Threat behavior
TrojanDropper:Win32/Korplug has been observed to deploy PlugX, a remote access trojan (RAT) that has been active since 2008. PlugX, also known as Destroy RAT, Kaba, Korplug, and several other aliases, gives attackers unauthorized remote control over compromised systems and lets them carry out a wide range of malicious activities.
It is primarily used by various advanced persistent threat (APT) groups, including APT 22, APT 26, and APT41, among others.
One of PlugX’s main tricks is DLL side-loading: the malicious code is packaged as a DLL and placed where a legitimate, trusted program will load it, so it “piggybacks” on that software and runs unnoticed. For example, attackers may pair PlugX with real debugging tools like x32dbg.exe. Because the malicious file runs inside a trusted program, security tools and users are less likely to suspect foul play.
Once inside, PlugX connects back to the attackers through command-and-control (C2) servers over standard internet channels like HTTP or HTTPS. To stay under the radar, it disguises this traffic with ordinary-looking file names and user agent strings (the header that normally identifies a browser or app). Through this connection, attackers can issue remote commands, such as gathering system details, taking screenshots, or controlling system processes, without the user’s knowledge.
Its adaptability and design make it a persistent threat, capable of evolving to bypass traditional security measures. In addition, its ability to maintain a low profile and log its activities makes detection and mitigation efforts more complicated.
PlugX is built to survive on a system for as long as possible:
- Persistence mechanisms: It alters Windows registry settings, creates scheduled tasks, and leaves behind activity logs to re-establish itself after reboots.
- Hidden storage: The malware can also hide files on USB drives, making them invisible to Windows users but accessible to attackers using specialized tools or non-Windows systems.
- Stealth techniques: These measures help PlugX remain active while avoiding detection, allowing attackers to quietly monitor and manipulate the compromised system over time.
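The side-loading technique described above leaves a simple artifact a defender can look for: a DLL sitting beside a trusted host executable (the page names x32dbg.exe) whose signature is missing, invalid, or from a different publisher than the executable itself. The following PowerShell script is an added example written for this page, not Microsoft's own tooling or a detection signature; the search roots and the list of host executable names are assumptions you should adapt to your environment.

```powershell
# Added example (not from the original page): list DLL side-loading candidates.
# Assumption: a DLL next to a signed host EXE that is unsigned, has an invalid
# signature, or is signed by a different publisher deserves a closer look.
param(
    # Assumed search roots; user-writable locations are a common drop spot.
    [string[]]$SearchRoot = @("$env:ProgramData", "$env:USERPROFILE", "$env:TEMP"),
    # Host executable names to check; x32dbg.exe comes from the page, extend as needed.
    [string[]]$HostExeName = @('x32dbg.exe')
)

function Get-SignerSubject {
    param([System.Management.Automation.Signature]$Signature)
    if ($Signature.SignerCertificate) { $Signature.SignerCertificate.Subject } else { '<unsigned>' }
}

function Get-SideLoadCandidate {
    param([string[]]$Roots, [string[]]$ExeNames)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $ExeNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe          = $_
            $exeSig       = Get-AuthenticodeSignature -FilePath $exe.FullName
            $exePublisher = Get-SignerSubject -Signature $exeSig

            # Every DLL in the same directory is a potential side-load target.
            Get-ChildItem -Path $exe.DirectoryName -Filter '*.dll' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dllSig       = Get-AuthenticodeSignature -FilePath $_.FullName
                $dllPublisher = Get-SignerSubject -Signature $dllSig

                # Report the DLL if its signature is not valid or its signer differs from the host EXE.
                if ($dllSig.Status -ne 'Valid' -or $dllPublisher -ne $exePublisher) {
                    [pscustomobject]@{
                        HostExe    = $exe.FullName
                        HostSigner = $exePublisher
                        Dll        = $_.FullName
                        DllStatus  = $dllSig.Status
                        DllSigner  = $dllPublisher
                        DllWritten = $_.LastWriteTime
                    }
                }
            }
        }
    }
}

Get-SideLoadCandidate -Roots $SearchRoot -ExeNames $HostExeName | Format-Table -AutoSize
```

The output is a list of review candidates, not a verdict: legitimately unsigned debugger builds will show up too, so compare the DLL's write time and location against the host program's installation, and treat a recently written, unsigned DLL in a user-writable folder as the case worth investigating first.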
Prevention
Guidance for individual users
Keep your operating system and antivirus products up to date. Customers who have turned on automatic updates do not need to take additional action.
Take these steps to help prevent malware infection on your computer.
Guidance for enterprise administrators and Microsoft 365 Defender customers
Ransomware attacks enterprises more often than individuals. Following the mitigation steps below can help prevent ransomware attacks.
Microsoft recommends the following mitigations to reduce the impact of this activity.