Mitigating BKDR_PLUGX using Trend Micro Products

    • Updated: 30 Dec 2019
    • Product/Version: Deep Security; InterScan Messaging Security Virtual Appliance; InterScan Web Security Virtual Appliance; OfficeScan; ScanMail for Exchange
    • Platform: N/A N/A

PLUGX is a remote access tool (RAT) used in targeted attacks against government-related institutions and key industries. It was used in the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.

PLUGX allows remote users to perform malicious and data theft routines on a system without the user’s permission or authorization. These malicious routines include:

  • Copying, creating, modifying, and opening files
  • Logging keystrokes and active windows
  • Logging off the current user, restarting/rebooting the affected system
  • Creating, modifying and/or deleting registry values
  • Capturing video or screenshots of user activity
  • Setting connections
  • Terminating processes

Apart from compromising system security, PLUGX’s routines could lead to further information theft if systems are left unchecked. PLUGX also gives attackers complete control over the system.

For further information on BKDR_PLUGX variants that we have already detected, click here.




BKDR_PLUGX: Prescribed Solution

Pattern Versions and Release Dates

Pattern | Version | Release Date
Virus Pattern | OPR 11.861.00 | Aug 17, 2015
Behavior Monitoring | BM Pattern OPR 1484 | Oct 6, 2015
Network Pattern | Endpoint RR 1.10075.00 | April 29, 2014
Damage Cleanup Template | Latest OPR | Pre-existing
Web Reputation | | Sept 2, 2015

Make sure to always use the latest pattern available to detect the old and new variants of BKDR_PLUGX.

Solution Map - What should customers do?

Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Network Pattern
OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via Web console | Update Pattern via Web console
Deep Security | 8.0 and above | N/A | Update Pattern via Web console | Update Pattern via Web console
ScanMail | SMEX 10 and later | N/A | N/A | N/A
 | SMD 5 and later | N/A | N/A | N/A
InterScan Messaging | IMSVA 8.0 and above | N/A | N/A | N/A
InterScan Web | IWSVA 6.0 and later | N/A | N/A | N/A
Deep Discovery | DDI 3.0 and later | N/A | N/A | Update Pattern via web console

Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.


For recommendations and the best practices that can help you better protect your network using Trend Micro products, refer to this link.
