TT Malware Log

A log of "personal" investigation and research on malware / cyber attacks / analysis techniques

PlugX (Summary)

【Overview】

■Aliases

Malware name | Notes
PlugX        |
Sogu         |
Kaba         |
Korplug      |


【Dictionary】

◆PlugX (ATT&CK)
https://attack.mitre.org/software/S0013/


【News】

◆New "PLUGX" variant that targets legitimate applications confirmed (TrendLabs, 2013/05/01)
http://blog.trendmicro.co.jp/archives/7156

◆"PlugX" variant that disguises itself as a legitimate application to evade detection confirmed (Trend Micro) (NetSecurity, 2013/05/02 16:43)
http://scan.netsecurity.ne.jp/article/2013/05/02/31553.html

◆Cyber attacks tied to historically significant dates were smaller than predicted -- technical report (IIJ) (NetSecurity, 2013/11/18)
http://scan.netsecurity.ne.jp/article/2013/11/18/32964.html

◆Frequent DDoS attacks using NTP servers as stepping stones -- technical report (IIJ) (NetSecurity, 2014/05/27 08:00)
http://scan.netsecurity.ne.jp/article/2014/05/26/34248.html


【Blog】

◆PlugX: New Tool For a Not So New Campaign (TrendLabs, 2012/09/10)
http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new-tool-for-a-not-so-new-campaign/

◆Tracking down the author of the PlugX RAT (Alienvault, 2012/09/13)
http://www.alienvault.com/open-threat-exchange/blog/tracking-down-the-author-of-the-plugx-rat

◆Close relationship revealed between "PlugX" and "PoisonIvy", RATs custom-built for targeted attacks (TrendLabs, 2012/09/19)
http://blog.trendmicro.co.jp/archives/597

◆Winnti returns with PlugX (SECURELIST, 2013/04/15 12:30 GMT)
http://www.securelist.com/en/blog/208194224/Winnti_returns_with_PlugX

◆From the Labs: New PlugX malware variant takes aim at Japan (nakedsecurity, 2013/12/04)
http://nakedsecurity.sophos.com/2013/12/04/new-plugx-malware-variant-takes-aim-at-japan/

◆Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick (FireEye, 2013/05/14)
http://www.fireeye.com/blog/technical/cyber-exploits/2013/05/targeted-attack-trend-alert-plugx-the-old-dog-with-a-new-trick.html

◆Inside the "PlugX" malware with SophosLabs - a fascinating journey into a malware factory... (nakedsecurity, 2013/05/20)
https://nakedsecurity.sophos.com/2013/05/20/inside-the-plugx-malware-with-sophoslabs-a-fascinating-journey-into-a-malware-factory/

◆Emergence of a new type of PlugX (IIJ-SECT, 2013/11/21)
https://sect.iij.ad.jp/d/2013/11/197093.html

◆Zero-day vulnerability in Adobe Flash Player leads to the RAT "PlugX" (TrendLabs Security Blog, 2014/02/25)
http://blog.trendmicro.co.jp/archives/8635

◆RAT "PlugX" with a preset activation date abuses Dropbox to download its C&C settings (Trendlabs Security Blog, 2014/06/27)
http://blog.trendmicro.co.jp/archives/9357


【Public Information】

◆PLUGX (Trendmicro)
http://150.70.65.162/malware.aspx?language=jp&name=PLUGX

◆What is the threat of PlugX, the malware used in targeted attacks (Trendmicro)
http://about-threats.trendmicro.com/RelatedThreats.aspx?language=jp&name=Pulling+the+Plug+on+PlugX

◆PlugX “malware factory” celebrates CVE-2012-0158 anniversary with Version 6.0 (SophosLabs, 2013/05)
http://sophosnews.files.wordpress.com/2013/05/sophosszappanosplugxmalwarefactoryversion6-rev3.pdf

◆An Analysis of PlugX (lastline, 2013/01/04)
http://www.lastline.com/an-analysis-of-plugx

◆Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0) (CIRCL, 2013/03/29)
https://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

◆TR-24 Analysis - Destory RAT family (circl.lu)
https://www.circl.lu/pub/tr-24/

◆White Paper: PlugX - Payload Extraction (Contextis, 2013/03)
http://www.contextis.com/files/PlugX_-_Payload_Extraction_March_2013_1.pdf

◆IIJ publishes "Internet Infrastructure Review" Vol.21, a report on the latest internet technology trends and security information (IIJ, 2013/11/18)
http://www.iij.ad.jp/news/pressrelease/2013/1118.html

◆Emergence of a new type of PlugX (IIJ, 2013/11/21)
https://sect.iij.ad.jp/d/2013/11/197093.html

◆An Analysis of PlugX (Lastline Labs)
http://labs.lastline.com/an-analysis-of-plugx

◆An Analysis of PlugX Using Process Dumps from High-Resolution Malware Analysis (Lastline Labs)
http://labs.lastline.com/an-analysis-of-plugx-using-process-dumps-from-high-resolution-malware-analysis


【Materials】

◆An Analysis of PlugX (2013/01/04, lastline)
http://www.lastline.com/an-analysis-of-plugx

◆Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0) (CIRCL, 2013/03/29)
https://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

◆White Paper: PlugX - Payload Extraction (Contextis, 2013/03)
http://www.contextis.com/files/PlugX_-_Payload_Extraction_March_2013_1.pdf

◆PlugX “malware factory” celebrates CVE-2012-0158 anniversary with Version 6.0 (SophosLabs, 2013/05)
http://sophosnews.files.wordpress.com/2013/05/sophosszappanosplugxmalwarefactoryversion6-rev3.pdf

◆The PlugX malware revisited: introducing “Smoaler” (Sophos, 2013/07)
http://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf

◆Internet Infrastructure Review Vol.21 (published 2013/11/18) (IIJ)
http://www.iij.ad.jp/company/development/report/iir/021.html

◆Internet Infrastructure Review (IIR) Vol.23 (IIJ, 2014/05/23)
https://www.iij.ad.jp/dev/report/iir/023.html


【Related Information】

[Image] PlugX toolkit screen
Source: https://www.yomiuri.co.jp/science/goshinjyutsu/20160624-OYT8T50029.html#

[Image]
Source: http://blog.trendmicro.co.jp/archives/5973


【Indicator Information】

■Hash information (SHA256)

1a091c2ddf77c37db3274f649c53acfd2a0f14780479344d808d089faa809a
42813b3a43611efebf56239a1200f8fc96cd9f3bac35694b842d9e8b02a
28762c22b2736ac9728feff579c3256bd5d18bdfbf11b8c00c68d6bd905af5b8


【Malware Sample Hashes】

◆PlugX
MD5: 2ca739538e18ce6f881694d99f6e22e9
SHA1: 88222c4fe9b9af8300b135229ad7b3303c299aab
SHA256: c1c80e237f6fbc2c61b82c3325dd836f3849ca036a28007617e4e27ba2f16c4b
SHA512: efafc12a6078989e31c35332fd8163d063ea37e098e056d9ad30722e9a65d0a1f6ec53051a9794fe83c4fc867c0b7dff1dc58f41a2072942c38b1253e94352c8
SSDEEP: 3072:qua3ds8DIoJtSq1fFPmYejhX1dwfx8Cr7A+35TCZUz2yEM:qua3xDRz1fgYej/dwfeO7AU0Ze2
authentihash: 214d5243ea92511a7d6423812d3ac25a16c4109737fb2c0554dcbb56156e64e1
imphash: 1b003e9291d7665df04b0ac0b5c53701
File Size: 172032 bytes
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Compile timestamp: 2012/06/17 16:44:58
Debug Path: d:\work\plug4.0(nvsmart)(sxl)\shellcode\shellcode\XPlug.h
File Name: plugx.dll
File Path: C:\DOCUME~1\User\LOCALS~1\Temp\plugx.dll
https://www.virustotal.com/ja/file/c1c80e237f6fbc2c61b82c3325dd836f3849ca036a28007617e4e27ba2f16c4b/analysis/
https://malwr.com/analysis/ZmIwYmMxY2JmNTlhNGIxMWIxMzU1YmZkOTg5ZDYxNjM/
https://www.threatcrowd.org/malware.php?md5=2ca739538e18ce6f881694d99f6e22e9
http://www.isthisfilesafe.com/sha1/88222C4FE9B9AF8300B135229AD7B3303C299AAB_details.aspx

◆PlugX
SHA256: 1a091c2ddf77c37db3274f649c53acfd2a0f14780479344d808d089faa809a
Compile timestamp: 2012/06/17 16:44:58
Debug Path: d:\work\Plug3.0(Gf)UDP\Shell6\Release\Shell6.pdb

◆PlugX
SHA256: 42813b3a43611efebf56239a1200f8fc96cd9f3bac35694b842d9e8b02a
Compile timestamp: 2012/05/26 07:16:08
Debug Path: d:\work\plug4.0(nvsmart)\shellcode\shellcode\XPlug.h

◆PlugX
SHA256: 28762c22b2736ac9728feff579c3256bd5d18bdfbf11b8c00c68d6bd905af5b8
Debug Path: d:\work\plug3.1(icesword)\shellcode\shellcode\XPlug.h
Compile timestamp: 2012/06/14 6:06:00

■Hash information (MD5)

  • BD9FD3E199C3DAB16CF8C9134E06FE12
  • 215CEC7261D70A5913E79CD11EBC9ECC
  • 12181311E049EB9F1B909EABFDB55427

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2019