Mitigating BKDR_PLUGX using Trend Micro Products

Product / Version includes:

Interscan Web Security Virtual Appliance All , Deep Security All , Interscan Messaging Security Virtual Appliance All , ScanMail for Exchange All

Last updated: 2025/05/08

Solution ID: KA-0006001

Category: SPEC , Configure , Troubleshoot , Update

Summary

PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.

PLUGX allows remote users to perform malicious and data theft routines on a system without the user’s permission or authorization. These malicious routines include:

Copying, creating, modifying, and opening files
Logging keystrokes and active windows
Logging off the current user, restarting/rebooting the affected system
Creating, modifying and/or deleting registry values
Capturing video or screenshots of user activity
Setting connections
Terminating processes

Apart from compromising system security, PLUGX’s routines could lead to further information theft if systems are left unchecked. PLUGX also gives attackers complete control over the system.

For further information on BKDR_PLUGX variants that we have already detected, click here.

BKDR_PLUGX: INFECTION CHAIN and LAYERED SOLUTION

Click image to enlarge.

BKDR_PLUGX: Prescribed Solution

Pattern Versions and Release Dates

Pattern	Version	Release Date
Virus Pattern	OPR 11.861.00	Aug 17, 2015
Behavior Monitoring	BM Pattern OPR 1484	Oct 6, 2015
Network Pattern	Endpoint RR 1.10075.00	April 29, 2014
Damage Cleanup Template	Latest OPR	Pre-existing
Web Reputation		Sept 2, 2015

Make sure to always use the latest pattern available to detect the old and new variants of BKDR_PLUGX.

Solution Map - What should customers do?

Major Products	Versions	Virus Pattern	Behavior Monitoring	Web Reputation	DCT Pattern	Network Pattern
OfficeScan	10.6 and above	Update Pattern via web console	Update Pattern via web console	Enable Web Reputation Service*	Update Pattern via Web console	Update Pattern via Web console
Deep Security	8.0 and above		N/A		Update Pattern via Web console	Update Pattern via Web console
ScanMail	SMEX 10 and later		N/A		N/A	N/A
ScanMail	SMD 5 and later		N/A		N/A	N/A
InterScan Messaging	IMSVA 8.0 and above		N/A		N/A	N/A
InterScan Web	IWSVA 6.0 and later		N/A		N/A	N/A
Deep Discovery	DDI 3.0 and later		N/A		N/A	Update Pattern via web console

Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Recommendations

For recommendations and the best practices that can help you better protect your network using Trend Micro products, refer to this link .

Related blog entries:

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Mitigating BKDR_PLUGX using Trend Micro Products

Mitigating BKDR_PLUGX using Trend Micro Products

Product / Version includes:

Summary