Summary
PLUGX is a remote access tool (RAT) used in targeted attacks aimed at government-related institutions and key industries. It is used in the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.
PLUGX allows remote users to perform malicious and data theft routines on a system without the user's permission or authorization. These malicious routines include:
- Copying, creating, modifying, and opening files
- Logging keystrokes and active windows
- Logging off the current user, restarting/rebooting the affected system
- Creating, modifying and/or deleting registry values
- Capturing video or screenshots of user activity
- Establishing network connections
- Terminating processes
Apart from compromising system security, PLUGX's routines could lead to further information theft if affected systems are left unchecked. PLUGX also gives attackers complete control over the system.
For further information on BKDR_PLUGX variants that we have already detected, click here.
BKDR_PLUGX: Infection Chain and Layered Solution
Pattern Versions and Release Dates
| Pattern | Version | Release Date |
|---|---|---|
| Virus Pattern | OPR 11.861.00 | Aug 17, 2015 |
| Behavior Monitoring | BM Pattern OPR 1484 | Oct 6, 2015 |
| Network Pattern | Endpoint RR 1.10075.00 | April 29, 2014 |
| Damage Cleanup Template | Latest OPR | Pre-existing |
| Web Reputation | | Sept 2, 2015 |
Always use the latest available pattern to detect both old and new variants of BKDR_PLUGX.
Solution Map - What should customers do?
| Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Network Pattern |
|---|---|---|---|---|---|---|
| OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via web console | Update Pattern via web console |
| Deep Security | 8.0 and above | N/A | Update Pattern via web console | Update Pattern via web console | | |
| ScanMail | SMEX 10 and later | N/A | N/A | N/A | | |
| ScanMail | SMD 5 and later | N/A | N/A | N/A | | |
| InterScan Messaging | IMSVA 8.0 and above | N/A | N/A | N/A | | |
| InterScan Web | IWSVA 6.0 and later | N/A | N/A | N/A | | |
| Deep Discovery | DDI 3.0 and later | N/A | N/A | Update Pattern via web console | | |
*Refer to the Product Administrator's Guide on how to enable the Email Reputation and Web Reputation services.
Recommendations
For recommendations and best practices that can help you better protect your network using Trend Micro products, refer to this link.
Related blog entries: