Dissecting PlugX to Extract Its Crown Jewels (APT, RAT, Malware, Backdoor, Yara Rules, IoCs, LEVIATHAN)

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security’s (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.

Event ID: 1531
UUID: 5eeec9aa-9d88-4ece-9e6f-9d92884ae404
Creator org: CIRCL
Owner org: LUNCHBOX
Creator user: admin@admin.test
Protected Event (experimental): Event is in unprotected mode.
Tags: type:OSINT, osint:lifetime="perpetual", osint:certainty="50", tlp:white, osint:source-type="technical-report"
Date: 2022-09-14
Threat Level: Undefined
Analysis: Initial
Distribution: All communities
Published: Yes (2022-09-21 19:38:15)
#Attributes: 82 (30 Objects)
First recorded change: 2022-09-15 14:01:57
Last change: 2022-09-19 09:49:23
Sightings: 0 (0) – restricted to own organisation only.

Related Events (date | org | event info | id)

2022-08-23 | abuse.ch | ThreatFox IOCs for 2022-08-23 | 1
2015-08-05 | CthulhuSPRL.be | OSINT Revealing the Cyber-Kraken (Threat Group 3390 / Emissary Panda) by SecureWorks | 3
2015-01-26 | CthulhuSPRL.be | OSINT I Know You Want Me – Unplugging PlugX from Takahiro Haruyama & Hiroshi Suzuki Black Hat Asia 2014 presentation | 4

Warning: potential false positives – some attributes match the Top 10K most-used sites from Tranco.


1531: Dissecting PlugX to Extract Its Crown Jewels

Galaxies

Microsoft Activity Group actor 

  •  GALLIUM   

Enterprise Attack – Intrusion Set 

  •  DragonOK – G0017   
  •  Winnti Group – G0044   

Intrusion Set 

  •  DragonOK – G0017   
  •  Winnti Group – G0044   
  •  Mustang Panda – G0129   

Threat Actor 

  •  Axiom   
  •  DragonOK   
  •  Earth Berberoka   
  •  GALLIUM   
  •  MUSTANG PANDA   

Enterprise Attack – Malware 

  •  PlugX – S0013   
  •  Winnti – S0141   

Malpedia 

  •  PlugX   

Malware 

  •  PlugX – S0013   

RAT 

  •  PlugX   

Tool 

  •  PlugX   

Attack Pattern 

  •  Spearphishing Link – T1192   
  •  Spearphishing Link – T1566.002   
  •  Match Legitimate Name or Location – T1036.005   
  •  Masquerading – T1036   
  •  Modify Registry – T1112   
  •  Obfuscated Files or Information – T1027   
  •  Registry Run Keys / Startup Folder – T1547.001   
  •  Registry Run Keys / Startup Folder – T1060   
  •  Remote System Discovery – T1018   
  •  Network Service Discovery – T1046   
  •  System Network Configuration Discovery – T1016   
  •  System Information Discovery – T1082   
  •  Windows Service – T1543.003   
  •  Remote Desktop Protocol – T1076   
  •  Remote Desktop Protocol – T1021.001   
  •  Remote Services – T1021   
  •  Boot or Logon Autostart Execution – T1547   
  •  Keylogging – T1056.001   
  •  Input Capture – T1056   
  •  Software Packing – T1045   
  •  Software Packing – T1027.002   
  •  Process Discovery – T1057   
  •  System Service Discovery – T1007   
  •  Disable or Modify Tools – T1562.001   
  •  Clipboard Data – T1115   
  •  Process Injection – T1055   
  •  DLL Side-Loading – T1073   
  •  DLL Side-Loading – T1574.002   
  •  Network Share Discovery – T1135   
  •  Query Registry – T1012   
  •  Screen Capture – T1113   
  •  Indicator Removal on Host – T1070   
  •  Phishing – T1566   
  •  Data Obfuscation – T1001   
  •  Protocol Impersonation – T1001.003   
  •  Data from Local System – T1005   
  •  Masquerade Task or Service – T1036.004   
  •  Exfiltration Over C2 Channel – T1041   
  •  System Network Connections Discovery – T1049   
  •  Process Hollowing – T1055.012   
  •  Command and Scripting Interpreter – T1059   
  •  Visual Basic – T1059.005   
  •  JavaScript – T1059.007   
  •  File Deletion – T1070.004   
  •  Bypass User Account Control – T1088   
  •  Proxy – T1090   
  •  External Proxy – T1090.002   
  •  Non-Application Layer Protocol – T1095   
  •  Ingress Tool Transfer – T1105   
  •  Automated Collection – T1119   
  •  Data Encoding – T1132   
  •  Standard Encoding – T1132.001   
  •  Deobfuscate/Decode Files or Information – T1140   
  •  User Execution – T1204   
  •  Malicious File – T1204.002   
  •  Create or Modify System Process – T1543   
  •  Abuse Elevation Control Mechanism – T1548   
  •  Inter-Process Communication – T1559   
  •  Component Object Model – T1559.001   
  •  Impair Defenses – T1562   
  •  Hide Artifacts – T1564   
  •  Hidden Files and Directories – T1564.001   
  •  System Services – T1569   
  •  Service Execution – T1569.002   
  •  Encrypted Channel – T1573   
  •  Symmetric Cryptography – T1573.001   
  •  Hijack Execution Flow – T1574   


Attributes (date | category | type | value | related events / feed hits)

2022-09-19 | Payload delivery | filename | %WINDIR%\System32\sysprep\sysprep.exe
2022-09-19 | Payload delivery | filename | %WINDIR%\System32\sysprep\cryptbase.dll
Object: yara
2022-09-16 | External analysis | reference (link) | https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf
2022-09-16 | Payload installation | yara | rule text as shown on the page (cut off after the opcode pattern):
    rule win_x64_backdoor_plug_x_core {
        meta:
            author = "Felipe Duarte, Security Joes"
            description = "Detects the PlugX Core DLL for 64 bits systems"
            sha256_reference = "af9cb318c4c28d7030f62a62f561ff612a9efb839c6934ead0eb496d49f73e03"
        strings:
            // Decryption routine
            $opcode1 = { 41 8b ?? 8b ?? 4? ff c? c1 e? 03 c1 e? 07 45 8d ?? ?? ?? ?? ?? ?? 41 8b ?? c1 e? 05 45 8d ?? ?? ?? ?? ?? ?? b? 33 33 33 33 2b ?? 8b ?? 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 03 ?? 43 8d ?? ?? 02 ?? 40 02 ?? 43 32 ?? ?? ?? 4? ff
    [rule truncated on the page]
2022-09-16 | Other | yara-rule-name (text) | win_x64_backdoor_plug_x_core
Object: yara
2022-09-16 | External analysis | reference (link) | https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf
2022-09-16 | Payload installation | yara | rule text as shown on the page (cut off after the opcode pattern):
    rule win_x86_backdoor_plug_x_core {
        meta:
            author = "Felipe Duarte, Security Joes"
            description = "Detects the PlugX Core DLL for 32 bits systems"
            sha256_reference = "fde1a930c6b12d7b00b6e95d52ce1b6536646a903713b1d3d37dc1936da2df88"
        strings:
            // Decryption routine
            $opcode1 = { 8b ?? ?? 8b ?? c1 e? 03 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 05 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 07 b? 33 33 33 33 2b ?? 8b ?? ?? 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 01 ?? ?? 8d ?? ?? 02 ?? 02 ?? ?? 89 ?? ?? 8b 5? ?? 32 ?? 32 4?
    [rule truncated on the page]
2022-09-16 | Other | yara-rule-name (text) | win_x86_backdoor_plug_x_core
Object: yara
2022-09-16 | External analysis | reference (link) | https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf
2022-09-16 | Payload installation | yara | rule text as shown on the page (cut off after the opcode pattern):
    rule win_x64_backdoor_plug_x_uac_bypass {
        meta:
            author = "Felipe Duarte, Security Joes"
            description = "Detects the PlugX UAC Bypass DLL for 64 bits systems"
            sha256_reference = "547b605673a2659fe2c8111c8f0c3005c532cab6b3ba638e2cdcd52fb62296d3"
        strings:
            // 360tray.exe stack strings
            $opcode1 = { 4? 83 e? 48 b? 33 00 00 00 4? 8d ?? ?? ?? c7 44 ?? ?? 2e 00 65 00 66 89 ?? ?? ?? b? 36 00 00 00 c7 44 ?? ?? 78 00 65 00 66 89 ?? ?? ?? b? 30 00 00 00 66 89 ?? ?? ?? b? 74 00 00 00 66 89 ?? ?? ?? b? 72 00 00
    [rule truncated on the page]
2022-09-16 | Other | yara-rule-name (text) | win_x64_backdoor_plug_x_uac_bypass
Object: yara
2022-09-16 | External analysis | reference (link) | https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf
2022-09-16 | Payload installation | yara | rule text as shown on the page (cut off after the string definitions):
    rule win_x86_backdoor_plug_x_uac_bypass {
        meta:
            author = "Felipe Duarte, Security Joes"
            description = "Detects the PlugX UAC Bypass DLL for 32 bits systems"
            sha256_reference = "9d51427f4f5b9f34050a502df3fbcea77f87d4e8f0cef29b05b543db03276e06"
        strings:
            // Main loop
            $opcode1 = { 0f b7 ?? ?? ?? ?? ?? ?? 4? 66 85 ?? 75 ?? 8d ?? ?? ?? ?? ?? ?? 66 83 3? 00 74 ?? 5? e8 ?? ?? ?? ?? 5? c3 }
            $str1 = "kernel32" nocase
            $str2 = "GetCommandLineW"
    [rule truncated on the page]
2022-09-16 | Other | yara-rule-name (text) | win_x86_backdoor_plug_x_uac_bypass
Object: yara
2022-09-16 | External analysis | reference (link) | https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf
2022-09-16 | Payload installation | yara | rule text as shown on the page (cut off after the opcode pattern):
    rule win_x64_backdoor_plug_x_shellcode {
        meta:
            author = "Felipe Duarte, Security Joes"
            description = "Detects the PlugX Shellcode for 64 bits systems"
            sha256_reference = "07ed636049be7bc31fb404da9cf12cff6af01d920ec245b4e087049bd9b5488d"
        strings:
            // Code of the decryption routine
            $opcode1 = { 41 8b ?? 41 8b ?? c1 e? 03 c1 e? 07 45 8d ?? ?? ?? ?? ?? ?? 41 8b ?? c1 e? 05 45 8d ?? ?? ?? ?? ?? ?? b? 33 33 33 33 2b ?? 41 8b ?? 44 03 ?? c1 e? 09 b? 44 44 44 44 2b ?? 44 03 ?? 43 8d ?? ?? 41 02 ?? 41 02 ?
    [rule truncated on the page]
2022-09-16 | Other | yara-rule-name (text) | win_x64_backdoor_plug_x_shellcode
Object: yara
2022-09-16 | External analysis | reference (link) | https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf
2022-09-16 | Payload installation | yara | rule text as shown on the page (cut off after the opcode pattern):
    rule win_x86_backdoor_plug_x_shellcode {
        meta:
            author = "Felipe Duarte, Security Joes"
            description = "Detects the PlugX Shellcode for 32 bits systems"
            sha256_reference = "07ed636049be7bc31fb404da9cf12cff6af01d920ec245b4e087049bd9b5488d"
        strings:
            // Code of the decryption routine
            $opcode1 = { 8b ?? c1 e? 03 8d ?? ?? ?? ?? ?? ?? 8b ?? c1 e? 05 8d ?? ?? ?? ?? ?? ?? 8b ?? ?? c1 e? 07 b? 33 33 33 33 2b ?? 01 ?? ?? 8b ?? ?? c1 e? 09 b? 44 44 44 44 2b ?? 01 ?? ?? 8b ?? ?? 8d ?? ?? 02 ?? ?? 02 ?? ?? 32 ?
    [rule truncated on the page]
2022-09-16 | Other | yara-rule-name (text) | win_x86_backdoor_plug_x_shellcode
Object: yara
2022-09-16 | External analysis | reference (link) | https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf
2022-09-16 | Payload installation | yara | rule text as shown on the page (cut off after the opcode pattern):
    rule win_x64_backdoor_plug_x_shellcode_loader_dll {
        meta:
            author = "Felipe Duarte, Security Joes"
            description = "Detects the PlugX Shellcode Loader DLL for 64 bits systems"
            sha256_reference = "6b8ae6f01ab31243a5176c9fd14c156e9d5c139d170115acb87e1bc65400d54f"
        strings:
            // Code that gets the file name of the current module and replaces its extension with .dat
            $opcode1 = { 4? 8d 1d ?? ?? ?? ?? 41 b8 00 20 00 00 33 c9 4? 8b d3 ff d0 4? 8b cb 89 44 ?? ?? ff 15 ?? ?? ?? ?? b9 64 00 00 00 8d 50 fd 33 f6 66 89 0c
    [rule truncated on the page]
2022-09-16 | Other | yara-rule-name (text) | win_x64_backdoor_plug_x_shellcode_loader_dll
Object: yara
2022-09-16 | External analysis | reference (link) | https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf
2022-09-16 | Payload installation | yara | rule text as shown on the page (cut off after the opcode pattern):
    rule win_x86_backdoor_plug_x_shellcode_loader_dll {
        meta:
            author = "Felipe Duarte, Security Joes"
            description = "Detects the PlugX Shellcode Loader DLL for 32 bits systems"
            sha256_reference = "5304d00250196a8cd5e9a81e053a886d1a291e4615484e49ff537bebecc13976"
        strings:
            // Code to set memory protections and launch shellcode
            $opcode1 = { 8d ?? ?? 5? 6a 20 68 00 00 10 00 5? ff 15 ?? ?? ?? ?? 85 ?? 75 ?? 6a 43 e8 ?? ?? ?? ?? 83 c? ?? ff d? 3d ?? ?? ?? ?? 7d ?? 85 ?? 74 ?? 6a 4a e8 ?? ?? ?? ?? 83 c? ??
    [rule truncated on the page]
2022-09-16 | Other | yara-rule-name (text) | win_x86_backdoor_plug_x_shellcode_loader_dll
Object: domain-ip
2022-09-16 | Network activity | domain | 101.55.29.17
2022-09-16 | Network activity | port | 80

Object: domain-ip
2022-09-16 | Network activity | domain | www.92al.com
2022-09-16 | Network activity | port | 53

Object: domain-ip
2022-09-16 | Network activity | domain | kr.942m.com
2022-09-16 | Network activity | port | 53
2022-09-16 | Network activity | port | 80

Object: domain-ip
2022-09-16 | Network activity | domain | wmi.ns01.us | 44
2022-09-16 | Network activity | port | 12345

Object: domain-ip
2022-09-16 | Network activity | domain | microsafes.no-ip.org
2022-09-16 | Network activity | port | 53
2022-09-16 | Network activity | port | 443
2022-09-16 | Network activity | port | 80

Object: domain-ip
2022-09-16 | Network activity | domain | services.darkhero.org | 44, 102
2022-09-16 | Network activity | port | 443