The National Cybersecurity and Communications Integration Center became aware of multiple malware implants, including...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
RedLeaves and PlugX, that target various vertical industries. How do these malware implants work? How can we counter them?
Attackers exploit system administrators' credentials to launch multiple malware implants, including RedLeaves and PlugX. They work with the open source PowerSploit, a PowerShell tool that ethical penetration testers use to hack systems.
RedLeaves and PlugX/Sogu are based on existing malware code, but have been modified to avoid detection using existing antivirus signatures. After being implanted in the target system, they are executed on systems via a dynamic-link library (DLL) side-loading technique that uses three files:
- a nonmalicious executable to start the installation;
- a malicious DLL loader; and
- an encoded payload file that the loader decodes into memory.
RedLeaves malware connects to the command-and-control (C&C) server over TCP port 443 with HTTPS and skips the secure flag when calling an API function. The data is not encrypted, and there is no SSL handshake, which would normally occur with TCP port 443 traffic. The system name, operating system versions, system uptime, processor specs and other data are collected.
PlugX is a sophisticated Remote Access Tool (RAT) that is used to communicate with the PlugX C&C server over TCP ports 443, 80, 8080 and 53. The PlugX operator can add, remove or update PlugX plug-ins during runtime using Netstat, Keylog, Portmap, SQL and Telnet.
To aid in detecting malware implants, the National Cybersecurity and Communications Integration Center refers to sources, including FireEye, PwC/BAE Systems and Palo Alto Networks. The US CERT alert about these malware implants recommends seven best practices:
- Implement a vulnerability assessment and remediation program.
- Encrypt all sensitive data in transit and at rest.
- Launch an insider threat program.
- Review logging and alerting data.
- Conduct an independent security (not compliance) audit of the data.
- Create an information sharing program.
- Maintain network and system documentation to aid in timely incident response, including network diagrams, asset owners, types of assets and the latest incident plan.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Find out what you need to know about signatureless malware detection
Discover how WannaCry affects enterprises' industrial control system networks
Learn how to use a cloud-based sandbox to analyze malware
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Judith Myerson
A cryptographic weakness was discovered in the Telerik web UI. Expert Judith Myerson alerts readers about this weakness and the alternative options ...continue reading
New media player vulnerabilities have been exposed that enable hackers to use subtitle files to control devices. Expert Judith Myerson explains how ...continue reading
Two critical, zero-day Foxit Reader vulnerabilities haven't been patched and pose a threat to enterprises. Judith Myerson explains the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.