Security Alert: PlugX Malware

A remote access trojan known as PlugX, used in recent intrusions, is reported to communicate with command-and-control infrastructure originating from China. PlugX has been used to compromise networks of U.S. Government agencies and of commercial organizations in the aerospace, entertainment, healthcare and telecommunications sectors. These intrusions resulted in the theft of sensitive information, including bulk quantities of personally identifiable information.

PlugX, including its Korplug, Gulpix, Kaba, Sogu and P2P variants, is delivered via spear-phishing emails carrying a malicious RTF or Word document that exploits CVE-2012-0158, a vulnerability in the MSCOMCTL.OCX ActiveX control used by Microsoft Office (patched in Microsoft Security Bulletin MS12-027). Once installed, the malware gives the operator the following functions and operations on the infected host:

  • Collect running process and module information
  • Start/stop, load, and reconfigure system services
  • Create/delete files
  • Modify the system’s registry
  • Acquire detailed system information
  • Log user’s keystrokes
  • Capture screenshots
  • Monitor network resources and connections
  • Connect and make queries to SQL databases
  • Peer-to-Peer communication
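An attachment triage heuristic for the delivery vector above, added here as an example and not part of the original alert or of any vendor tooling. It identifies RTF and OLE2 (legacy Word) containers by content rather than by filename, flags embedded OLE objects, and looks for the ProgIDs of the MSCOMCTL.OCX ListView and TreeView controls that CVE-2012-0158 affects. The two ProgIDs are the real ones; the sample message, the flag names and the block/review/pass policy are constructed for the example.

```python
"""Heuristic triage of e-mail attachments for RTF/Word documents that embed
MSCOMCTL ActiveX controls (the component affected by CVE-2012-0158).

This is a screening aid, not a parser: exploit RTFs often obfuscate control
words, and OLE2 documents need a structured-storage parser for reliable
results. Treat a hit as a reason to detonate or block, not as proof."""
import re
from email import policy
from email.message import EmailMessage

# Real ProgIDs of the two MSCOMCTL.OCX controls patched for CVE-2012-0158.
MSCOMCTL_PROGIDS = (b"mscomctllib.listviewctrl", b"mscomctllib.treectrl")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify(data: bytes) -> str:
    """Identify the container by content, never by filename or MIME type."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    # Word tolerates junk before the RTF header and accepts the "{\rt"
    # abbreviation, so search the first KB instead of checking offset 0.
    if b"{\\rt" in data[:1024].lower():
        return "rtf"
    return "other"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return container type, findings and a verdict for one attachment."""
    kind = classify(data)
    lower = data.lower()
    findings = []
    if kind == "rtf":
        if b"\\objdata" in lower or b"\\objemb" in lower:
            findings.append("rtf-embedded-ole-object")
        if not data.startswith(b"{\\rtf"):
            findings.append("rtf-header-not-at-offset-0")
        # \objclass names the embedded object's ProgID in clear text.
        for m in re.finditer(rb"\\objclass\s+([A-Za-z0-9_.]+)", data):
            findings.append("progid:" + m.group(1).decode("ascii"))
    if kind in ("rtf", "ole2"):
        # In OLE2 files the CompObj stream holds the ProgID as plain ASCII,
        # so a raw scan works for uncompressed documents as well.
        if any(pid in lower for pid in MSCOMCTL_PROGIDS):
            findings.append("mscomctl-activex-progid")
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext not in ("rtf", "doc", "dot"):
            findings.append("container-extension-mismatch")
    if "mscomctl-activex-progid" in findings:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "pass"
    return {"filename": filename, "container": kind,
            "findings": findings, "verdict": verdict}


def triage_message(msg: EmailMessage) -> list:
    """Triage every attachment of a parsed message, in order."""
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        results.append(triage_attachment(part.get_filename() or "", payload))
    return results


def build_sample_message() -> EmailMessage:
    """Constructed sample (not a real capture): an RTF embedding an MSCOMCTL
    ListView control, a benign RTF, and an OLE2 file posing as a PDF."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "hr@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Updated travel policy"
    msg.set_content("Please review the attached documents.")
    bad_rtf = (b"{\\rtf1\\ansi{\\object\\objemb"
               b"{\\*\\objclass MSComctlLib.ListViewCtrl.2}"
               b"{\\*\\objdata 01050000020000000f000000}}}")
    good_rtf = b"{\\rtf1\\ansi Quarterly report\\par}"
    fake_pdf = OLE2_MAGIC + b"\x00" * 504  # one zeroed sector of filler
    msg.add_attachment(bad_rtf, maintype="application", subtype="rtf",
                       filename="agenda.rtf")
    msg.add_attachment(good_rtf, maintype="application", subtype="rtf",
                       filename="report.rtf")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg


if __name__ == "__main__":
    for r in triage_message(build_sample_message()):
        print(r["verdict"].upper(), r["filename"], r["container"], r["findings"])
```

At a mail gateway the same checks would run over the decoded attachment stream; the ProgID match is the high-confidence signal, while the embedded-object and header-offset flags only justify sandbox detonation, since legitimate documents embed OLE objects too.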

US-CERT identifies the following five practices as the most effective in mitigating intrusions by advanced adversaries using PlugX:

  • Application whitelisting, which prevents malicious software and unapproved programs from running
  • Patching applications (e.g., Java, PDF viewers, Flash, web browsers and Microsoft Office); the exploit document described above depends on an unpatched Office component
  • Patching operating system vulnerabilities, prioritising those rated extreme risk
  • Limiting administrative privileges to users whose role requires them
  • Network segmentation and segregation into security zones, to protect sensitive information and critical services