{
	"id": "ff81ad02-e8e9-4d5d-b380-14314f3f682d",
	"created_at": "2026-04-06T00:19:06.617012Z",
	"updated_at": "2026-04-10T13:12:43.747489Z",
	"deleted_at": null,
	"sha1_hash": "7a4063cf9f0ab09042c47cf4b0a410ec1ba47d82",
	"title": "Unpacking the spyware disguised as antivirus | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 283331,
	"plain_text": "Unpacking the spyware disguised as antivirus | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2016-08-24 · Archived: 2026-04-05 14:47:48 UTC\r\nRecently we got access to several elements of the espionage toolkit that has been captured attacking Vietnamese institutions. During the operation, the malware was used to dox 400,000 members of Vietnam Airlines.\r\nThe payload, distributed disguised as antivirus, is a variant of Korplug RAT (aka PlugX) – a spyware with former associations with Chinese APT groups, and known from targeted attacks at important institutions of various countries. In this article we will describe the process of extracting the final payload out of its cover.\r\nAnalyzed samples\r\nSet #1:\r\n884d46c01c762ad6ddd2759fd921bf71 – McAfee.exe (harmless: reference)\r\nc52464e9df8b3d08fc612a0f11fe53b2 – McUtil.dll (shellcode loader)\r\n28f151ae7f673c0cf369150e0d44e415 – McUtil.dll.mc – shellcode\r\n321a2f0abe47977d5c8663bd7a7c7d28 – unpacked payload (DLL)\r\nExecution flow:\r\nMcAfee.exe -\u003e McUtil.dll -\u003e McUtil.dll.mc -\u003e payload (DLL)\r\nA look at the package\r\nThis spyware has an interesting, modular package. As a whole, it tries to pretend to be McAfee antivirus:\r\nIf we take a look at the executable, we see that it has been signed by the original certificate:\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/\r\nPage 1 of 10\n\nIt is not fake – the executable is a legitimate product. However, it is bundled with a DLL that is not signed – and this is the point that the attackers used in order to hijack the execution.\r\nNote that the app used in the attacks is very old (compiled in 2008). The current versions of McAfee Antivirus that we managed to test are no longer vulnerable to this type of abuse.\r\nBehavioral analysis\r\nAfter being deployed, the application runs silently. We can see the main component executing svchost.exe, and then terminating itself. This is caused by the fact that the malicious code has been injected into svchost, and will continue operating from there. Looking at the current directory of svchost.exe we can find that it inherits the default directory of the malicious app:\r\nThe bot performs reconnaissance in the LAN by scanning for other computers. It enumerates the full range of local addresses, from the lowest to the highest:\r\nIt also tried to connect with its C\u0026C (air.dscvn.org); however, at the moment of tests the domain was down:\r\nUnpacking\r\nThe application has several layers of loaders before it reaches the final functionality. The exe file, as well as the DLL, are harmless. All the malicious features lie in the external file, which is a block of obfuscated shellcode. Within the shellcode, another DLL is hidden – that is the core spy bot.\r\nLoading the shellcode\r\nThe payload is loaded in an obfuscated way containing some interesting tricks. The authors took great care that it will not be easy to analyze the modules separately.\r\nExecution starts from the harmless McAfee.exe. The malware utilizes the fact that this application loads a library called McUtil.dll from the startup directory. It doesn’t make any integrity check, so in fact, if we rename any library to the desired name, the executable will just load it:\r\nMcUtil.dll is supposed to deploy the next file: McUtil.dll.mc – however, to make the flow more difficult to follow, it doesn’t run it directly. Instead, it patches the caller executable (McAfee.exe) and makes it execute the function responsible for reading and loading the next file. Below we can see the fragment of code that writes the hook into the memory:\r\nThat’s how the above fragment of the caller’s code looks after patching. Instead of the first two lines we can see a jump into McUtil.dll:\r\nThe patching function is in DllMain of McUtil.dll – so, it is called on load. The patched line is just after the call that loaded the library:\r\nSo, the hook will be executed as soon as the loading function returns.\r\nInside the function called by the hook, the external file is opened:\r\nIt is read into the memory and then execution is redirected there:\r\nUnpacking the final payload\r\nThe shellcode is heavily obfuscated:\r\nThis is not the main stage, but an unpacker and loader of the main spyware. It decompresses the following content into a buffer:\r\nThen it reserves additional memory and starts remapping this content, chunk by chunk. By the way in which it parses it, we can notice a similarity with the process of remapping a raw PE file into a virtual image. And indeed, the unpacked content is a PE file – only the headers are distorted. The typical “MZ” and “PE” magic values were replaced with the delimiter “XV”:\r\nReconstructing the header is not difficult – we just have to substitute the real values back:\r\nAfter this small modification, the dumped image can be parsed as a normal PE file (321a2f0abe47977d5c8663bd7a7c7d28). Sections are not named, but all the content is valid:\r\nThe file characteristics describe the payload as a DLL; however, it doesn’t have any export table, so we cannot read its original name.\r\nLooking at the imports loaded by this piece we can suspect that it is the final payload. It loads and uses many functions related to network communication, for example:\r\nWe can also find the fragment responsible for retrieving the local IP of the current machine and performing the LAN scanning that we observed during behavioral analysis.\r\nThe authors took care that the payload will not run independently. That’s why it checks whether all the elements are called in the expected order. We can find hardcoded names of the main elements, used for the check:\r\nConclusion\r\nUsers are more vigilant about executables – but this time, neither the EXE nor the DLL file contained the malicious code – they were just used as loaders of the shellcode.\r\nMalwarebytes Anti-Malware detects this threat as ‘Trojan.Korplug’.\r\nAppendix\r\nhttp://e.gov.vn/theo-doi-ngan-chan-ket-noi-va-xoa-cac-tap-tin-chua-ma-doc-a-NewsDetails-37486-14-186.html – info from Vietnamese CERT\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/new-wave-of-plugx-targets-legitimate-apps/ – similar attack from 2013\r\nhttp://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/ – about the Korplug RAT targeting the military of Afghanistan and Tajikistan\r\nhttps://www.blackhat.com/docs/asia-14/materials/Haruyama/Asia-14-Haruyama-I-Know-You-Want-Me-Unplugging-PlugX.pdf – Korplug RAT analysis (presentation from BlackHat)\r\nhttps://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf – about NanHaiShu APT\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/"
	],
	"report_names": [
		"unpacking-the-spyware-disguised-as-antivirus"
	],
	"threat_actors": [
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a4063cf9f0ab09042c47cf4b0a410ec1ba47d82.pdf",
		"text": "https://archive.orkl.eu/7a4063cf9f0ab09042c47cf4b0a410ec1ba47d82.txt",
		"img": "https://archive.orkl.eu/7a4063cf9f0ab09042c47cf4b0a410ec1ba47d82.jpg"
	}
}