The National Cybersecurity and Communications Integration Center became aware of multiple malware implants, including RedLeaves and PlugX, that target various vertical industries. How do these malware implants work? How can we counter them?
Attackers use compromised system administrator credentials to deploy multiple malware implants, including RedLeaves and PlugX. They also make use of PowerSploit, an open source PowerShell post-exploitation framework written for penetration testers; in the attackers' hands it serves the same purpose on the hosts they have already compromised.
RedLeaves and PlugX (also known as Sogu) are based on existing malware code, but have been modified so that existing antivirus signatures no longer match them. Once placed on a target system, they are executed through a DLL side-loading technique, in which a legitimate program is made to load a malicious DLL from its own directory. The technique uses three files:
- a nonmalicious executable to start the installation;
- a malicious DLL loader; and
- an encoded payload file that the loader decodes into memory.
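As an added illustration (not code from the alert or from any of the vendors it cites), the following Python script hunts for the three-file layout just described: a directory holding an executable that carries an Authenticode signature blob, a DLL in the same directory that carries none, and a non-PE file whose bytes look encoded (high Shannon entropy). It decides "signed" by reading the security data directory from the PE header itself and does not validate the signature. The directory tree it scans, the file names and the minimal PE headers are all constructed here for the demo.

```python
"""Hunt for the three-file DLL side-loading layout (signed EXE + unsigned
DLL + encoded payload file in one directory).  Added example, not the
alert's code; the demo tree it scans is constructed below."""
import hashlib
import math
import os
import struct
import tempfile
from collections import Counter


def pe_info(data: bytes):
    """Return (is_pe, is_dll, has_signature_blob) from the PE headers only.

    has_signature_blob is True when the IMAGE_DIRECTORY_ENTRY_SECURITY entry
    has a non-zero size, i.e. an Authenticode blob is attached.  Nothing is
    verified; a forged or revoked signature still counts as present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False, False
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    is_dll = bool(characteristics & 0x2000)          # IMAGE_FILE_DLL
    opt = coff + 20                                  # optional header
    if opt + 2 > len(data):
        return True, is_dll, False
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = {0x10B: 96, 0x20B: 112}.get(magic)          # PE32 / PE32+ data dirs
    if dd is None:
        return True, is_dll, False
    sec = opt + dd + 4 * 8                           # entry 4 = SECURITY
    if sec + 8 > len(data):
        return True, is_dll, False
    _file_offset, size = struct.unpack_from("<II", data, sec)
    return True, is_dll, size > 0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniform random, plain text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_sideload_triads(root: str, min_entropy: float = 7.0):
    """Return [(directory, signed_exes, unsigned_dlls, blobs)] for every
    directory that holds all three parts of the side-loading layout."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        signed_exes, unsigned_dlls, blobs = [], [], []
        for name in sorted(files):
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            is_pe, is_dll, signed = pe_info(data)
            if is_pe and not is_dll and signed:
                signed_exes.append(name)
            elif is_pe and is_dll and not signed:
                unsigned_dlls.append(name)
            elif not is_pe and len(data) >= 1024 and shannon_entropy(data) >= min_entropy:
                blobs.append(name)
        if signed_exes and unsigned_dlls and blobs:
            hits.append((dirpath, signed_exes, unsigned_dlls, blobs))
    return hits


def fake_pe(is_dll: bool, signed: bool) -> bytes:
    """Minimal PE32 header for the demo: not loadable, just enough for pe_info."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    chars = 0x0102 | (0x2000 if is_dll else 0)                  # EXEC|32BIT[|DLL]
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x400, 0x800)  # fake Authenticode dir
    return dos + b"PE\0\0" + coff + bytes(opt)


def demo():
    """Build a constructed tree (one suspect dir, one benign dir) and scan it."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    suspect, benign = os.path.join(root, "suspect"), os.path.join(root, "benign")
    os.makedirs(suspect)
    os.makedirs(benign)
    # Deterministic high-entropy bytes stand in for the encoded payload file.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    files = {
        (suspect, "launcher.exe"): fake_pe(is_dll=False, signed=True),
        (suspect, "helper.dll"): fake_pe(is_dll=True, signed=False),
        (suspect, "config.dat"): blob,
        (benign, "tool.exe"): fake_pe(is_dll=False, signed=True),
        (benign, "readme.txt"): b"plain text, low entropy\n" * 100,
    }
    for (d, name), content in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return find_sideload_triads(root)


if __name__ == "__main__":
    for dirpath, exes, dlls, blobs in demo():
        print(f"{dirpath}: exe={exes} dll={dlls} payload={blobs}")
```

Point find_sideload_triads at a real tree (user profiles, ProgramData, temp directories) and treat each hit as a lead for manual review rather than a verdict: legitimate installers also ship a signed launcher beside unsigned DLLs and compressed data files, so the value of the heuristic is in the short list it produces, not in the individual match.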
RedLeaves connects to its command-and-control (C&C) server over TCP port 443, the port normally used for HTTPS, but it calls the HTTP API function without the secure flag set. As a result the data is not encrypted and there is no SSL/TLS handshake, which would normally be present in port 443 traffic; port 443 sessions that never negotiate TLS are therefore a useful indicator of this implant. It collects the system name, operating system version, system uptime, processor specifications and other host data for its operators.
PlugX is a sophisticated remote access tool (RAT) that communicates with its C&C server over TCP ports 443, 80, 8080 and 53. It is modular: the operator can add, remove or update plug-ins at runtime, and the known plug-ins include Netstat, Keylog, Portmap, SQL and Telnet. Because those ports normally carry HTTPS, HTTP and DNS, traffic on them that does not look like the expected protocol deserves inspection.
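The two C&C behaviours above (RedLeaves on port 443 with no TLS handshake, PlugX on 443, 80, 8080 and 53) share one detection idea: look at the first bytes a client sends on a well-known port and check that they resemble the protocol that port normally carries. The following Python code is an added example, not from the alert or any vendor report; the flow records and payloads it inspects are constructed, and the non-TLS port 443 beacon is a placeholder rather than RedLeaves' real wire format.

```python
"""Port/protocol mismatch check for the C&C patterns described above.
Added example, not from the alert; flows below are constructed, and the
non-TLS port 443 payload is a stand-in, not RedLeaves' real format."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ", b"DELETE ")
EXPECTED = {443: "tls", 80: "http", 8080: "http", 53: "dns"}   # what each port should carry


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    2-byte length, then a Handshake header whose type byte is 1 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)


def is_http_request(payload: bytes) -> bool:
    return payload.startswith(HTTP_METHODS)


def is_dns_query(msg: bytes) -> bool:
    """12-byte header with QR bit clear and QDCOUNT >= 1, followed by a
    length-prefixed label sequence, a zero byte, and QTYPE/QCLASS."""
    if len(msg) < 17:
        return False
    flags = int.from_bytes(msg[2:4], "big")
    qdcount = int.from_bytes(msg[4:6], "big")
    if flags & 0x8000 or qdcount == 0:
        return False
    i = 12
    while i < len(msg):
        n = msg[i]
        if n == 0:
            return i + 5 <= len(msg)                # room for QTYPE and QCLASS
        if n > 63 or i + 1 + n > len(msg):          # labels are at most 63 bytes
            return False
        i += 1 + n
    return False


def classify_flow(proto: str, dst_port: int, first_payload: bytes) -> str:
    """'ok', 'mismatch:<expected>' or 'unmonitored' for the first client bytes
    of a flow.  DNS over TCP carries a 2-byte length prefix that must match."""
    expected = EXPECTED.get(dst_port)
    if expected is None:
        return "unmonitored"
    if expected == "tls":
        ok = is_tls_client_hello(first_payload)
    elif expected == "http":
        ok = is_http_request(first_payload)
    else:
        msg = first_payload
        if proto == "tcp":
            if len(msg) < 2 or int.from_bytes(msg[:2], "big") != len(msg) - 2:
                return "mismatch:dns"
            msg = msg[2:]
        ok = is_dns_query(msg)
    return "ok" if ok else f"mismatch:{expected}"


# Constructed flows: (label, proto, dst_port, first client payload)
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header, RD set, 1 question
             + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")    # example.com A IN
SAMPLE_FLOWS = [
    ("tls-443", "tcp", 443, b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 40),
    ("plaintext-443", "tcp", 443, b"\x01\x00\x00\x00HOST=WS01;OS=6.1;UP=3600\x00"),  # stand-in beacon
    ("http-80", "tcp", 80, b"GET /update.php HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n"),
    ("binary-8080", "tcp", 8080, b"\x8a\x00\x00\x00\x04\x00\x00\x00" + b"\x91" * 24),
    ("dns-53", "tcp", 53, len(DNS_QUERY).to_bytes(2, "big") + DNS_QUERY),
    ("nondns-53", "tcp", 53, b"\x00\x0a" + b"\xde\xad\xbe\xef" + b"\x00" * 6),
    ("ssh-22", "tcp", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]


def scan_flows(flows):
    """Return [(label, dst_port, verdict)] for flows whose first bytes do not
    match the protocol their destination port normally carries."""
    alerts = []
    for label, proto, dst_port, payload in flows:
        verdict = classify_flow(proto, dst_port, payload)
        if verdict.startswith("mismatch"):
            alerts.append((label, dst_port, verdict))
    return alerts


if __name__ == "__main__":
    for label, port, verdict in scan_flows(SAMPLE_FLOWS):
        print(f"ALERT {label}: tcp/{port} {verdict}")
```

At scale this is the job of a sensor's dynamic protocol detection (Zeek, for instance, identifies protocols by content rather than port), but the check is the same: the first client payload on 443 should be a TLS ClientHello, on 80/8080 an HTTP request, on 53 a DNS query. Expect some benign mismatches (VPNs and proxies that reuse 443, for example) and build an allow-list before routing these alerts to an analyst.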
To aid in detecting these implants, the National Cybersecurity and Communications Integration Center draws on reporting from FireEye, PwC/BAE Systems and Palo Alto Networks. The US-CERT alert on these implants recommends seven best practices:
- Implement a vulnerability assessment and remediation program.
- Encrypt all sensitive data in transit and at rest.
- Launch an insider threat program.
- Review logging and alerting data.
- Conduct an independent security audit (not merely a compliance audit) of the data.
- Create an information sharing program.
- Maintain network and system documentation to aid in timely incident response, including network diagrams, asset owners, types of assets and the latest incident plan.
Ask the expert: Judith Myerson