
New PlugX campaigns utilising Steam

The PlugX Remote Access Trojan (RAT), active since 2008 and primarily attributed to Chinese state-sponsored threat actors, continues to evolve. Initially delivered through phishing emails and deceptive files, a new variant has emerged since February 2023. This variant propagates via infected USB drives, marking a significant shift in its deployment strategy. Notably, recent campaigns have expanded the target base from governmental entities to civilian users, leveraging platforms such as Steam, thus broadening its impact and potential victim pool. The strategic targeting of civilians can be linked to the increased likelihood that many civilians, especially those working in critical sectors, have access to data of interest to Chinese state-sponsored actors. Given the sophistication of these threats, partnering with a Managed Detection and Response (MDR) service like Ontinue is crucial for proactive threat management and robust defense.

Historical Context and Evolution

PlugX has been extensively used by China-based cyber-espionage groups and, more recently, by the BlackBasta ransomware group, believed to be from Russia or Eastern Europe. This cross-regional utilization underscores PlugX’s versatility and appeal among diverse threat actors. High-profile victims have included the Japanese, Vietnamese, Indian, and Philippine governments, as well as US defense contractors, with operations primarily aimed at exfiltrating sensitive information for strategic advantages.

Advanced Delivery Mechanisms

Historically, PlugX utilized phishing emails and malicious files for delivery. The new USB worm variant represents a sophisticated evolution in its delivery mechanisms. This variant initiates its payload upon the insertion of an infected USB drive, marking a shift towards exploiting removable media to propagate malware.

Technical Analysis of the Steam Variant

Initial Execution and Persistence

As in most PlugX variants, DLL side-loading is the core tactic here. Upon USB insertion, an executable named “.exe”, signed by Beijing Hongdao Changxing International Trade Co., Ltd., is launched. This execution triggers the creation of steam_monitor.exe (signed by Valve) along with several other DLL files and executables. Most of these files serve as obfuscation layers; only a few perform the core malicious tasks.

Registry Modification

The “.exe” file establishes a registry key named “Steam Monitor” at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This registry entry ensures that a file called crashhandler.dll is executed automatically on user login, maintaining persistence across reboots. That DLL then launches IDMan.exe to begin the C2 connection.

Command-and-Control (C2) Communication

IDMan.exe activates IDMGetAll.dll, which establishes a C2 connection with the IP address 103[.]164[.]203[.]164 via port 443. This Malaysian IP address, known to be associated with PlugX, was flagged for malicious activity approximately eleven months ago. This C2 connection can be used for both command and control and data exfiltration.

Credential Harvesting and Data Exfiltration

steam_monitor.exe leverages werfault.exe, a native Windows error reporting process, to dump stored browser credentials. This technique exemplifies the sophisticated methods used to blend malicious activities with legitimate system processes, thereby evading detection.
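The chain described in the Initial Execution, Registry Modification, C2 and Credential Harvesting sections above reduces to three host-observable indicators: the “Steam Monitor” Run value pointing at crashhandler.dll, an outbound connection to 103.164.203.164 on port 443, and werfault.exe spawned by steam_monitor.exe. The following detection logic is an added example, not Ontinue’s tooling; the event shape, file paths and benign sample events are constructed, and the indicators themselves come from the write-up.

```python
import json

# Indicators quoted from the write-up (the C2 address appears defanged there).
C2_IP = "103.164.203.164"
C2_PORT = 443
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"  # Sysmon-style abbreviation
RUN_VALUE = "Steam Monitor"
PERSIST_DLL = "crashhandler.dll"

# Constructed sample telemetry in a simplified Sysmon-like JSON-lines shape; paths are made up.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"type": "registry_set", "key": RUN_KEY, "value": RUN_VALUE,
     "data": r"C:\Users\u\AppData\Local\Temp\crashhandler.dll"},
    {"type": "network_connect", "image": r"C:\Users\u\AppData\Local\Temp\IDMan.exe",
     "dst_ip": C2_IP, "dst_port": 443},
    {"type": "process_create", "image": r"C:\Windows\System32\werfault.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\steam_monitor.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\werfault.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},  # benign WER launch, must not alert
])

def basename(path):
    """Last component of a Windows path, lower-cased, for parent/child image comparisons."""
    return path.lower().rsplit("\\", 1)[-1]

def check_event(ev):
    """Return (rule_name, detail) if the event matches one of the page's indicators, else None."""
    t = ev.get("type")
    # Registry persistence: match on the value name or on the DLL the value points at.
    key = ev.get("key", "").upper().replace("HKEY_LOCAL_MACHINE", "HKLM")
    if t == "registry_set" and key == RUN_KEY.upper():
        if ev.get("value") == RUN_VALUE or PERSIST_DLL in ev.get("data", "").lower():
            return ("plugx_run_key_persistence", ev.get("data", ""))
    # C2: exact address and port from the report.
    if t == "network_connect" and ev.get("dst_ip") == C2_IP and ev.get("dst_port") == C2_PORT:
        return ("plugx_c2_connection", ev.get("image", ""))
    # Credential dumping: werfault.exe is legitimate, the parent is what makes it suspicious.
    if (t == "process_create" and basename(ev.get("image", "")) == "werfault.exe"
            and basename(ev.get("parent_image", "")) == "steam_monitor.exe"):
        return ("plugx_werfault_credential_dump", ev.get("parent_image", ""))
    return None

def scan_jsonl(text):
    """Parse JSON-lines telemetry and return the (rule_name, detail) hits in event order."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            hit = check_event(json.loads(line))
            if hit:
                hits.append(hit)
    return hits
```

Running scan_jsonl(SAMPLE_JSONL) yields one hit per stage of the chain and none for the benign werfault.exe launch; the same three rules map directly onto EDR or SIEM queries over real Sysmon registry, network and process-creation events.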

Civilian Targeting Rationale

Many civilians, particularly those employed in critical infrastructure sectors, technology companies, and defense contracting, have access to sensitive data of strategic interest to Chinese threat actors. By expanding its reach to civilian users through platforms like Steam, PlugX enhances its potential to infiltrate environments where valuable information is accessible. This approach not only broadens the scope of potential victims but also increases the likelihood of obtaining high-value intelligence.

Comparative Analysis with Mandiant Findings

PlugX’s exploitation techniques, particularly DLL side-loading and leveraging non-native processes, are consistent with patterns observed in other sophisticated malware as detailed in various Mandiant reports. For instance, similar DLL side-loading methods have been documented in campaigns involving other state-sponsored threats, highlighting a common tactic among advanced persistent threats (APTs).

Recommendations for Enhanced Security

The complexity and stealth of the PlugX Steam variant highlight the need for robust security measures. Here are some key recommendations:

  1. Implement Advanced Endpoint Detection and Response (EDR) Solutions:
     Employ EDR tools capable of identifying and mitigating threats through behavioral analysis and anomaly detection.
  2. Conduct Regular Security Audits and Penetration Testing:
     Perform comprehensive security assessments to identify vulnerabilities and ensure robust defense mechanisms.
  3. Enhance User Awareness and Training:
     Provide regular training sessions to educate users about phishing attacks and safe USB practices.
  4. Adopt a Managed Detection and Response (MDR) Service:
     Partner with an MDR service like Ontinue to gain access to continuous monitoring, advanced threat intelligence, and rapid incident response capabilities.

The Role of Ontinue in Mitigating PlugX Threats

Ontinue offers a comprehensive MDR service designed to address the sophisticated threats posed by malware like PlugX. Key benefits include:

  • 24/7 Threat Monitoring:
    Continuous surveillance of your IT environment to detect and respond to threats in real time.
  • Advanced Threat Intelligence:
    Leverage cutting-edge threat intelligence to stay ahead of emerging threats and vulnerabilities.
  • Rapid Incident Response:
    Swift and effective incident response to contain and mitigate the impact of security breaches.
  • Proactive Threat Hunting:
    Conduct proactive threat hunting to identify and neutralize potential threats before they can cause harm.

Conclusion

This PlugX Steam variant represents a significant development in the malware’s evolution, demonstrating an advanced capability to target both governmental and civilian entities. By exploiting popular platforms like Steam, PlugX not only increases its potential victim base but also enhances its operational stealth and persistence. To effectively combat such sophisticated threats, it is imperative to adopt advanced security measures and consider partnering with a reliable MDR service like Ontinue. By doing so, organizations can ensure a robust defense against evolving cyber threats and maintain the integrity of their critical assets.

Article By

William Bailey
Senior SOC Analyst

Will is a Senior SOC Analyst at Ontinue.