Posts

PlugX Trojan was seen making the rounds (July 30, 2015)

The Dell SonicWALL Threat Research team has received reports of a Trojan called PlugX (also known as Korplug) which has recently been seen compromising various U.S. Government entities and other industries such as aerospace, media, healthcare and telecommunication networks. This Trojan has been reported to be in existence since 2008, and over the past few years PlugX has seen continuous development and use in targeted attacks resulting in the theft of sensitive information.

Infection Cycle:

PlugX has previously been seen bundled with online game installations, but more recently it has been delivered via spear-phishing email. These emails carry a malicious rich text document that exploits vulnerabilities in Microsoft Word which could allow remote code execution. Several variants have leveraged exploits for CVE-2012-0158 and CVE-2014-1761, both of which Microsoft has already patched.

Once dropped on the victim machine, the main installer of this Trojan comes as a self-extracting RAR file and may use the following icons:

A more recent variant of this Trojan creates the following files in these directories:

  • %Userprofile%\SxS\NvSmart.exe – a benign file with a valid digital signature from a well-known vendor (e.g. Symantec, Microsoft, McAfee, Samsung and, in this case, Nvidia)
  • %Userprofile%\SxS\NvSmartMax.dll – malicious DLL [Detected as GAV: PlugX.DLL (Trojan)]
  • %Userprofile%\SxS\xxx.xxx – a configuration file

NvSmart.exe imports functions from NvSmartMax.dll. On a legitimate installation it would load the genuine Nvidia library, but because a malicious DLL with the same name is present in the same directory as the executable, the loader resolves the import to that malicious library instead.
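The side-loading pattern just described (a DLL loaded from the loader's own directory, outside a protected install location, and without a valid signature) can be turned into a detection rule over image-load telemetry. The following is an added example and not code from the original post or from Dell SonicWALL; it assumes a few Sysmon Event ID 7 (Image loaded) fields have been flattened into one `key=value|key=value` line per event, and the sample events, paths and the `TRUSTED_ROOTS` list are constructed for this illustration.

```python
"""
Detection for the DLL side-loading pattern described in the post: a loader
executable picks up a same-named DLL from its own user-writable directory
instead of the library it was built against.

Added example; not code from the original post or from Dell SonicWALL.
The records below are constructed and flatten a few Sysmon Event ID 7
(Image loaded) fields into one 'key=value|key=value' line each.
"""
from pathlib import PureWindowsPath

# Directories where a same-directory DLL load is expected and which normal
# users cannot write to. Anything outside these is treated as user-writable.
TRUSTED_ROOTS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

# Constructed sample events (not real telemetry). The first follows the
# file layout given in the post: %Userprofile%\SxS\NvSmart.exe + NvSmartMax.dll.
SAMPLE_EVENTS = [
    # unsigned DLL loaded beside the signed loader inside a user profile
    r"Image=C:\Users\victim\SxS\NvSmart.exe|ImageLoaded=C:\Users\victim\SxS\NvSmartMax.dll|Signed=false|SignatureStatus=Unavailable",
    # the genuine vendor library loaded from its protected install directory
    r"Image=C:\Program Files\NVIDIA Corporation\NvSmart.exe|ImageLoaded=C:\Program Files\NVIDIA Corporation\NvSmartMax.dll|Signed=true|SignatureStatus=Valid",
    # a system DLL loaded by the suspicious process: different directory, trusted root
    r"Image=C:\Users\victim\SxS\NvSmart.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid",
    # a portable tool loading its own validly signed helper from a profile directory
    r"Image=C:\Users\victim\tool\app.exe|ImageLoaded=C:\Users\victim\tool\helper.dll|Signed=true|SignatureStatus=Valid",
]


def parse_event(line):
    """Split one flattened event line into a dict of field -> value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def under_trusted_root(path):
    """True if the path lies below one of TRUSTED_ROOTS (case-insensitive)."""
    p = str(path).lower()
    return any(p.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def is_side_load(event):
    """Rule: DLL sits in the loader's own directory, that directory is outside
    the trusted roots, and the DLL does not carry a valid signature."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    same_dir = image.parent == loaded.parent  # PureWindowsPath compares case-insensitively
    valid_sig = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus", "") == "Valid")
    return same_dir and not valid_sig and not under_trusted_root(loaded)


def find_side_loads(lines):
    """Return (loader, dll) pairs for every event that matches the rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_side_load(event):
            hits.append((event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for loader, dll in find_side_loads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {loader} loaded {dll}")
```

Only the first sample event fires: the vendor library in Program Files, the System32 DLL, and the validly signed helper are all excluded. Event ID 7 does not record whether the loading process itself is signed, so the rule keys on the DLL's signature and location; a vendor binary carrying a valid signature while its companion DLL has none is exactly the mismatch the post describes.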

Upon execution, this Trojan spawns svchost.exe and injects its code into that process, possibly to evade detection.

During our analysis, we saw this Trojan take desktop screenshots every 10 seconds and save them to a directory.

It also logs all active windows to a text file.

Apart from what was observed, this Trojan has been reported to have the following capabilities:

  • Communicate to several C&C servers
  • Collect history information of visited URLs from different browsers
  • Remote access/Backdoor functionalities: download, execute, create, delete and enumerate processes; administrative control over a target system
  • Log keystrokes

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: PlugX.BK (Trojan)
  • GAV: PlugX.BK_2 (Trojan)
  • GAV: PlugX.DLL (Trojan)
  • GAV: PlugX.KOR (Trojan)

Microsoft Security Bulletin Coverage (Apr 8, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of April, 2014. A list of the issues reported, along with Dell SonicWALL coverage information, is as follows:

MS14-017 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)

  • CVE-2014-1757 Microsoft Office File Format Converter Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1758 Microsoft Word Stack Overflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1761 Word RTF Memory Corruption Vulnerability
    GAV: 20922 “CVE-2014-1761”

MS14-018 Cumulative Security Update for Internet Explorer (2950467)

  • CVE-2014-1755 Internet Explorer Memory Corruption Vulnerability
    IPS: 3611 “Windows IE Memory Corruption Vulnerability (MS14-018) 4”
  • CVE-2014-1753 Internet Explorer Memory Corruption Vulnerability
    IPS: 3610 “Windows IE Memory Corruption Vulnerability (MS14-018) 3”
  • CVE-2014-1752 Internet Explorer Memory Corruption Vulnerability
    IPS: 3609 “Windows IE Memory Corruption Vulnerability (MS14-018) 2”
  • CVE-2014-1751 Internet Explorer Memory Corruption Vulnerability
    IPS: 3571 “Windows IE Memory Corruption Vulnerability (MS14-018) 1”
  • CVE-2014-0235 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1760 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS14-019 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)

  • CVE-2014-0315 Windows Insecure Binary Loading Vulnerability
    There are no known exploits in the wild.

MS14-020 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)

  • CVE-2014-1759 Arbitrary Pointer Dereference Vulnerability
    There are no known exploits in the wild.

Microsoft Word Zero Day (CVE-2014-1761) Exploit Analysis (Apr 4, 2014)

The Dell SonicWALL Threat Research team has spotted Microsoft Word zero-day attacks in the wild.
Last week, Microsoft released a Security Advisory that addresses this vulnerability.

The following is our technical analysis of this attack.

The attack arrives as a malicious RTF file.

A minimized crash file produced the following crash:

We can see how the ROP chain is constructed from MSCOMCTL.

VirtualAlloc is used to create an executable page.

Control then returns to the ROP chain.

Further ROP gadgets transfer control to the shellcode.

The shellcode takes control from here on.

On successful execution, we can see svchost.exe being spawned by Word.

The following is our detection coverage:
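Both this post (svchost.exe spawned by Word after exploitation) and the PlugX post above (the Trojan spawning svchost.exe and injecting into it) share one host-level indicator: a service host started by something other than services.exe, or running from somewhere other than its system directory. The following is an added example and not code from the original posts or from Dell SonicWALL; it assumes a few Sysmon Event ID 1 (Process creation) fields have been flattened into one `key=value|key=value` line per event, and the sample events, paths and the `SVCHOST_DIRS`/`EXPECTED_PARENT` values are constructed for this illustration.

```python
"""
Detection for the process-tree anomaly seen in both posts: svchost.exe
started by Word (CVE-2014-1761 exploit) or by the PlugX loader. The real
svchost.exe lives in System32/SysWOW64 and is started by services.exe, so
any other parent or path is flagged.

Added example; not code from the original posts or from Dell SonicWALL.
The records below are constructed and flatten a few Sysmon Event ID 1
(Process creation) fields into one 'key=value|key=value' line each.
"""
from pathlib import PureWindowsPath

# Where the genuine svchost.exe lives and which process is expected to start it.
SVCHOST_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
EXPECTED_PARENT = r"C:\Windows\System32\services.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # legitimate service host start
    r"Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=svchost.exe -k netsvcs",
    # exploit-analysis post: Word spawning svchost.exe after exploitation
    r"Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|CommandLine=svchost.exe",
    # PlugX post: the side-loaded loader spawning svchost.exe for injection
    r"Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Users\victim\SxS\NvSmart.exe|CommandLine=svchost.exe",
    # a copy named svchost.exe running from a profile directory (masquerading)
    r"Image=C:\Users\victim\AppData\Local\Temp\svchost.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=svchost.exe",
    # unrelated process; must not alert
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe",
]


def parse_event(line):
    """Split one flattened event line into a dict of field -> value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_svchost(event):
    """Return the reasons this process creation looks wrong (empty if it is fine).
    Only events whose Image is named svchost.exe are examined."""
    image = PureWindowsPath(event.get("Image", ""))
    if image.name.lower() != "svchost.exe":
        return []
    reasons = []
    # PureWindowsPath equality is case-insensitive, which suits Windows paths.
    if not any(image.parent == PureWindowsPath(d) for d in SVCHOST_DIRS):
        reasons.append(f"svchost.exe running from unexpected path {image}")
    parent = event.get("ParentImage", "")
    if PureWindowsPath(parent) != PureWindowsPath(EXPECTED_PARENT):
        reasons.append(f"svchost.exe started by {parent or '<unknown>'} instead of services.exe")
    return reasons


def find_anomalies(lines):
    """Return (image, parent, reason) triples for every anomalous svchost start."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for reason in check_svchost(event):
            alerts.append((event["Image"], event.get("ParentImage", ""), reason))
    return alerts


if __name__ == "__main__":
    for image, parent, reason in find_anomalies(SAMPLE_EVENTS):
        print(f"ALERT: {reason}  (image={image}, parent={parent})")
```

The Word-spawned and loader-spawned cases both fail the parent check, and the copy in the Temp directory fails the path check, while the genuine services.exe start and the unrelated notepad.exe event pass. The parent allowlist is deliberately strict; in production it should be baselined against the environment's own process trees before being used for alerting rather than hunting.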

  • GAV: CVE-2014-1761 (Exploit)

Microsoft Security Advisory Coverage (March 24, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisory released on March 24th, 2014. A list of issues reported, along with Dell SonicWALL coverage information follows:

Microsoft Security Advisory (2953095) Vulnerability in Microsoft Word Could Allow Remote Code Execution

  • CVE-2014-1761 Word RTF Memory Corruption Vulnerability
    SPY: 3376 Malformed-File rtf.MP.4