pixel_dreams - Fotolia
The National Cybersecurity and Communications Integration Center became aware of multiple malware implants, including RedLeaves and PlugX, that target various vertical industries. How do these malware implants work? How can we counter them?
Attackers exploit system administrators' credentials to launch multiple malware implants, including RedLeaves and PlugX. They work with the open source PowerSploit, a PowerShell tool that ethical penetration testers use to hack systems.
RedLeaves and PlugX/Sogu are based on existing malware code, but have been modified to avoid detection using existing antivirus signatures. After being implanted in the target system, they are executed on systems via a dynamic-link library (DLL) side-loading technique that uses three files:
- a nonmalicious executable to start the installation;
- a malicious DLL loader; and
- an encoded payload file that the loader decodes into memory.
RedLeaves malware connects to the command-and-control (C&C) server over TCP port 443 with HTTPS and skips the secure flag when calling an API function. The data is not encrypted, and there is no SSL handshake, which would normally occur with TCP port 443 traffic. The system name, operating system versions, system uptime, processor specs and other data are collected.
PlugX is a sophisticated Remote Access Tool (RAT) that is used to communicate with the PlugX C&C server over TCP ports 443, 80, 8080 and 53. The PlugX operator can add, remove or update PlugX plug-ins during runtime using Netstat, Keylog, Portmap, SQL and Telnet.
To aid in detecting malware implants, the National Cybersecurity and Communications Integration Center refers to sources, including FireEye, PwC/BAE Systems and Palo Alto Networks. The US CERT alert about these malware implants recommends seven best practices:
- Implement a vulnerability assessment and remediation program.
- Encrypt all sensitive data in transit and at rest.
- Launch an insider threat program.
- Review logging and alerting data.
- Conduct an independent security (not compliance) audit of the data.
- Create an information sharing program.
- Maintain network and system documentation to aid in timely incident response, including network diagrams, asset owners, types of assets and the latest incident plan.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Find out what you need to know about signatureless malware detection
Discover how WannaCry affects enterprises' industrial control system networks
Learn how to use a cloud-based sandbox to analyze malware
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Judith Myerson
The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading
Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading