Some days ago, TrendMicro published some information about a new version of a RAT called PlugX. From the last few months we have been tracking a group using the PlugX RAT that has been attacking different targets especially in Japan, Taiwan, Korea and against Tibetan organizations and individuals.

In this post we will focus on the intelligence we have extracted from the payloads of the attacks and how we used this information to track the author of the RAT that is very likely to be involved in the attacks as well.

During the past few months we have seen some spearphishing campaigns against Tibetan targets using mainly Microsoft Office Exploits (CVE-2012-0158). Those documents used a very tricky technique; the payload dropped was a benign Nvidia executable (NvSmart.exe), a DLL (NvSmartMax.dll) and a binary file (boot.ldr) This technique was explained by Symantec as well.

NvSmart.exe

https://www.virustotal.com/file/523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256/analysis/

 

As we can see the binary file is signed by Nvidia since it is a benign file used on some Nvidia applications. Once NvSmart.exe is executed, it loads NvSmartMax.dll. The attackers drop a modified version of NvSmartMax.dll which executes the binary content present on boot.ldr that contains the actual malicious code.

Since NvSmart.exe is configured to run when the computer starts and it contains a valid digital signature, it will bypass some of the OS restrictions and the malicious code will be executed when the system boots.

Once the payload is executed, a decoy file is shown to the user as in most of the attacks we have seen in the past few years.

Here is an example of some of the decoy content used by the attackers:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

It happens that in most of the boot.ldr files we have found the RAT called PlugX.

At the beginning of our investigations some months ago, we found out that in some of the PlugX binaries we were able to extract some debug paths like:

Hash: c1c80e237f6fbc2c61b82c3325dd836f3849ca036a28007617e4e27ba2f16c4b

Debug Path: d:\work\plug4.0(nvsmart)(sxl)\shellcode\shellcode\XPlug.h

Compilation date: 6/17/2012 16:44:58

 

Hash: 1a091c2ddf77c37db3274f649c53acfd2a0f14780479344d808d089faa809a_HHDL’s Birthday Celebration.doc

Debug Path: d:\work\Plug3.0(Gf)UDP\Shell6\Release\Shell6.pdb

Compilation date: 6/17/2012 16:44:58

 

Hash: 42813b3a43611efebf56239a1200f8fc96cd9f3bac35694b842d9e8b02a

Debug Path: d:\work\plug4.0(nvsmart)\shellcode\shellcode\XPlug.h

Compilation date: 5/26/2012 7:16:08

 

Hash: 28762c22b2736ac9728feff579c3256bd5d18bdfbf11b8c00c68d6bd905af5b8

Debug Path: d:\work\plug3.1(icesword)\shellcode\shellcode\XPlug.h

Compilation date: 6/14/2012 6:06:00
It seems that there are several versions of the RAT and if you take a look at the binaries you will realize that there are some changes and new capabilities in each version.

We searched through our collection to see if we could find other XPlug samples apart from the ones dropped by the malicious documents we had. We found some other samples:

Hash: 3b01677582e7a56942a91da9728c6251- financial_report.exe

Debug Path: C:\Users\whg\Desktop\Plug\FastGui(LYT)\Shell\Release\Shell.pdb

Compilation date: 6/17/2012 16:44:58

 

Hash: 60ee900d919da8306b7b6dbe7e62fee49f00ccf141b2e396f5a66be51a00e34f

Debug Path: C:\Documents and Settings\whg\\Plug\FastGui(LYT)\Shell\Release\Shell.pdb

Compilation date: 2012-03-12 07:04:12

 

Hash: c00cd2dcddbb24383a3639ed56e68a24dc4561b1248efa4d53aa2b68220b4b2a

Debug Path: C:\Users\whg\Desktop\Plug\FastGui(LYT)\Shell\Release\Shell.pdb

Compilation date: 3/12/2012 14:23:58

As we can see the debug paths found on those files are a bit more interesting since the path contains a username “whg”. We have two different paths, “C:\Documents and Settings\whg\” and  “C:\Users\whg\” so it is likely that in the first case the author is using a Windows XP system and in the second one he is using a Vista/7 system.

With this information, we began to search binary files that contain similar debug paths. Our search found an application called SockMon that leads us to http://www.cnasm.com/view.asp?classid=49&newsid=320 and http://www.cnasm.com/view.asp?classid=49&newsid=315.

The debug paths that we found in files that belong to a different SockMon version are the following ones:

C:\Users\whg\Desktop\SockMon2011\SockMon\UnitCache.pas

c:\Documents and Settings\whg\SockMon2010\RunProtect\Release\RunProtect.pdb

c:\Documents and Settings\whg\\SockMon2010\SmComm\Release\SmComm.pdb

We also found another library called vtcp (http://www.cnasm.com/vtcpsdk/) that contains the following debug path:

C:\Users\whg\Desktop\vtcp11.0lib\vtcpT0\UnitMain.pas

Does this all look familiar to you?. It seems that the user “whg” has compiled these components and he is also running a couple of machines with different paths that correspond to the ones we found on the XPlug RAT.

If we take a look at cnasm.com we can find the following contact information:

email: whg0001 at 163.com

QQ: 312016

So the mail address also coincide with the username we found in the debug path of the RAT samples.

Let’s see what we find about whg0001 at 163.com. The mail address was used as the administrative contact of the domain chinansl.com back in 2000:

Domain Name      : chinansl.com

PunnyCode        : chinansl.com

Creation Date    : 2000-08-08 00:00:00

Updated Date     : 2012-02-29 11:26:22

Expiration Date  : 2013-08-08 00:00:00

 

Registrant:

Organization   : chinansl technology co.，itd

Name           : lishiyun

Address        : Room E8BC , XiangFu Garden , 3rd Southern portion of 2nd ringroad , Chengdu , Si

City           : chengdushi

Province/State : sichuansheng

Country        : china

Postal Code    : 610041

 

Administrative Contact:

Name           :

Organization   : chinansl technology co.，itd

Address        :

City           : chengdushi

Province/State : sichuansheng

Country        : china

Postal Code    : 610041

Phone Number   :

Fax            : 086-028-85459578

Email          : whg0001@163.com

In this link you can find more information about the company, overview:

Company Name: CHINANSL TECHNOLOGY CO.,LTD.

Address: Chengdu National Information Security Production Industrialization Base , 2nd Floor ,No.8 Chuangye   Road

Telephone: 02866853362

Custom Code: 5101730218773

Company Code: 730

Account-opening Bank: Xisanqi Sub-branch, Beijing Branch, Bank of China

Account Name: Beijing Lingtong Economic Consulting Co., Ltd

Account Number: 813715881608091001

 

 
 

 
 

 
 
 
 

From the information we collected it seems to be a Chinese company related to the security industry. Of course!

We also found a software component called “Parent Carefree Filter”

https://www.virustotal.com/file/3babb326615b899e976a1a9dc51ec04118701a5de702494f1d363194060c5db7/analysis/

publisher…………….: CHINANSL

product………………: Parent Carefree Filter

internal name…………: FamHook

file version………….: 3, 0, 0, 1

original name…………: FamHook.dll

copyright…………….: CHINANSL

description…………..: Parent Carefree Filter

And of course we found similar debug paths on the file:

c:\Documents and Settings\whg\Pnw(all)\Pc()\FamHook\Release\FamHook.pdb

You can find some advisories that Chinansl published back to 2000:

CHINANSL Security Advisory(CSA-200110)

Tomcat 4.0-b2 for winnt/2000 show “.jsp” source Vulnerability

CHINANSL Security Advisory(CSA-200011)

PHP AND APACHE Vulnerability

CHINANSL Security Advisory(CSA-200012)

Ultraseek Server 3.0 Vulnerability

CHINANSL Security Advisory(CSA200013)

IBM WCS local user exceed his authority to access another file

CHINANSL Security Advisory(CSA-200105)

Tomcat 3.0 for win2000 Directory traversal Vulnerability

CHINANSL Security Advisory(CSA-200106)

JavaServer Web Dev Kit(JSWDK)1.0.1 for win2000 Directory traversal Vulnerability

CHINANSL Security Advisory(CSA-200108)

Tomcat 3.2.1 for win2000 Directory traversal

CHINANSL Security Advisory(CSA-200107)

IBM WCS 4.0.1 + Application Server 3.0.2 for Solaris 2.7 show “.jsp” source Vulnerability.

CHINANSL Security Advisory(CSA-200109)

Tomcat 4.0-b1 for winnt/2000 show “.jsp” source Vulnerability.

 

About whg0001 we can find several references on the Internet about him.

https://www.xfocus.net/bbs/index.php?act=ST&f=1&t=54500

http://bbs.krshadow.com/thread-58032-1-1.html

They describe him as “Virus expert. Proficient in assembly.”.

And finally here is the CSDN profile where you can find a photo of him:

 

 

 

 

 

 

 

 

At this point you must be thinking we cannot accuse whg of being related to the XPlug RAT and the targeted campaigns just for a couple of debug paths inside the binary, can we?

Ok, here is the final touch. After searching for more versions of the PlugX RAT we found these two samples:

2ba7f1cc1f46a17ccfbef6b327d8c4e47f9d56922debcad27e5db569f4cf818d

51e50d810172591ee04e12cfce0792f3154356588eacadc01288e3a4fda915fb

They contains this debug path:

i:\work\plug2.0()\shellcode\shellcode\XPlug.h

and the following URL:

http://tieba.baidu.com/f?kz=866965377

that seems to be used as a test or to check connectivity (more info in future posts).

Surprisingly when you open the URL you can see the following:

 

 

 

 

 

 

 

is this guy familiar to you?

With the information we have, we can say that this guy is behind the active development of the PlugX RAT. We can also say he has probably some inside of the operations since this path

“d:\work\plug4.0(nvsmart)\shellcode\shellcode\XPlug.h” tells us that he knew the RAT was going to be weaponized through the Nvsmart technique to be used in the spearphishing campaigns.

According to the information on this research  a previous version of this malware also called Thoper/Tvt/Sogu was used to compromise SK Communications in South Korea back in 2011.