Detecting possible PlugX activity on an endpoint is a serious matter: PlugX (detected by many vendors as KORPLUG) is a well-known remote access Trojan (RAT) that has been used for years by espionage-focused threat actors as well as cybercriminals, and it is built for persistent, long-term access rather than a one-off infection. If you suspect PlugX activity on an endpoint, here are the steps to investigate and mitigate the situation:


1. Isolate the Endpoint: Disconnect the affected endpoint from the network to prevent further communication with the attacker or the command and control server. Prefer network containment (EDR isolation, switch port or VLAN quarantine) over powering the machine off: a power cycle destroys the in-memory evidence that the following steps depend on.


2. Collect Evidence: Gather as much information as possible about the suspected activity before anything on the host is changed: logs, a memory capture if your tooling allows it, a disk or system snapshot, and copies of any unusual files or processes. Key indicators to look for include:


  • Unusual network traffic patterns, especially repeated outbound connections from a process that has no reason to reach the internet.
  • Unfamiliar or suspicious processes running in memory, including legitimate executables launched from unusual locations.
  • Unusual or unauthorized files and registry entries.
  • Unexplained system behaviour or performance issues.
  • Existing alerts or quarantine events in the Defender/EDR logs, which may already have recorded or blocked an earlier stage of the same intrusion.


3. Analyze the Endpoint: Run a full scan with antivirus or anti-malware software whose engine and signatures are up to date. Treat a clean result as inconclusive rather than as proof of absence: the payload stages are stored encrypted on disk and decoded only in memory, so a scanner that knows one loader DLL can still miss a rebuilt sample.


4. Check for Persistence Mechanisms: PlugX installs persistence to survive system reboots. Look for suspicious autostart entries in the Windows Registry (Run/RunOnce keys), scheduled tasks, and service configurations; Autoruns (or its console version autorunsc.exe, which can export CSV for scripted review) covers all of these in one pass. Pay particular attention to entries that launch a legitimate executable from an unusual directory such as ProgramData or a user profile with a DLL of a matching name next to it: that is the DLL side-loading layout PlugX relies on.


5. Review Network Traffic: Analyze network traffic logs (firewall, proxy, DNS, NetFlow, and the host's own connection table) to identify suspicious connections or traffic patterns. Focus on outbound traffic, since PlugX beacons to a command and control server: long-lived or periodically repeated connections to a single external address that no user activity explains, and any contact with the indicator IP listed below.


6. Identify Artifacts: Examine the endpoint for artifacts such as the PlugX dropper, the loader DLL, encrypted payload files, and configuration data. Handle them as live malware: record hashes and timestamps before copying, store copies in a password-protected archive, and open them only in an isolated analysis environment.


7. Document Findings: Record every finding with timestamps (in UTC), file names and paths, hashes, process IDs, IP addresses, and the source each piece of evidence came from. This documentation drives the rest of the incident response and is what blocklists and detection rules will be built from.


8. Incident Response: If you confirm the presence of PlugX or any other malware, escalate to the security or incident response team immediately, keep the system isolated, and plan to reimage the endpoint rather than attempt a clean-up, since removing the loader while a payload persists elsewhere is unreliable. Treat credentials used on the host as exposed and rotate them, and check neighbouring systems for the same indicators, because a RAT of this kind is rarely confined to a single machine.
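The evidence checks from steps 2, 4, 5 and 7, run against constructed sample data, as an added example (this is not code from the original page): it parses a netstat -ano listing, matches the peer addresses against the indicator IP given further down this page, applies a path heuristic to autostart entries in the shape an Autoruns export lists them, and emits timestamped JSON lines for the write-up. The process IDs, entry names, file paths and the user-writable-directory heuristic are assumptions made for the illustration.

```python
"""Added triage example (not from the original page); all sample data is constructed."""
import json
import re
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Indicator IP exactly as the page lists it (defanged); refanged before matching.
IOC_IPS = {"160[.]20[.]147[.]254"}

# Constructed `netstat -ano` output. Only the PID 4412 line talks to the indicator.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.15:49712        160.20.147.254:443     ESTABLISHED     4412
  TCP    10.0.0.15:49713        52.96.166.2:443        ESTABLISHED     1220
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  UDP    0.0.0.0:5353           *:*                                    2200
"""

# Constructed autostart entries in the shape an Autoruns export lists them.
# The OneDrive task is legitimate and is included on purpose: the path heuristic
# below flags it too, which is why these results are leads, not verdicts.
PERSISTENCE_SAMPLE = [
    {"location": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "entry": "AdobeUpdate", "image": r"C:\ProgramData\AdobeUpdate\x32dbg.exe"},
    {"location": r"HKLM\SYSTEM\CurrentControlSet\Services",
     "entry": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    {"location": "Task Scheduler", "entry": "OneDrive Standalone Update Task",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]


@dataclass
class Finding:
    category: str      # "network" or "persistence"
    detail: str
    observed_at: str = field(default_factory=lambda: datetime.now(timezone.utc)
                             .isoformat(timespec="seconds"))


def refang(ioc: str) -> str:
    """Turn the page's defanged form back into a comparable address."""
    return ioc.replace("[.]", ".")


NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> list:
    """Parse `netstat -ano` rows; header and blank lines simply do not match."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        remote_ip, _, remote_port = remote.rpartition(":")   # also fine for [::1]:443
        rows.append({"proto": proto, "local": local, "remote_ip": remote_ip,
                     "remote_port": remote_port, "state": state or "", "pid": int(pid)})
    return rows


def match_c2(rows: list, iocs: set) -> list:
    """Step 5: every socket whose peer is a listed indicator, with the owning PID."""
    wanted = {refang(i) for i in iocs}
    return [Finding("network", f"PID {r['pid']} {r['proto']} {r['local']} -> "
                               f"{r['remote_ip']}:{r['remote_port']} {r['state']}".rstrip())
            for r in rows if r["remote_ip"] in wanted]


# Heuristic chosen for this example: autostarts launching from directories an
# unprivileged user can write to deserve a second look.
USER_WRITABLE_RE = re.compile(
    r"^[A-Za-z]:\\(ProgramData|Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp)\\",
    re.IGNORECASE)


def check_persistence(entries: list) -> list:
    """Step 4: autostart entries whose image lives in a user-writable path."""
    return [Finding("persistence", f"{e['location']} '{e['entry']}' launches {e['image']}")
            for e in entries if USER_WRITABLE_RE.match(e["image"])]


def triage(netstat_text: str, entries: list) -> list:
    return match_c2(parse_netstat(netstat_text), IOC_IPS) + check_persistence(entries)


def report(findings: list) -> str:
    """Step 7: one timestamped JSON line per finding, ready to attach to the ticket."""
    return "\n".join(json.dumps(asdict(f)) for f in findings)


if __name__ == "__main__":
    print(report(triage(NETSTAT_SAMPLE, PERSISTENCE_SAMPLE)))
```

Run as a script it prints three findings. The network hit ties the indicator address to PID 4412, which is the process to pull from the process list and hash next; the OneDrive task is flagged on purpose, because plenty of legitimate software starts from AppData, so the path heuristic produces leads that still need a signature and hash check before anyone acts on them.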


Network indicator of compromise (IP address, defanged): 160[.]20[.]147[.]254


File name       SHA-256                                                             Detection name
x32dbg.exe      aec5cf913773459da0fd30bb282fb0144b85717aa6coe660e81a0bad24a2f23e15  Legitimate Windows debugger (x64dbg project, 32-bit build)
x32bridge.dll   0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9    Trojan.Win32.KORPLUG.AJ
akm.dat         0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799    Trojan.Win32.KORPLUG.AJ
x32bridge.dat   e72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41aec0e172   Trojan.Win32.KORPLUG.AJ.enc
DismCore.dll    b4f1cae6622cd459388294afb418cb0af7a5cb82f367933e57ab8c1fb0a8a8a7    Trojan.Win32.KORPLUG.AJ
Groza_1.dat     553ff37a1eb7e8dc226a83fa143d6aab8a305771bf0cec7b94f4202dcd1f55b2    Trojan.Win32.KORPLUG.AJ.enc

Two of the hashes as printed above are not valid SHA-256 values: the x32dbg.exe entry is 66 characters long and contains a non-hex character ("o"), and the x32bridge.dat entry is 65 characters long. Verify both against the original source before loading them into a blocklist, since a malformed hash silently matches nothing. The layout itself is the more durable indicator: a legitimate executable, a DLL with the name that executable loads on start-up, and .dat files whose detection names carry an .enc suffix because they hold the encrypted payload stages. That is the DLL side-loading pattern PlugX is known for; the debugger is only the host process and is not malicious on its own, so blocking its hash alone gains nothing.
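An added example (not code from the original page) that loads the file indicators from the table above, rejects entries that cannot be SHA-256 values, sweeps a directory for hash matches, and flags the loader layout the table describes. The directory it scans is built in a temporary folder from placeholder files (plain text, not malware) so everything runs offline; the directory names, the extra "demo" indicator it adds so the match path is exercised, and the exe/dll/dat layout heuristic are assumptions made for the demonstration.

```python
"""Added IOC-validation and sweep example (not from the original page)."""
import hashlib
import re
import tempfile
from pathlib import Path

# File indicators copied verbatim from the table above (name, SHA-256 as printed).
IOC_TABLE = [
    ("x32dbg.exe",    "aec5cf913773459da0fd30bb282fb0144b85717aa6coe660e81a0bad24a2f23e15"),
    ("x32bridge.dll", "0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9"),
    ("akm.dat",       "0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799"),
    ("x32bridge.dat", "e72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41aec0e172"),
    ("DismCore.dll",  "b4f1cae6622cd459388294afb418cb0af7a5cb82f367933e57ab8c1fb0a8a8a7"),
    ("Groza_1.dat",   "553ff37a1eb7e8dc226a83fa143d6aab8a305771bf0cec7b94f4202dcd1f55b2"),
]
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HEX = set("0123456789abcdef")


def validate_iocs(table: list) -> tuple:
    """Split the table into usable {sha256: name} and rejects with the reason.
    A malformed hash silently matches nothing, so catch it before it is loaded."""
    good, bad = {}, []
    for name, digest in table:
        d = digest.strip().lower()
        if SHA256_RE.match(d):
            good[d] = name
        else:
            bad.append((name, digest, f"{len(d)} chars, non-hex={sorted(set(d) - HEX)}"))
    return good, bad


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, hashes: dict) -> list:
    """Return (relative path, indicator name) for every file whose SHA-256 is listed."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            d = sha256_of(p)
            if d in hashes:
                hits.append((p.relative_to(root).as_posix(), hashes[d]))
    return hits


def find_sideload_layouts(root: Path) -> list:
    """Flag directories holding an .exe, a .dll and a .dat together: the layout in
    the table (host executable, the DLL it loads by name, encrypted payload blobs).
    Name-based, so it also catches a rebuilt sample whose hashes are on no list;
    a .dll and .dat sharing a stem (x32bridge) is recorded as the stronger signal."""
    findings = []
    for d in sorted({p.parent for p in root.rglob("*") if p.is_file()}):
        by_ext = {}
        for p in d.iterdir():
            if p.is_file():
                by_ext.setdefault(p.suffix.lower(), []).append(p.name)
        if all(by_ext.get(ext) for ext in (".exe", ".dll", ".dat")):
            stems = ({Path(n).stem.lower() for n in by_ext[".dll"]}
                     & {Path(n).stem.lower() for n in by_ext[".dat"]})
            findings.append({"dir": d.relative_to(root).as_posix(),
                             "exe": sorted(by_ext[".exe"]), "dll": sorted(by_ext[".dll"]),
                             "dat": sorted(by_ext[".dat"]), "matched_stems": sorted(stems)})
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: placeholder files in the table's layout plus a decoy."""
    stage = root / "ProgramData" / "AdobeUpdate"
    stage.mkdir(parents=True)
    for name in ("x32dbg.exe", "x32bridge.dll", "x32bridge.dat", "akm.dat"):
        (stage / name).write_bytes(b"placeholder for " + name.encode())
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "notes.txt").write_bytes(b"nothing to see here")


def run_demo() -> dict:
    hashes, malformed = validate_iocs(IOC_TABLE)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        # Placeholder contents cannot match the real indicators; add the placeholder
        # DLL's own hash as a constructed extra so the match path is exercised.
        demo_hashes = dict(hashes)
        demo_hashes[sha256_of(root / "ProgramData/AdobeUpdate/x32bridge.dll")] = "x32bridge.dll (demo)"
        return {"malformed": malformed, "hash_hits": sweep(root, demo_hashes),
                "layouts": find_sideload_layouts(root)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Against the table as printed, validate_iocs keeps four hashes and rejects x32dbg.exe and x32bridge.dat with the length and character problems spelled out, which is the check to run before any list goes into an EDR or firewall. The layout finder is deliberately loose (an .exe, .dll and .dat in one directory is common in legitimate software), so weight its output by location: the same layout under ProgramData or a user profile is far more interesting than under Program Files.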