Korplug malware

Korplug (Symantec); Trojan. This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. This backdoor drops the following files: msi. Delete this registry value. Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask for assistance from your system administrator.

Otherwise, check this Microsoft article first before modifying your computer's registry. Search and delete these components. There may be some components that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

Search and delete this folder. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden folders in the search result.

If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required.


You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information. It deletes itself after execution. File Size: 66, bytes. Memory Resident: Yes. Initial Samples Received Date: 19 Jun. Minimum Scan Engine: 9. Press F8 when you see the Starting Windows bar at the bottom of the screen.

Press F8 after Windows starts up. If the Windows Advanced Options menu does not appear, try restarting again and pressing F8 several times afterward. Step 3: Delete this registry value. Step 4: Search and delete these components. In the Named input box, type: msi. Repeat the said steps for all files listed.

In the Search input box, type: msi.

After taking a look at recent Korplug (PlugX) detections, we identified two larger-scale campaigns employing this well-known Remote Access Trojan.


This blog gives an overview of the first one. Sometimes malware used in various attacks is unique enough to identify related incidents, which makes tracking individual botnets simpler. An example is the BlackEnergy Lite variant (also known as BlackEnergy 3) used by a group of attackers that was then given the name Quedagh, or Sandworm, against targets in Ukraine and other countries.

BlackEnergy Lite is clearly distinguishable from the numerous binaries of the more common BlackEnergy 2 also circulating in the wild. In other cases, attackers use more common tools for accomplishing their criminal goals. For example, the Korplug RAT (a.k.a. PlugX) is a well-known toolkit associated with Chinese APT groups and used in a large number of targeted attacks. For the past several weeks we have taken a closer look at a great number of detections of this malware in many unrelated incidents.

Other Korplug samples were connecting to a different domain name resolving to the same IPs as notebookhk. A sample using the .SCR extension is shown below. In all of the cases, three binary files were dropped apart from decoy documents, which led to the Korplug trojan being loaded into memory. The Korplug RAT is known to use this side-loading trick, abusing legitimate digitally signed executables as a way to stay under the radar, since a trusted application with a valid signature among startup items is less likely to raise suspicion.

The image below shows the beginning of the CVE exploit shellcode in ASCII encoding within the document; the opcodes 60, 55, 8bec disassemble to pusha; push ebp; mov ebp, esp. Interestingly, though, the documents also contain the newer CVE exploit that was extensively used in targeted attacks carried out by a number of other malware families this year, including BlackEnergy, Sednit, MiniDuke and others. However, this exploit is not implemented correctly due to a wrong file offset in the 1st-stage shellcode.

ESET LiveGrid telemetry indicates that the attacks against these targets have been going on since at least June and continue through today. From the topics of the files used to spread the malware, as well as from the affected targets, it appears that the attackers are interested in gathering intelligence related to Afghan, Tajik and Russian military and diplomatic subjects. Interestingly, most of the affected victims have another thing in common — a number of other RATs, file-stealing trojans or keyloggers were detected on their systems on top of the Korplug RAT detection.

Since the functionality of these tools partly overlapped with that of Korplug, it left us wondering whether the attackers were just experimenting with different RATs or were supplementing some functionality that they were unable to accomplish otherwise.

Additional information about the two malware families that were most often found accompanying Korplug infections is given below. The first is a curious Remote Access Trojan: research points to a Chinese connection, but the commands it listens to are in Spanish (translation in English):

It is written in Delphi and connects to www. In addition to collecting files, the malware attempts to gather saved passwords, history of visited URLs, account information and proxy information from the following applications:

Robert Lipovsky, 12 Nov.

However, this piqued my curiosity. I decided to look into where these old samples were used and whether there was any specific targeting.

In terms of malware detection, it is always interesting to see old code repurposed or reused in new attacks and campaigns, as seen in the resurgence of Shamoon malware. The PlugX malware family is well known to researchers, with samples dating back years, according to researchers at Trend Micro.

Changes to the command and control (C2) options contributed to this resurgence because the malware authors implemented a new DNS C2 methodology that made traffic harder to detect. Before then, the typical PlugX infection methodology was the same: the malware payload was typically delivered via a phishing campaign, either as an attached self-extracting RAR (SFX) archive, a link to an archive, or embedded in a weaponized document.


This archive contains three files that make up the PlugX components. An example of these three components is as follows (extracted from the RAR archive with SHA hash 1cd17fc80bff1b87ffcfd2ada0bcdcd0): Figure 1: PlugX Component Files. Although the above sample used an NVIDIA application, many PlugX samples of this variant leveraged applications associated with antivirus or various other security products. Because these executables are signed, legitimate applications, endpoint security products are less likely to flag them.

Furthermore, usage of antivirus-related applications can potentially take advantage of product whitelisting on the endpoint. There have been many extensive analyses of the aforementioned PlugX variants over the years, as is evident by the lengthy — and yet still incomplete — references in the Appendix of this post, so I will not repeat a full analysis here.

Below is a depiction of the execution methodology for the classic variant of PlugX — most variants roughly follow this pattern, but there are some deviations. Execution flow in general proceeds as follows: Figure 3: PlugX Execution Chain.


Later, multiple updates to the core PlugX malware functionality occurred, including the addition of new C2 protocols, encryption, and installation methodologies.

Researchers with Airbus analyzed several samples that appeared to be from around that time. The main updates in this variant included a new, custom encryption algorithm used for configuration data, network communications, and strings within the binaries.

Later versions of this variant added DNS C2 as a module. Researchers at Lastline also detected variants that included an update to the PlugX malware deployment and installation methodologies. Although the dropped files and chain of execution matched that of the classic PlugX variants (three components: legitimate executable, loader DLL, and encrypted payload), these samples featured User Account Control (UAC) evasion functionality and an alternative process creation mechanism using Component Object Model (COM) objects.
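As an added defender-side check, not code from any of the sources quoted on this page, the following Python classifies a dropped file set against the three-component pattern described here and under Figure 1: a PE executable, a PE DLL loader, and a payload that is not a PE at all but is high-entropy (encrypted). The PE header offsets are the standard DOS/COFF layout; the sample files and their names are constructed in the script and are not real PlugX filenames.

```python
import math
from collections import Counter

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLLs


def pe_kind(data: bytes) -> str:
    """Return 'exe', 'dll' or 'data' by reading the DOS and COFF headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "data"
    pe_off = int.from_bytes(data[0x3C:0x40], "little")  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return "data"
    # Characteristics sits 18 bytes into the 20-byte COFF header
    chars = int.from_bytes(data[pe_off + 22:pe_off + 24], "little")
    return "dll" if chars & IMAGE_FILE_DLL else "exe"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_sideload_triads(files: dict, entropy_floor: float = 7.0) -> list:
    """Return (exe, dll, payload) triples from a {name: bytes} file set
    matching the PlugX drop pattern: executable + DLL + non-PE, high-entropy blob."""
    kinds = {name: pe_kind(blob) for name, blob in files.items()}
    exes = [n for n, k in kinds.items() if k == "exe"]
    dlls = [n for n, k in kinds.items() if k == "dll"]
    payloads = [n for n, k in kinds.items()
                if k == "data" and shannon_entropy(files[n]) >= entropy_floor]
    return [(e, d, p) for e in exes for d in dlls for p in payloads]


def fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE image: DOS stub, e_lfanew=0x40, COFF header."""
    chars = IMAGE_FILE_DLL if is_dll else 0
    return (b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")
            + b"PE\0\0" + b"\0" * 18 + chars.to_bytes(2, "little"))


# Constructed sample drop: placeholder names, not real PlugX filenames.
SAMPLE_DROP = {
    "signed_host.exe": fake_pe(False),
    "loader.dll": fake_pe(True),
    "payload.dat": bytes(range(256)) * 16,   # uniform bytes, entropy 8.0
    "decoy.txt": b"Meeting agenda\n" * 100,  # low entropy, not a payload
}

if __name__ == "__main__":
    print(find_sideload_triads(SAMPLE_DROP))
```

Run against a real extracted archive, the same triad check can be applied to the files on disk; the entropy floor is the only tunable and should stay high enough that plain documents and text decoys never match.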

Researchers at Sophos first discovered a new strain of memory-resident PlugX. The malware was discovered in a campaign exploiting a vulnerability in the popular Japanese word processing software, Ichitaro.

Recently, Microsoft issued an emergency patch for a zero-day vulnerability in Internet Explorer that is being exploited to deploy Korplug malware on vulnerable PCs. Korplug, a known variant of PlugX, is a Trojan that creates a backdoor used for information stealing on infected computers. In one of the most publicized cases, an evangelical church in Hong Kong was compromised to deliver the malware.

Attackers were able to breach the church's website and inject a malicious iFrame overlay designed to look like the site itself. The iFrame was then used to redirect visitors to a site hosting the IE exploit. Once users land on the website, they are served a java.

To defend against Korplug, system administrators and security engineers should educate users of corporate assets about these types of hacking techniques.

In many cases, organizations are breached because of the lack of internal education around how to identify threats. All too often breaches are successful when users execute malicious email attachments, download files from suspicious websites, or install cracked software.

However, even with the right kind of education, users will still sometimes inadvertently compromise company assets. This usually occurs when a user accidentally exposes the network to a piece of malware posing as a legitimate spreadsheet, word doc in an email, or in the case of the evangelical church described above, an iFrame designed to look like a page in a website.


Acting like a backdoor, malware like Korplug can be used by an attacker to gain complete control over a user's computer. This allows the attacker to perform privilege escalation, exfiltrate data from the user's machine, or use the host as a pivot point to access more sensitive systems.

PlugX, reportedly used in limited targeted attacks, is an example of the custom-made RATs developed specifically for such attacks. The idea behind using this new tool is simple: less recognition and more elusiveness from security researchers. However, this does not mean that this attack is new. Our monitoring reveals that PlugX is part of a campaign that has been around since at least February. This campaign was also part of a large, concerted attack, as documented earlier this year.

True to its origins, we have observed that PlugX was distributed mainly to government-related organizations and a specific corporation in Japan. Similar to previous Poison Ivy campaigns, it also arrives as an attachment to spear phishing emails either as an archived, bundled file or specially crafted document that exploits a vulnerability in Adobe Acrobat Reader or Microsoft Office.

Note that for the older variants, we used the earliest date estimate of their appearance. In the above diagram, we can see that though the campaign now uses the new PlugX RAT, they are still distributing this parallel to older, more stable Poison Ivy variants.

While custom-made RATs developed for targeted attacks are not new, we can see that the people behind PlugX are already distributing the RAT despite it being in beta.

Being malicious actors that have been around for some time, they may be onto something. Beta code carries risks, though: for example, files being accessed could become accidentally corrupted, causing significant amounts of data to be lost. Trend Micro users are protected by the Smart Protection Network.

Posted on: September 10. Posted in: Malware. Tags: APT, poison ivy, targeted attacks.

The other one, targeting a number of high-profile organizations in Russia, will be presented at the ZeroNights security conference in Moscow on Friday, November 14th, by Anton Cherepanov.

Apart from the targets treated in the presentation by Anton Cherepanov, the trojan analyzed in the blog post on WeLiveSecurity has been used against other targets. The attacks against the mentioned targets have been ongoing since at least June and continue through to today. In these campaigns the Korplug RAT utilizes two ways of spreading — as a self-extracting archive or as a Microsoft Word document exploiting a known CVE vulnerability. The trojan is loaded by side-loading into a legitimate signed application, which keeps the malware under the radar, since a trusted application with a valid signature among startup items is less likely to raise suspicion.

In addition to Korplug, most of the victims were also infected by a selection of other trojans. ESET's broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering numerous countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires.

November 12.

Korplug.D — Steps To Delete Korplug.D. Get Rid of Korplug.D. How to Remove Korplug.D. How to Uninstall Korplug.D.


Uninstall Korplug.D from Chrome. Korplug.D is identified as a destructive malware infection that performs vicious tasks one after another after getting in, and it falls into the category of trojan. This infection contains harmful code intended to ruin the targeted PC and take total control over it. This trojan infection is well capable of replicating itself and copies its malicious files to all parts of the system folder.

It is the main culprit behind copying or deleting system data, blocking the system files, and restricting users from visiting various social sites. The most harassing fact related to this trojan infection is that it creates a backdoor and hands control to the remote hacker, which can be quite nasty.

It also irritates users by generating fake alerts, error notifications, threatening messages and much more. Korplug.D is mainly designed for stealing purposes, as it hooks deep into the targeted PC and gathers confidential data for its developers.


The worst things that users may experience due to the presence of this trojan infection are that most installed programs start acting weirdly and the PC gets sluggish.

It completely manipulates the system settings along with the registry entries. It also disables the functioning of installed security tools without human interaction. No doubt it is a peculiar infection that can make your PC completely inaccessible in a fraction of the time, so it will be beneficial for the user to delete this trojan infection completely from the PC. It can exploit your installed programs, data and important files by taking advantage of vulnerabilities in the application programs running on your PC.

With this it becomes capable of starting itself automatically on each system boot-up. It is so malevolent that Korplug.D removal is quite difficult for any end user to do on their own.

Apart from this, Korplug.D is also capable of opening a backdoor to your compromised PC and providing unauthorized access to hackers. Because of this, experts also suggest removing Korplug.D from your infected system as soon as possible. Before going for the manual uninstallation process for Korplug.D, it is necessary for the user to read this: to perform manual uninstallation of the listed threat, the user must be technically skilled. It is necessary for the user to match their technical skill with that of PC experts. The user must have the best knowledge about the Registry, and just a slight mistake may cause severe loss.

The user must be capable of reversing a wrong operation while uninstalling the threat from the infected PC. Korplug.D and other associated malware. STEP 2. Get Rid Of Korplug.D and other associated malware from Task Manager.