Recent reports (see Trend Micro, Alien Vault) describe the capabilities of the PlugX Remote Access Trojan (RAT) and its use in targeted attacks. As part of Citizen Lab’s ongoing study of targeted cyber threats against human rights organizations we have documented a series of attacks against some of these organizations using the PlugX RAT. The attacks targeted three groups taking part in the study, all of which work on China-related rights issues. Two of those groups focus primarily on Tibetan rights.

We previously reported on attacks targeting the Tibetan community that used the PlugX RAT in June 2012. In May, Symantec reported on targeted attacks with Tibetan themes that used the same dropped executable code.

The first email containing the PlugX RAT was received in early May 2012. Twenty samples have been seen to date. The majority of these emails attached documents containing trojans directly to the email. In one instance, however, a malicious link was present in the email instead of an attached document; if a user followed the link malware would be downloaded and executed on the user’s computer.

The core ‘trinity’ of the PlugX RAT revolves around 3 files: NvDev.exe/NvSmart.exe (the same file with different names), NvSmartMax.dll, and BOOT.LDR.

NvDev.exe/NvSmart.exe have valid digital signatures because they are legitimate programs. Upon execution they load and call code from a companion file. In this case the file is NvSmartMax.dll, a fake dynamic link library (DLL) that contains malicious code and works in tandem with BOOT.LDR, which is the payload. This payload can perform such actions as logging keystrokes and performing screen captures.

These files employ a technique called “DLL Hijacking,” so named because it bypasses system warnings that a program is not digitally signed. Such a warning would serve to inform the user that something is not right upon execution of the file.

Citizen Lab analyzed four versions of BOOT.LDR and the embedded files they contain for dates of compilation:

BOOT.LDR (195192a31dbc0d07b328038c60cb0602)

8 emails, 4 unique1, to all three groups
First time seen: 31-May-2012
Date of Compilation (PE Header): 29-May-2012

BOOT.LDR (76156038323e4348a197a24c77da9cf0)

4 emails, 1 unique, to the Tibetan rights groups
First time seen: 31-May-2012
Date of Compilation (PE Header): 30-May-2012 10:45

BOOT.LDR (b094f1e5dbfff0536da2592b869fdd92)

4 emails, 1 unique, to the Tibetan rights groups
First time seen: 25-May-2012
Date of Compilation (PE Header): 06-May-2012 07:40:36

BOOT.LDR (84ecffcfb7bc75cf14f39ed34438c89d)

4 Emails, 2 unique, to the Tibetan rights groups
First time seen: 11-May-2012
Date of Compilation (PE Header): 09-May-2012 03:24:19

The last three BOOT.LDR files (identified by hashes 76156038323e4348a197a24c77da9cf0, b094f1e5dbfff0536da2592b869fdd92 and 84ecffcfb7bc75cf14f39ed34438c89d) contact the same command and control servers.

The emails analyzed incorporate a variety of social engineering methods to induce the recipient into activating the malware. In particular, the themes used in the email messages are designed to generate interest on the part of their recipients, and indicate that the actor(s) behind the attacks are well informed about recent events, developments, and people in the communities being targeted. For example, emails sent to the two Tibetan rights groups referenced the birthday of His Holiness the Dalai Lama on July 6, an upcoming visit of the Dalai Lama to Europe, and sittings of the European Parliament in June, where Tibet was a topic of discussion.

A malicious email sent to the third group referenced the upcoming Communist Party of China (CPC) leadership transition and 18th Party Congress, as well as contacts known to the organization. (Notably, this last email was in the English language, but appeared to have been generated by non-native speakers and/or translation software, as it included a literal but non-sensical English translation of the abbreviated Chinese characters for 18th Party Congress.) These techniques suggest some preliminary intelligence-gathering by the attackers.

The samples analyzed by Citizen Lab also suggest that this malware may have been created by individuals not overly concerned with secrecy or code hygiene. For example, comments present in the code indicate that the demo version of a software package was used in the development of the code. Other information, such as the presence of debug strings, implies that the code is still under development.

Other aspects – such as function design and naming – indicate that the software is modular and has numerous capabilities that are unlikely to be used on the full range of infected machines (such as SQL manipulation). Thus this payload appears to be designed for deployment against a wide variety of targets when coupled with specifically crafted delivery mechanisms.

Further analysis of the emails and embedded links indicates that the attackers are using multiple techniques in an attempt to deliver their payloads. Three different delivery mechanisms have been found originating from the same email address, varying over time and employed in concert with dynamic DNS providers and inexpensive web hosting services. Evidence exists that the attacks on the two Tibetan rights groups are linked, as the malicious files employed attempt to contact the same command and control server. However, it is currently unclear if the attack on the third group was carried out by the same attacker(s). The Citizen Lab is continuing to track these attacks and campaigns.



Footnote:

1i.e. original text in an email body. In this case each of the four unique email bodies was incorporated in two separate emails.