afghanistan & Tajikistan. The other campaign, where the targets were a number of high-profile organizations in Russia, will be the subject of Anton Cherepanov’s presentation at the ZeroNights security conference in Moscow this week.

Sometimes malware used in various attacks is unique enough to identify related incidents, which makes tracking individual botnets simpler. An example is the BlackEnergy Lite variant (also known as BlackEnergy 3) used by a group of attackers (that was then given the name Quedagh, or Sandworm) against targets in Ukraine and other countries. BlackEnergy Lite is clearly distinguishable from the numerous binaries of the more common BlackEnergy 2 also circulating in-the-wild.

In other cases, attackers use more common tools for accomplishing their criminal goals. For example, the Korplug RAT (a.k.a .PlugX) is a well-known toolkit associated with Chinese APT groups and used in a large number of targeted attacks since 2012. For the past several weeks we have taken a closer look at a great number of detections of this malware in many unrelated incidents.

Among these, we were able to discover several successful infections where the employed Korplug samples were connecting to the same C&C domain.

DOMAIN: www.notebookhk.net
Updated Date: 2013-11-12 18:03:45
Create Date: 2013-06-18 11:08:17
Registrant Name: lee stan
Registrant Organization: lee stan
Registrant Street: xianggangdiqu
Registrant City: xianggangdiqu
Registrant State: xianggang
Registrant Postal Code: 796373
Registrant Country: HK
Registrant Phone : +0.04375094543
Registrant Fax: +0.04375094543
Registrant Email:stanlee@gmail.com

Other Korplug samples were connecting to a different domain name resolving to the same IPs as notebookhk.net:

DOMAIN: www.dicemention.com
Updated Date: 2013-11-12 18:05:33
Create Date: 2013-09-10 14:35:11
Registrant Name: z x
Registrant Organization: z x
Registrant Street: xianggangdiqu
Registrant City: xianggangdiqu
Registrant State: xianggang
Registrant Postal Code: 123456
Registrant Country: HK
Registrant Phone : +0.0126324313
Registrant Fax: +0.0126324313
Registrant Email: 123@123.com

DOMAIN: www.abudlrasul.com
Updated Date: 2014-10-16 14:16:27
Create Date: 2014-10-16 14:16:27
Registrant Name: gang xin
Registrant Organization: gang xin
Registrant Street: Argentina Argentina
Registrant City: Argentina
Registrant State: Argentina
Registrant Postal Code: 647902
Registrant Country: AR
Registrant Phone : +54.0899567089
Registrant Fax: +54.0899567089
Registrant Email: woffg89@yahoo.com

Taking these C&Cs as a starting point, we were able to locate a number of victims infected through various exploit-laden spear-phishing documents and cunningly-named archives.

A table with a selection of RTF documents and RAR self-extracting archives with a .SCR extension is shown below:

[table=width: 500, class: grid, align: center]


[td]File name[/td]


English translation[/td]




[td]Situation Report about Afghan.doc[/td]















[td]???? ???????????? ?????????? ? ???????? ?????? ???????????? ??????? ?? ???? 2014 ?.scr[/td]

[td]Activity plan for military units in the Volga region in July 2014[/td]




[td]??????????????????????????????? ??? ?? .scr[/td]

[td]Telephone directory of the Ministry of Foreign Affairs of the Kyrgyz Republic[/td]




[td]? ?????? ?????????? ????????? ??????????????.scr[/td]

[td]About the Center for social adaptation of servicemen[/td]




[td]???????? ??????? ??? ???.scr[/td]

[td]Meeting minutes of the General Staff of the PRC[/td]




[td]???????????? ?????? ????? ???????????.scr[/td]

[td]Corrected action plan template[/td]




[td]Situation Report about Afghan.scr[/td]





[td]??????-???????????? ?????????? ? ??? ??04.10.2014.scr[/td]

[td]Military and political situation in Islamic Republic of Afghanistan (IRA) on 04.10.2014[/td]




[td]Afghan Air Force.scr[/td]





[td]???? ???????????.scr[/td]

[td]Action plan[/td]




Some of the above-mentioned files also contained decoy documents:


In all of the cases, three binary files were dropped (apart from decoy documents) that led to the Korplug trojan being loading into memory.


  • exe – a legitimate executable with a Kaspersky digital signature that would load a DLL with a specific file name
  • dll – a small DLL loader that would pass execution to the Korplug raw binary code
  • dll.avp – raw Korplug binary

The Korplug RAT is known to use this side-loading trick by abusing legitimate digitally signed executables and is a way to stay under the radar, since a trusted application with a valid signature among startup items is less likely to raise suspicion.

The maliciously crafted documents are RTF files that successfully exploit the CVE-2012-0158 vulnerability in Microsoft Word. The image below shows the beginning of the CVE-2012-0158 shellcode in ASCII encoding within the document (the opcodes 60, 55, 8bec disassemble to pusha; push ebp; mov ebp, esp).


Interestingly, though, the documents also contain the newer CVE-2014-1761 exploit that was extensively used in targeted attacks carried out by a number other malware families this year (including BlackEnergy, Sednit, MiniDuke, and others). However, this exploit is not implemented correctly due to a wrong file offset in the 1st stage shellcode.

Below we see the disassembly of the 1st stage shellcode where it checks the presence of the tag “p!11” marking the beginning of the 2nd stage shellcode and loads it into memory. Even though the tag and 2nd stage shellcode is present in the RTF, it’s at a different offset, and thus never is loaded.


Sophos’ Gabor Szappanos gives a possible explanation how these malformed samples may have come into existence.

ESET LiveGrid telemetry indicates that the attacks against these targets have been going on since at least June 2014 and continue through today.

We were able to pinpoint the targets to residents of the following countries:

  • Afghanistan
  • Tajikistan
  • Russia
  • Kyrgyzstan
  • Kazakhstan

From the topics of the files used to spread the malware, as well as from the affected targets, it appears that the attackers are interested in gathering intelligence related to Afghan, Tajik and Russian military and diplomatic subjects.

Interestingly, most of the affected victims have another thing in common – a number of other RATs, file stealing trojans or keyloggers were detected on their systems on top of the Korplug RAT detection. One of these ‘alternative RATs’ was connecting to a domain also used by the Korplug samples.

Since the functionality of these tools was partly overlapping with that of Korplug, it left us wondering whether the attackers were just experimenting with different RATs or were they supplementing some functionality that they were unable to accomplish.

Additional information about two malware families that were most often found accompanying Korplug infections is given below.

Alternative Malware #1: DarkStRat

A curious Remote Access Trojan, as research points to a Chinese connection but the commands it listens to are in Spanish (translation in English):

  • CERRAR (close)
  • DESINSTALAR (uninstall)
  • SERVIDOR (server)
  • INFO
  • PING
  • PROC
  • VERUNIDADES (see units)
  • LISTARARCHIVOS (list files)
  • EXEC
  • CAMBIOID (change ID)
  • SERVICIOSLISTAR (list service)
  • INICIARSERVICIO (start service)
  • DETENERSERVICIO (stop service)
  • BORRARSERVICIO (erase service)
  • INSTALARSERVICIO (install service)

The malware can manage processes and services on the infected machine, transfer files to and from the C&C server, run shell commands, and so on. It is written in Delphi and connects to www.dicemention.com. Some samples contain a digital signature by “Nanning weiwu Technology co.,ltd”.

Alternative Malware #2: File Stealer

This malware, written in C, and contains several functions for harvesting files off the victim’s hard drive according to criteria set in the configuration file. Apart from doing a recursive sweep of all logical fixed and remote drives, it also continually monitors any attached removable media or network shares by listening to DBT_DEVICEARRIVAL events.

In addition to collecting files, the malware attempts to gather saved passwords, history of visited URLs, account information and proxy information from the following applications:

  • Microsoft Messenger
  • Microsoft Outlook
  • Microsoft Internet Explorer
  • Mozilla Firefox

The C&C domains used by this malware are:

  • newvinta.com
  • worksware.net

Some samples of this file stealer detected in these campaigns also contain the signature by “Nanning weiwu Technology co.,ltd” – another indicator that the infections are related.

List of SHA1 hashes:



Alternative Malware #1:


Alternative Malware #2:


Research by: Anton Cherepanov

Via Korplug military targeted attacks: Afghanistan & Tajikistan

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...