Backdoor:Win32/Plugx.X is a detection for PlugX, a remote access trojan (RAT) that has been active since 2008. PlugX, also known as Destroy RAT, Kaba, Korplug, and several other aliases, allows attackers to gain unauthorized remote control over compromised systems and carry out a wide range of malicious activities.
It is primarily used by various advanced persistent threat (APT) groups, including APT 22, APT 26, and APT41, among others.
As a backdoor, it provides attackers with extensive capabilities, such as retrieving system information, capturing screenshots, keylogging, and managing system processes and services. Its adaptability and design make it a persistent threat, capable of evolving to bypass traditional security measures.
In addition, its ability to maintain a low profile and log its activities makes detection and mitigation efforts more complicated.
One of PlugX’s main techniques is DLL side-loading: the malicious payload is dropped as a DLL next to a legitimate, trusted executable, which loads and runs it, so the malware effectively “piggybacks” on trusted software to run unnoticed. For example, attackers have paired PlugX with real debugging tools such as x32dbg.exe. Because the malicious code runs inside a trusted process, security tools and users are less likely to suspect foul play.
Once inside, PlugX connects back to the attackers through command-and-control (C2) servers over standard internet channels like HTTP or HTTPS. To stay under the radar, it disguises this communication using ordinary-looking file names or user agent strings (which normally describe a browser or app). Through this connection, attackers can issue remote commands, such as gathering system details, taking screenshots, or controlling system processes, without the user’s knowledge.
PlugX is built to survive on a system for as long as possible:
- Persistence mechanisms: It alters Windows registry settings and creates scheduled tasks to re-establish itself after reboots, and it leaves activity logs behind on the system.
- Hidden storage: The malware can also hide files on USB drives, making them invisible to Windows users but accessible to attackers using specialized tools or non-Windows systems.
- Stealth techniques: These measures help PlugX remain active while avoiding detection, allowing attackers to quietly monitor and manipulate the compromised system over time.
Backdoor:Win32/Plugx.X creates the following files and directories:
- C:\Program Files (x86)\Google Chrome Helper\chromehelper.exe
- C:\Program Files (x86)\Google Chrome Helper
- C:\ProgramData\Microsoft\Windows Security Health\Logs
The malware also sets the following registry value:
- Key: HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults\data
  Value: D9 A7 A8 01 01 00 03 00 EC 03 F4 6F 00 00 00 00 3E 00 00 00 00 00 00 00 49 A8 A8 01 01 01 03 00 5C 4
Backdoor:Win32/Plugx.X also creates the following processes:
- "C:\Users\<USER>\Desktop\chromehelper.exe"
- %SAMPLEPATH%\chromehelper.exe
- "C:\Users\user\Desktop\chromehelper.exe"
- "C:\Program Files (x86)\Google Chrome Helper\chromehelper.exe"
- C:\Windows\System32\SecurityHealthService.exe
The malware also communicates with the following hosts:
- 184[.]27[.]218[.]92[:]80 [suspicious]
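As an added example (not part of this writeup), the following Python script matches the file, registry and network indicators listed above against Sysmon-style endpoint telemetry. The event field names (EventID, Image, DestinationIp, DestinationPort, TargetObject) follow Sysmon's schema, and the sample records are constructed, not real logs.

```python
import re

# Indicators from the writeup; the C2 address is refanged from 184[.]27[.]218[.]92[:]80.
C2_HOST = ("184.27.218.92", 80)
DROP_DIR = r"c:\program files (x86)\google chrome helper"
DESKTOP_EXEC = re.compile(r"^c:\\users\\[^\\]+\\desktop\\chromehelper\.exe$")
REG_KEY = r"system\software\microsoft\tip\aggregateresults\data"

def _normalize_key(path: str) -> str:
    """Lower-case a registry path and strip the hive prefix (HKLM or HKEY_LOCAL_MACHINE)."""
    p = path.lower()
    for hive in ("hkey_local_machine\\", "hklm\\"):
        if p.startswith(hive):
            return p[len(hive):]
    return p

def classify_event(evt: dict) -> list[str]:
    """Return the indicator labels matched by one Sysmon-style event (empty if none)."""
    hits = []
    eid = evt.get("EventID")
    if eid == 1:  # process creation
        image = evt.get("Image", "").lower()
        if image == DROP_DIR + r"\chromehelper.exe":
            hits.append("plugx_drop_dir_exec")
        elif DESKTOP_EXEC.match(image):  # any user's Desktop, as in C:\Users\<USER>\Desktop
            hits.append("plugx_desktop_exec")
    elif eid == 3:  # network connection
        if (evt.get("DestinationIp"), evt.get("DestinationPort")) == C2_HOST:
            hits.append("plugx_c2_connection")
    elif eid == 13:  # registry value set
        if _normalize_key(evt.get("TargetObject", "")) == REG_KEY:
            hits.append("plugx_registry_marker")
    return hits

def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify_event over a telemetry batch and return (RecordId, label) pairs."""
    return [(e["RecordId"], h) for e in events for h in classify_event(e)]

# Constructed sample telemetry, not real logs; benign records 1 and 6 must not match.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Users\alice\Desktop\chromehelper.exe"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Program Files (x86)\Google Chrome Helper\chromehelper.exe"},
    {"RecordId": 4, "EventID": 3, "DestinationIp": "184.27.218.92", "DestinationPort": 80},
    {"RecordId": 5, "EventID": 13, "TargetObject": r"HKLM\SYSTEM\Software\Microsoft\TIP\AggregateResults\data"},
    {"RecordId": 6, "EventID": 3, "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rid, label in hunt(SAMPLE_EVENTS):
        print(f"record {rid}: {label}")
```

The legitimate C:\Windows\System32\SecurityHealthService.exe listed above is deliberately not matched on its name alone, since that would flag every Windows host.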