Fresh PlugX October 2019
By SC
Published: 2019-11-17 · Archived: 2026-04-05 23:04:15 UTC
On 15 November 2019, I received a VirusTotal notification for a copy of PlugX that had been uploaded ( Yara -
 PlugXBootLDRCode from https://github.com/citizenlab/malware-signatures/blob/master/malware-families/plugx.yara ).
MD5          : ce67994a4ee7cf90645e93aec084230d
SHA1         : b42c84f851b8b7d2d2ddfbc9ac94e001204faf45
SHA256       : 6b46e36245b5b9ed13c0fbfae730b49c04aba43b98deb75e388e03695ff5cbd1
Type         : Win32 DLL
First seen   : 2019-11-15 08:04:32 UTC
Last seen    : 2019-11-15 08:04:32 UTC&nbsp
First name   : plugx.dll 
What stood out from the notification (outside of the file being named plugx.dll) was a compilation time of Fri Oct
4 08:34:45 2019 UTC (a little more then a month before the writing of this post).
Initial Validation
This specific rule matches on operations for assembling a set of API calls - shown below
$ yara -s All.yara sample
PlugXBootLDRCode [PlugX,Family]
6b46e36245b5b9ed13c0fbfae730b49c04aba43b98deb75e388e03695ff5cbd1
0x7708:$GetProcAdd: 80 38 47 75 36 80 78 01 65 75 30 80 78 02 74 75 2A 80 78 03 50
0x7786:$L4_LoadLibraryA: C7 85 5C FF FF FF 4C 6F 61 64 C7 85 60 FF FF FF 4C 69 62
0x7859:$L4_ExitThread: C7 85 FC FE FF FF 45 78 69 74 C7 85 00 FF FF FF 54 68 72 65
https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html
Page 1 of 4

Screenshot of match condition in IDA
As a general note, the -s flag in Yara is used for outputting the matched strings and is extremely useful for
debugging rules and evaluating why a file matched.
From a quick comparison of the strings, a quick Google search found previous reporting confirming this file was
PlugX (ref: http://takahiroharuyama.github.io/blog/2014/03/27/id-slash-idapython-scripts-extracting-plugx-configs/)
DEMO...
THIS IS A DEMO VERSION!!!
\\.\PIPE\RUN_AS_USER(%d)
%WINDIR%\SYSTEM32\SERVICES.EXE
Software\Microsoft\Windows\CurrentVersion\Run
System\CurrentControlSet\Services
debug.hlp
C:\Windows\System32\rundll32.exe "%s" BypassUAC %s
PI[%8.8X]
%s\%d.plg
mytilus3.hlp
%04d-%02d-%02d %02d:%02d:%02d
Overlaps with versions
https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html
Page 2 of 4

A outstanding point of reference evaluating PlugX is the Sophos report (https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf).  On Page 7, Gabor Szappanos has a table
covering the supported commands.  In this copy, sub_10008DE acts as a command handler for evaluating operator
commands and can be used to evaluate this copy against that from 2014:
In the above screenshot, many of the commands from the 2014 version are present; some additional commands
are present, however, handled withing sub-functions of sub_10008DE.
What did appear unique was a set of commands for monitor clipboard activity:
https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html
Page 3 of 4

An initial Google search did not show any hits for these being previously documented commands in PlugX -
suggesting it may be a new feature - however, further analysis is needed to validate this.
Source: https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html
https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html
Page 4 of 4