
2 posts from January 2015

Jan 29, 2015

Analysis of a Recent PlugX Variant - “P2P PlugX”

This is Shusei Tomonaga at Analysis Center.

PlugX, a Remote Access Tool (RAT) often seen in APT cases, has been in the wild for some years. Various sectors in Japan have been suffering from this type of attack since 2012, and Analysis Center has been following the evolution of the PlugX family since then.

In this blog post, I will write about a recent PlugX variant which we first encountered in October 2014. The variant has interesting new aspects and the most significant one, in my view, is the P2P function - so let me tentatively name it “P2P PlugX”.

Size Expansion of Configuration Information

PlugX runs according to configuration information embedded in its own binary. Our analysis revealed that the size of this configuration has grown in the recent variant. While former versions have either 0x2540 bytes (observed since August 2013) or 0x2d58 bytes (observed since June 2014), the recent one has 0x36a4 bytes, roughly 20% larger. The extra space supports new capabilities, such as:

  • Communication with more C&C servers: up to 16
  • P2P communication between infected nodes
  • MAC address check: PlugX runs only if the MAC address of the infected host matches the one in its configuration (if no address is specified in the configuration, PlugX runs on any host)
  • A configurable setting for which process to abuse for UAC bypass

In addition, a new encoding algorithm has been introduced.

I will describe some of the interesting features in more detail. For the full configuration layout, refer to Appendix A at the bottom of this post.

Additional Communication Protocol for C&C Servers

Former versions of PlugX could be configured with four C&C server addresses. With P2P PlugX, attackers can set up to 16 C&C servers. The communication protocol with C&C servers has also been extended.

Former PlugX could only be configured with four communication protocols; P2P PlugX adds IP protocol number 255 as a fifth option. This protocol number is reserved by IANA and has no specific application assigned to it.

Table 1: Configurations and Communication Protocol which PlugX uses to connect to C&C Servers

Configuration No. | Protocol Number (in IP header) | Data Format
1                 | 6 (TCP)                        | Binary
2                 | 6 (TCP)                        | HTTP
3                 | 17 (UDP)                       | DNS
4                 | 1 (ICMP)                       | Binary
5                 | 255                            | Binary

P2P Function Enabled

P2P PlugX can communicate with other similarly-infected hosts. Once PlugX has infected a host, it accesses every IP address in the local network one by one and communicates with any reachable node, using one of the protocols listed in Table 2.

Table 2: Configurations and Communication Protocols which P2P PlugX uses to communicate by P2P

Configuration No. | Protocol Number (in IP header) | Data Format
1                 | 6 (TCP)                        | Binary
2                 | 17 (UDP)                       | DNS
3                 | 1 (ICMP)                       | Binary
4                 | 255                            | Binary

With the P2P function, even a PlugX instance on a host with no direct access to the Internet may communicate with the C&C server through other infected hosts. We have also seen some samples with P2P disabled.

Note that this P2P communication can in theory use any TCP/UDP port. In the cases JPCERT/CC has observed, however, P2P PlugX uses only TCP/1357 or UDP/1357 for P2P communication. If you see any scanning activity toward TCP/1357 or UDP/1357, we highly recommend that you conduct further investigation.
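As an added example (not part of the original post), the following Python script applies this recommendation to a constructed set of connection log lines: it counts, per source host, the distinct destinations contacted on TCP/1357 or UDP/1357, flags sources that reach many hosts, and notes whether the targets form a contiguous address run, which is what the one-by-one local sweep described above would produce. The log format, the threshold and all addresses are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

P2P_PORT = 1357        # port observed by JPCERT/CC for P2P PlugX (TCP and UDP)
SCAN_THRESHOLD = 5     # assumed: distinct destination hosts before a source is flagged

# Assumed log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto>"
LINE_RE = re.compile(r'^(\S+) (\S+) -> (\S+):(\d+)/(tcp|udp)$')

# Constructed sample log (not real traffic): 10.0.0.50 sweeps six neighbours on
# tcp/1357, 10.0.0.9 talks to a single host on udp/1357, 10.0.0.7 connects to
# several hosts on 443, and one line is not a connection record at all.
SAMPLE_LOG = """\
2015-01-29T10:00:01 10.0.0.50 -> 10.0.0.1:1357/tcp
2015-01-29T10:00:01 10.0.0.50 -> 10.0.0.2:1357/tcp
2015-01-29T10:00:02 10.0.0.50 -> 10.0.0.3:1357/tcp
2015-01-29T10:00:02 10.0.0.50 -> 10.0.0.4:1357/tcp
2015-01-29T10:00:03 10.0.0.50 -> 10.0.0.5:1357/tcp
2015-01-29T10:00:03 10.0.0.50 -> 10.0.0.6:1357/tcp
2015-01-29T10:00:03 10.0.0.50 -> 10.0.0.6:1357/tcp
2015-01-29T10:00:04 10.0.0.9 -> 10.0.0.20:1357/udp
2015-01-29T10:00:05 10.0.0.7 -> 10.0.0.1:443/tcp
2015-01-29T10:00:05 10.0.0.7 -> 10.0.0.2:443/tcp
2015-01-29T10:00:05 10.0.0.7 -> 10.0.0.3:443/tcp
2015-01-29T10:00:05 10.0.0.7 -> 10.0.0.4:443/tcp
2015-01-29T10:00:05 10.0.0.7 -> 10.0.0.8:443/tcp
malformed line that the parser must skip
"""


def parse_line(line):
    """Return (src, dst, port, proto) for a connection record, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, port, proto = m.groups()
    return src, dst, int(port), proto


def is_contiguous(hosts):
    """True if the addresses form an unbroken ascending run (a one-by-one sweep)."""
    nums = sorted(int(ipaddress.ip_address(h)) for h in hosts)
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def find_p2p_scanners(log_text, threshold=SCAN_THRESHOLD):
    """Group 1357/tcp and 1357/udp connections by source and report the sources
    that reached at least `threshold` distinct destination hosts."""
    targets = defaultdict(set)
    protocols = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != P2P_PORT:
            continue
        src, dst, _port, proto = rec
        targets[src].add(dst)
        protocols[src].add(proto)

    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            hosts = sorted(dsts, key=lambda h: int(ipaddress.ip_address(h)))
            report[src] = {'hosts': hosts,
                           'protocols': sorted(protocols[src]),
                           'contiguous': is_contiguous(hosts)}
    return report


if __name__ == '__main__':
    for src, info in find_p2p_scanners(SAMPLE_LOG).items():
        print('%s reached %d hosts on %d/%s (contiguous=%s): %s' % (
            src, len(info['hosts']), P2P_PORT, ','.join(info['protocols']),
            info['contiguous'], ' '.join(info['hosts'])))
```

Running the block prints one line for 10.0.0.50 only: the host on udp/1357 stays below the threshold, and the 443 traffic is ignored. In practice the threshold should be tuned to the size of the monitored subnets, and a flagged source should be correlated with the other indicators in this post (the mutex, service and registry names from Appendix A) rather than acted on alone.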

New Encoding Algorithm

PlugX uses a single encoding algorithm for inbound/outbound data, configuration, key logging data and strings used internally. Its encoding method has been modified from time to time, aligned with major upgrades of PlugX itself.

Likewise, P2P PlugX has a new encoding algorithm. Here is Python code to decode it.

import struct

def plugx_decode(data):
    """Decode a blob encoded with the P2P PlugX algorithm.

    The first 4 bytes (little-endian) seed the two running keys; the
    remaining bytes are the encoded payload. Takes and returns bytes."""
    decode_key = struct.unpack_from('<I', data, 0)[0]
    out = bytearray()

    # XOR values might possibly be varied between samples.
    key1 = decode_key ^ 20140918
    key2 = decode_key ^ 353

    for c in data[4:]:
        # ADD/SUB values might possibly be varied between samples.
        key1 += 3373
        key2 -= 39779

        # Mix the byte lanes of both running keys into one key byte and XOR it
        # with the input byte (c is an int when iterating over bytes).
        dec = c ^ (((key2 >> 16) & 0xff ^ ((key2 & 0xff ^ (((key1 >> 16) & 0xff ^ (key1 - (key1 >> 8) & 0xff)) - (key1 >> 24) & 0xff)) - (key2 >> 8) & 0xff)) - (key2 >> 24) & 0xff)
        out.append(dec)

    return bytes(out)

What’s Next?

P2P PlugX introduced several new features which surely help attackers manage their attack infrastructure more efficiently. We are sure that PlugX will keep evolving, and continuous analysis will be necessary to prevent and mitigate possible incidents. We will keep you updated on any new findings.

Thank you very much for reading.

 - Shusei Tomonaga

(For any inquiry or incident report regarding PlugX, please contact info[at]jpcert.or.jp)


Appendix A: Entire Configuration of P2P PlugX
Table 3: Entire Configuration of P2P PlugX

Offset | Length   | Description
0x0000 | 20       | Not used
0x0014 | 4        | Flag: remove own DLL from the list of modules
0x0018 | 4        | Flag: enable/disable key logger
0x001c | 12       | Not used
0x0028 | 4        | Duration of suspended activity
0x002c | 4        | Duration of suspended activity
0x0030 | 672      | Network Access Flag (for a week with 15 min interval)
0x02d0 | 4 * 4    | DNS Server IP Address x 4
0x02e0 | 68 * 16  | Control Server Information x 16
0x0720 | 128 * 16 | HTTP Access URL x 16
0x0f20 | 196 * 4  | Proxy/authentication config x 4
0x1230 | 4        | Method to make it resident (e.g. Create Service, Create Run Key)
0x1234 | 512      | Folder to Install
0x1434 | 512      | Service Name
0x1634 | 512      | Service Display Name
0x1834 | 512      | Service Description
0x1a34 | 4        | Registry Root Key Value for Run Registry Key Configuration
0x1a38 | 512      | Run Registry Key Name
0x1c38 | 512      | Run Registry Key Value
0x1e38 | 4        | Enable/Disable Code Injection
0x1e3c | 512 * 4  | Program Name for Code Injection x 4
0x263c | 4        | Enable/Disable Code Injection for UAC Bypass
0x2640 | 512 * 4  | Program Name to inject code for UAC Bypass x 4
0x2e40 | 512      | Authentication Character String for PlugX
0x3040 | 512      | Authentication Character String for C&C Server
0x3240 | 512      | Mutex Name
0x3440 | 4        | Enable/Disable Screen Capture
0x3444 | 4 * 5    | Screen Capture Configuration Values
0x3458 | 528      | Folder to Store Screen Captures
0x3658 | 4        | Enable/Disable P2P (TCP)
0x365c | 4        | P2P (TCP) Port Number
0x3660 | 4        | Enable/Disable P2P (UDP)
0x3664 | 4        | P2P (UDP) Port Number
0x3668 | 4        | Enable/Disable P2P (ICMP)
0x366c | 4        | P2P (ICMP) Port Number
0x3670 | 4        | Enable/Disable P2P (IP Protocol Number 255)
0x3674 | 4        | P2P (IP Protocol Number 255) Port Number
0x3678 | 4        | Enable/Disable P2P Scanning
0x367c | 4 * 4    | P2P Scanning Beginning Address x 4
0x368c | 4 * 4    | P2P Scanning End Address x 4
0x369c | 6        | Run program only if this MAC Address is used
0x36a2 | 2        | Not used
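As an added example (not from the original post, and not taken from any PlugX sample), the following Python code parses the P2P-related fields of a decoded configuration block using the offsets from Table 3, and identifies the variant from the configuration size as described in the section on size expansion. Beyond what Table 3 states, it assumes little-endian 32-bit integers, IP addresses stored as four bytes in dotted order, null-terminated UTF-16LE strings, and all-zero fields meaning "unset"; the configuration it parses is constructed inline for the example.

```python
import struct

CONFIG_SIZE = 0x36a4   # size of the P2P PlugX configuration (from Table 3)

# Configuration sizes named in the post and the variant each one identifies.
KNOWN_SIZES = {0x2540: 'PlugX (observed since August 2013)',
               0x2d58: 'PlugX (observed since June 2014)',
               0x36a4: 'P2P PlugX (observed since October 2014)'}

# Offsets from Table 3. Only the fields relevant to the P2P function,
# plus the mutex name and key logger flag, are parsed here.
OFF_KEYLOGGER = 0x0018
OFF_MUTEX = 0x3240
OFF_P2P = 0x3658          # four (enable, port) pairs: TCP, UDP, ICMP, IP proto 255
OFF_SCAN_ENABLE = 0x3678
OFF_SCAN_BEGIN = 0x367c   # 4 * 4 bytes
OFF_SCAN_END = 0x368c     # 4 * 4 bytes
OFF_MAC = 0x369c          # 6 bytes

P2P_TRANSPORTS = ('tcp', 'udp', 'icmp', 'ipproto255')


def u32(blob, off):
    """Assumed: 32-bit little-endian integer fields."""
    return struct.unpack_from('<I', blob, off)[0]


def ip4(blob, off):
    """Assumed: IPv4 addresses stored as four bytes in dotted order."""
    return '.'.join(str(b) for b in blob[off:off + 4])


def wstr(blob, off, length):
    """Assumed: null-terminated UTF-16LE strings in fixed-size fields."""
    text = blob[off:off + length].decode('utf-16-le', errors='replace')
    return text.split('\x00', 1)[0]


def identify_variant(blob):
    return KNOWN_SIZES.get(len(blob), 'unknown (config size 0x%x)' % len(blob))


def parse_p2p_config(blob):
    """Parse the P2P-related fields of a decoded P2P PlugX configuration."""
    if len(blob) != CONFIG_SIZE:
        raise ValueError('expected 0x%x bytes, got 0x%x: %s'
                         % (CONFIG_SIZE, len(blob), identify_variant(blob)))
    cfg = {'keylogger': bool(u32(blob, OFF_KEYLOGGER)),
           'mutex': wstr(blob, OFF_MUTEX, 512),
           'p2p': {},
           'scan_enabled': bool(u32(blob, OFF_SCAN_ENABLE)),
           'scan_ranges': []}
    for i, name in enumerate(P2P_TRANSPORTS):
        base = OFF_P2P + 8 * i
        cfg['p2p'][name] = {'enabled': bool(u32(blob, base)), 'port': u32(blob, base + 4)}
    for i in range(4):
        begin = ip4(blob, OFF_SCAN_BEGIN + 4 * i)
        end = ip4(blob, OFF_SCAN_END + 4 * i)
        if begin != '0.0.0.0' or end != '0.0.0.0':   # assumed: all-zero slot is unused
            cfg['scan_ranges'].append((begin, end))
    mac = blob[OFF_MAC:OFF_MAC + 6]
    cfg['mac_filter'] = None if mac == b'\x00' * 6 else ':'.join('%02x' % b for b in mac)
    return cfg


def build_sample_config():
    """Constructed sample configuration (not from a real sample): P2P over TCP
    and UDP on port 1357, one scan range, key logger on, no MAC restriction."""
    blob = bytearray(CONFIG_SIZE)
    struct.pack_into('<I', blob, OFF_KEYLOGGER, 1)
    mutex = 'SampleMutex'.encode('utf-16-le')
    blob[OFF_MUTEX:OFF_MUTEX + len(mutex)] = mutex
    for i, (enabled, port) in enumerate([(1, 1357), (1, 1357), (0, 0), (0, 0)]):
        struct.pack_into('<II', blob, OFF_P2P + 8 * i, enabled, port)
    struct.pack_into('<I', blob, OFF_SCAN_ENABLE, 1)
    blob[OFF_SCAN_BEGIN:OFF_SCAN_BEGIN + 4] = bytes([10, 0, 0, 1])
    blob[OFF_SCAN_END:OFF_SCAN_END + 4] = bytes([10, 0, 0, 254])
    return bytes(blob)


if __name__ == '__main__':
    sample = build_sample_config()
    print(identify_variant(sample))
    for key, value in parse_p2p_config(sample).items():
        print('%-13s %s' % (key, value))
```

The size check is deliberately strict: a block of 0x2540 or 0x2d58 bytes is one of the older layouts from the post and must be parsed with that layout's offsets, so the function refuses it and names the variant instead of misreading the fields. The enable/port pairs for the four P2P transports, the scan ranges and the MAC filter are the values an incident responder would want first, since they tell you which ports to look for in the network logs and which address ranges the infected host will sweep.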

Appendix B: SHA-256 hash values of P2P PlugX
  • bc65e2859f243ff45b12cd184bfed7b809f74e67e5bb61bc92ed94058d3d2515
  • 93c85a8dd0becc4e396eea2dc15c0010ff58d2b873d44fd7e45711a27cfe613b
  • 0ff134057a8b2e31b148fedfdd185f5b1a512149499a8c5c0915cf10b10a613e

Jan 15, 2015

AfricaCERT Workshop and Training in Mauritius

Happy New Year 2015 to everyone!

I am Toru Yamauchi, Research Director of JPCERT/CC.

JPCERT/CC has been contributing to the CSIRT community in Africa in order to enhance global cybersecurity activity. With the rapid development of ICT in Africa, it is becoming more important for the region to accelerate human resource development in the cybersecurity area and to establish regional cooperation, especially among National CSIRTs. I would like to introduce our recent on-site training program in Mauritius, conducted by my colleague Sparky (Mr. Koichiro Komiyama) and me in late November 2014, based on JPCERT/CC’s collaboration with AfricaCERT.

Outline of Mauritius and ICT

The Republic of Mauritius is an island nation in the Indian Ocean, located about 2,000 kilometers off the southeast coast of the African continent. The majority of the population is Indo-Mauritian. We felt that its culture differs from that of the African continent because of its history.

The Government of Mauritius is promoting the ICT industry as well as the tourism industry. It aims to make the country an ICT hub in the Indian Ocean and invites ICT companies from overseas. The headquarters of AFRINIC* is also located in Ebene City, Mauritius.

* African Network Information Center, the Regional Internet Registry for Africa and the Indian Ocean.

(Photo: On a beautiful street in an early morning in Port Louis, the capital of Mauritius)

Training Courses at AfricaCERT Workshop, Mauritius

We conducted a training program at Hennessy Park Hotel, Ebene City on November 25, 2014. It was organized as the AfricaCERT workshop, one of the programs under AFRINIC 21.

AfricaCERT was officially established in 2012 as the African forum of Computer Emergency Response Teams. Currently the forum is led by Mr. Jean Robert Hountomey, Mr. Jacques Houngbo and Mr. Marcus Adomey. JPCERT/CC has been supporting their activities mainly through CSIRT training courses for their technical staff. We have conducted 10 training courses since November 2010. In Mauritius, we also collaborated with FIRST, which provides the TRANSITS training courses for CSIRT professionals all over the world. The course accommodated about 30 participants from various African regions: Benin, Botswana, Burkina Faso, Cameroon, Chad, the Comoros, Congo, Djibouti, Gabon, Ghana, Ivory Coast, Kenya, La Reunion, Mauritius, Mozambique, Rwanda, South Africa, Tunisia and Zambia. The participants included some staff working at National CSIRTs.

(Photo: At the AfricaCERT Workshop)

In JPCERT/CC’s training, we had the following two parts:

i) Technical exercise on Apache Log Analysis (Basic and Advanced)

ii) Introduction of Cybersecurity in Japan, including JPCERT/CC’s activities

Sparky led the Apache Log Analysis (Basic and Advanced) exercise. He delivered intensive hands-on training to provide practical incident response skills that can be applied at the participants’ local organizations. This exercise was timely because Apache log analysis is one of the key techniques for dealing with web-based attacks such as XSS (cross-site scripting), CSRF (cross-site request forgery) and so forth. I hope that the trainees continue to study how to analyze indicators such as Apache logs, which is needed for their CSIRT operations.

(Photo: Sparky at the training)

Subsequently, I gave a lecture on “Cybersecurity in Japan and JPCERT/CC”. In particular, I introduced the “Cyber Security Basic Act”, which had just been approved by the Japanese Diet on November 6, 2014 to strengthen Japan’s cybersecurity measures. I also talked about the roles of JPCERT/CC as a technical CSIRT and a neutral organization. Some participants asked why JPCERT/CC conducts training in Africa. We answered that we hope to develop human resources not only for Africa but also for Japan itself, since we share the global Internet. “Your security is my security”: it is important to pay attention to the security capability of the other stakeholders of the Internet in order to enhance cybersecurity at a global level. I was personally happy that Dr. Nii Quaynor, the “Father of the African Internet”, who has been supporting our activities from the beginning, seconded our point of view.

Friendship with the Security Community in Africa

Besides the training sessions, we were able to build a good relationship with the people of AfricaCERT. Sparky is already known in the AfricaCERT community as one of the Board Members of FIRST.

On November 28, we were invited to the national Cybersecurity Day event by the Mauritian National Computer Security Incident Response Team (CERT-MU). We were impressed by the cybersecurity policies implemented by the people of Mauritius.

We spent a meaningful week in Mauritius supporting the AfricaCERT event. JPCERT/CC will keep in touch with them to maintain the peace and safety of the Internet in the global community, and we are happy to work not only with AfricaCERT but with any other National or industry CSIRTs in this rapidly growing region.

If you have any inquiries on this topic or our CSIRT training programs, please contact us at “global-cc[at]jpcert.or.jp”.

Thank you for reading.

 - Toru Yamauchi