# Full Report
After taking a look at recent Korplug (PlugX) detections, we identified two larger-scale campaigns employing this well-known Remote Access Trojan. This blog gives an overview of the first one.
# Analysis Summary
# Threat Actor: Unspecified APT Group (Associated with Korplug/PlugX usage)
## Attribution & Identity
The primary focus of this analysis is on campaigns utilizing the Korplug (PlugX) Remote Access Trojan (RAT). The malware itself is generally associated with **Chinese APT groups**.
The article also briefly mentions a separate group associated with BlackEnergy Lite (BE3), which was later named **Quedagh** or **Sandworm**.
## Activity Summary
The immediate analysis focuses on two large-scale campaigns employing Korplug/PlugX:
1. A campaign targeting entities in **Afghanistan and Tajikistan**.
2. A separate, high-profile campaign targeting organizations in **Russia**.
The attacks were delivered via spear-phishing documents (RTF files) and cunningly named archives (RAR self-extracting archives with an `.SCR` extension) containing malicious payloads.
## Tactics, Techniques & Procedures
- **Initial Access:** Successful infections were achieved through exploit-laden spear-phishing documents using RTF files that exploit **CVE-2012-0158** in Microsoft Word.
- **Payload Delivery/Execution:** Three binary files were dropped, including a digitally signed legitimate executable, a small DLL loader, and the raw Korplug binary.
- **Evasion:** The actor uses **DLL side-loading** by abusing a legitimate, digitally signed executable to load components into memory, intending to bypass startup item monitoring checks.
- **Data Exfiltration:** Korplug is configured to recursively sweep all logical fixed and remote drives, continually monitoring attached removable media or network shares (listening for `DBT_DEVICEARRIVAL` events).
- **Information Theft:** The malware attempts to gather saved passwords, history of visited URLs, account information, and proxy information from Microsoft Messenger, Microsoft Outlook, Microsoft Internet Explorer, and Mozilla Firefox.
## Targeting
- **Sectors:** Government/Military/Diplomacy (Inferred from document names like "Situation Report about Afghan," "AGREEMENT BETWEEN THE NATO AND AFGHANISTAN," and "Telephone directory of the Ministry of Foreign Affairs of the Kyrgyz Republic").
- **Geography:** Identified campaigns target entities in **Afghanistan** and **Tajikistan** (Campaign 1), and **Russia** (Campaign 2).
- **Victims:** High-profile organizations in Russia; entities related to NATO, the Afghan military/government, and the Kyrgyz Republic Ministry of Foreign Affairs (inferred from filenames).
## Tools & Infrastructure
- **Malware Families Used:**
  - **Korplug RAT** (also known as PlugX).
  - Mention of **BlackEnergy Lite variant** (BE3) associated with the Quedagh/Sandworm group in a separate context.
- **Infrastructure (C2 Domains):**
  - `www.notebookhk[.]net`
  - `www.dicemention[.]com` (resolves to the same IPs as `notebookhk[.]net`)
  - `www.abudlrasul[.]com`
  - `newvinta[.]com`
  - `worksware[.]net`
- **Other Indicators:** Some file stealer samples contained a signature by **"Nanning weiwu Technology co.,ltd."**
## Implications
The consistent use of the Korplug RAT, coupled with the exploitation of an older but still effective vulnerability (CVE-2012-0158), suggests an actor capable of sustained, targeted espionage operations with access to ready-made, potent malware frameworks. The presence of decoy documents and file exfiltration capabilities indicates an intelligence gathering objective against specific political or defense-related targets in Central Asia and Russia.
## Mitigations
- Patch systems immediately to remediate **CVE-2012-0158** in Microsoft Office products.
- Implement robust email filtering and endpoint detection capabilities to scan for known Korplug/PlugX SHA1 hashes.
- Monitor network traffic for connections to known C2 domains or IPs associated with the actor infrastructure listed above.
- Employ application whitelisting or control of DLL loading to prevent abuse of legitimate executables for sideloading.
- Implement defenses to detect collection or exfiltration of data from high-value browser/email stores (Outlook, Firefox, IE).
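As an added example (not code from the original report), the following Python scans constructed DNS query log lines for lookups of the C2 domains listed above: it refangs the `[.]` notation, drops the `www.` label so the bare domain and any host beneath it match, and compares on label boundaries so that a look-alike such as `notebookhk.network` does not fire. The log line format is an assumption.

```python
# C2 domains exactly as listed in the report (defanged with "[.]").
KORPLUG_C2_DOMAINS = ["www.notebookhk[.]net", "www.dicemention[.]com",
                      "www.abudlrasul[.]com", "newvinta[.]com", "worksware[.]net"]

def refang(name):
    """Normalise a defanged indicator or a logged qname: '[.]' -> '.', lowercase, no trailing dot."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")

def registrable_names(indicators):
    """Drop a leading 'www.' so the bare domain and any host beneath it match, not only the www label."""
    names = set()
    for ind in indicators:
        host = refang(ind)
        names.add(host[4:] if host.startswith("www.") else host)
    return names

def host_matches(host, watchlist):
    """Return the watchlisted domain that host equals or sits under (label boundary, not substring), else None."""
    host = refang(host)
    for name in watchlist:
        if host == name or host.endswith("." + name):
            return name
    return None

# Constructed sample DNS query log (hypothetical format: "<timestamp> <client_ip> <qtype> <qname>").
SAMPLE_DNS_LOG = """\
2014-11-12T08:01:02Z 10.0.0.15 A www.notebookhk.net.
2014-11-12T08:01:05Z 10.0.0.15 A update.microsoft.com.
2014-11-12T08:03:41Z 10.0.0.23 A mail.dicemention.com.
2014-11-12T08:04:00Z 10.0.0.23 A notebookhk.network.
2014-11-12T08:05:13Z 10.0.0.7 AAAA WORKSWARE.NET.
"""

def find_c2_lookups(log_text, indicators=KORPLUG_C2_DOMAINS):
    """Return (client_ip, queried_name, matched_indicator) for each query hitting the watchlist."""
    watch = registrable_names(indicators)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:          # skip blank or malformed lines
            continue
        _ts, client, _qtype, qname = fields
        matched = host_matches(qname, watch)
        if matched:
            hits.append((client, refang(qname), matched))
    return hits

if __name__ == "__main__":
    for client, qname, ioc in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"ALERT {client} resolved {qname} (matches {ioc})")
```

The same matcher can be pointed at proxy or passive-DNS exports by adjusting only the field parsing in `find_c2_lookups`.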