# A “GULP” of PlugX – Cyber&Ramen

**cyberandramen.net/2022/01/06/a-gulp-of-plugx/**

January 6, 2022

Often attributed to Chinese-speaking threat actors, PlugX a remote access trojan(RAT), was
identified by security researchers in 2012. With several variants of the RAT identified by
vendors over the year, many techniques used to compromise systems have remained the
same.

While perusing public malware sandboxes for interesting new samples, I stumbled upon a
Windows executable that at the time, had a VirusTotal score of 9 out of 68 anti-virus vendors.

As this sample was found via a sandbox, the delivery method is unknown, and will not be
covered in this post.

## Dropper


-----

Figure 1
SHA256: d88731851cc739ee72daf53700b0008db59ebb467e2394f9b3fc2162cd3a062f

This sample was identified by VT user PerMorten as a dropper for the reflective loading of
PlugX. Looking a little closer at the supposed dropper file, three additional files within the PE
are identified:

WinHelp32.exe
rscom.dll
rscom.dll.dat

Figure 2


-----

WinHelp32.exe is a legitimate software application that will be described further below. For
PlugX aficionados, the above trio of documents likely looks familiar. A well-known technique
of PlugX is to utilize a dropper or self-extracting RAR PE file to extract files on the victim
system for execution.

## The Legitimate App

Figure 3

SHA256: ec200f75e4884933a56e82531f3f52e64e73a3347ad4a3b9e6318df82cdca92a

Winhelp32.exe is a legitimate application from the Beijing Rising IT company, a Chinese
software company that develops Rising Antivirus among other computer security software.

As the network infrastructure utilized with this malware was only recently registered as of
November 2021, the reasoning for using an outdated application is unknown. The threat
actor, in this case, may have purposefully utilized a Rising Antivirus executable in the
targeting of the intended victim or picked a random executable for their malware.

## Rscom.dll.dat

The rscom.dll file does not contain much to write about other than its main purpose is to load
the .dat file, which is the compressed/encoded PlugX payload.


-----

As the payload is what everyone is here for, let s dive a bit deeper into the data file.

The well-known magic “GULP” is visible in the .dat file through a hex editor. Additionally,
within the file, MZ and PE headers are also visible.

Figure 4
The .dat file is likely padded/compressed to evade antivirus engines. Upon execution, the file
is decompressed via a call to the Windows API, RtlDecompressBuffer, and run in memory.

Figure 5
Identified in a number of reports on network intrusions involving PlugX, a familiar decryption
routine (Figure 6) is also seen in rscom.dll.dat. The decryption routine contains multiple keys
and shift operations, identified by the shr and shl calls below.


-----

Figure 6

## Malware Flow

The unnamed dropper places the three files into “C:\\ProgramData\Log’” in addition to a file
named NvSmart.hlp (Figure 7). Upon running WinHelp32, the application deletes itself which
is another interesting choice by the threat actor, as this would likely raise suspicions by the
victim running the antivirus software.


-----

Figure 7
Watching the execution flow in your favorite Windows process monitoring software, oldschool PlugX is in full effect. WinHelp32.exe injects itself into svchost.exe, with the usual
second injected process, msiexec.exe not being seen in this case.

In most cases, if services.exe is not the process launching svchost.exe, this would be an
easy win for defenders to detect. It is likely the threat actor is relying on the behavior of
antivirus software injecting itself into a process that would not raise alarms.

Taking a look at the injected process read, write, executable (RWX) properties, we once
again see that the MZ and PE headers have been replaced with GULP, or PLUG backward.

Figure 8
A number of hardcoded values including command and control (C2) information are located
within the decoded configuration:


-----

Figure 9
Upon further research, an additional network indicator is located that appears to be a proxy
for the C2.

Figure 10


-----

So far we know the following about the network capabilities of this malware sample:

A C2 domain of xiguamomomo[.]com
Utilizes HTTP
Communicates with a proxy server of 43.129.208[.]226

References to localhost, 127.0.0.1 can be seen in Figure 9, but the malware also seems to
utilize the address for debug or anti-analysis purposes. This technique could possibly be
utilized to slow researchers who may not be running the malware as needed for proper
execution (running only the DLL file for example).

Figure 11
In addition to the possible debug strings seen in Figure 11, some 28 .cpp files indicating
additional capabilities of the RAT were also found:

XJoin.cpp
XThreadManager.cpp
XSoUdp.cpp
XSoTcpHttp.cpp
XSoTcp.cpp
XSoPipe.cpp
XSniffer.cpp
XSetting.cpp
XSessionImpersonate.cpp
XPlugTelnet.cpp
XPlugSQL.cpp
XPlugShell.cpp
XPlugService.cpp
XPlugScreen.cpp
XPlugRegEdit.cpp
XPlugProcess.cpp
XPlugPortMap.cpp
XPlugOption.cpp
XPlugNetstat.cpp
XPlugNetHood.cpp
XPlugKeyLogger.cpp
XPlugDisk.cpp
XPlugLoader.cpp
XPacket.cpp
XOnline.cpp
XInstall.cpp
XDList.cpp


-----

XBuffer.cpp

The following interesting PDB paths were also found:

12

## Network Indicators

According to PassiveDNS information, the domain xiguamomomo[.]com resolves to
111.73.46[.]103, located in China, first seen 2021-10-12.


Figure


WHOIS information reveals the domain was registered through GoDaddy, with the registrant
country listed as Cambodia, and the registrant identified as “ewrwer.”

In what could certainly be a coincidence, both xigua, and momo are popular apps originating
from China. Xigua, an online video-sharing app with users across the world, boasts some
160 million users. Momo, currently only available in Chinese, is a social networking app with
a large following.

It should be noted that not only are the delivery method of the RAT unknown, but also the
targeting. The above should be taken as low confidence at best, but certainly interesting
nonetheless.

An additional IP address of 111.73.46[.]30 (open ports: 3389, 8000, 5985, 5987, and 24681)
was also identified through packet captures.

The ports 3389 (RDP), and 5985 are largely seen among many other suspected PlugX C2
infrastructure. This IP address belongs to the Chinanet-Backbone ASN.

The possible proxy address 43.129.208[.]226 (open ports: 22, 3306, and 8443) is located in
Hong Kong and belongs to the TENCENT-NET-AP-CN ASN.

Multiple User-Agent values were also found within the decoded configuration data as seen in
Figure 13.

Figure 13
**Featured image: Photo by Markus Spiske on Unsplash


-----

## Conclusion

As there is quite a bit of information missing with this variant of PlugX, the fresh command
and control infrastructure and domain naming indicate that even dated versions of this RAT
still get the job done.

Please keep an eye out for updates to this post as I look deeper into the network
infrastructure to possibly tie additional domains/malware to the above findings.

## Indicators

Files:

Dropper file:
d88731851cc739ee72daf53700b0008db59ebb467e2394f9b3fc2162cd3a062f
WinHelp32.exe (legitimate application):
ec200f75e4884933a56e82531f3f52e64e73a3347ad4a3b9e6318df82cdca92a
Rscom.dll (loader) :
7af30d3c192f3fb85e1cadbf5c01f049f11eb036ca8107abb3451ffa0cc218b7
Rscom.dll.dat (PlugX payload):
ec46e04df901d7ec76ff1ad9ad6ceb54f8c2ad5e3597173365e094c5602e0049

Network:

xiguamomomo[.]com >> 111.73.46[.]103
111.73.46[.]30
43.129.208[.]226 (proxy)
“/update?id=” (Callback URI in config)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/31.0.1650.16 Safari/537.36
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Mozilla/5.0 (Windows NT 6.2; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.5 (KHTML, like Gecko)
Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0;
ARM; Touch)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Xbox)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)


-----

Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like
Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3


-----