Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick

FireEye Labs has discovered a targeted attack against Chinese political rights activists. The targets appear to be members of social groups involved in the political rights movement in China. The email turned up after the attention received in Beijing during the 12th National People's Congress and the 12th National Committee of the Chinese People's Political Consultative Conference, which is the election of a new core of leadership of the Chinese government, to determine the future of China's five-year development plan [1].

The email contains a weaponized attachment that utilizes the Windows Office CVE-2012-0158 exploit to drop the benign payload components and a decoy document. The Remote Access Tool (RAT) PlugX is known for combining individually benign files to build the malicious execution. The Microsoft file OInfoP11.exe, also known as “Office Data Provider for WBEM”, is a certified file found in the National Software Reference Library (NIST) and is a component of the Microsoft Office 2003 suite. Endpoint protection that relies on integrity checking would deem this file valid and clean. In Windows 7+ distributions, svchost.exe will require user interaction by displaying a UAC prompt, but only if UAC is enabled; in Windows XP distributions, the attack does not require user interaction. The major problem is that this file is subject to DLL sideloading. In previous cases, PlugX has used similar sideloading-prone files such as a McAfee binary called mcvsmap.exe [2], Intel’s hkcmd.exe [3], and NVIDIA’s NvSmart.exe [4]. In this case, OInfoP11.exe loads a DLL file named OInfo11.ocx (the payload loader posing as an ActiveX DLL) that decompresses and decrypts the malicious payload OInfo11.ISO. This technique can be used to evade endpoint security solutions that rely on binary signing. Traditional anti-virus (AV) solutions will have a hard time identifying the encrypted and compressed payload. At the time of writing, only 1 out of 46 AV vendors detects the OInfo11.ocx file.

The diagram in figure 1 shows the behavior and relationship of these files.

Figure 1: Attack Diagram


In Figure 2, the targeted email advertises a suffrage movement seminar event. Figure 3 is the contents of the Google document form link that contains the same information as in the email. In figure 4, the decoy document contains the details of the particular seminar section mentioned in the Google document link.


Figure 2: Original Email

Below is the English translation of the email in figure 2.

Li Ping

Figure 3: Google Form

Decoy Document

Figure 4: Decoy Document

Below is the translation to the document shown above.

The seminar

Attack Analysis

The XLS file (1146fdd6b579ac7144ff575d4d4fa28d) utilizes the CVE-2012-0158 Windows Office exploit to drop the “ews.exe” payload and the decoy document shown in figure 4. This payload extracts the Microsoft file OINFOP11.exe, the benign DLL OInfo11.ocx, and the encoded and compressed shellcode sections in OInfo11.ISO. OInfoP11.exe loads OInfo11.ocx as a DLL; once loaded, it decompresses OInfo11.ISO using RtlDecompressBuffer and decrypts it to run in memory. The malicious code is never dropped to the file system and is therefore not seen by filesystem-based anti-virus detectors. Figure 5 shows the high-level view of the relationship of the dropped files.


Figure 5: Payload Relationship

Summary of Dropped Files

| Name | MD5 | Location | Type | Encoded/Encrypted | Compressed |
|---|---|---|---|---|---|
| Ews.exe | 721cca40df0f7eab5b5cb069ee8fda9d | %TEMP% | Exe | | |
| OINFOP11.EXE | a31cad2960a660cb558b32ba7236b49e | %TEMP%\RarSFX0\%ALLUSERSPROFILE%\SXS\ | Exe (clean) | | |
| OInfo11.ocx | b355dedbabb145bbf8dd367adac4f8c5 | %TEMP%\RarSFX0\%ALLUSERSPROFILE%\SXS\ | Binary File | Yes | |
| OInfo11.ISO | 128e3fc5ffba06abdd3edab2aff3753f | %TEMP%\RarSFX0\%ALLUSERSPROFILE%\\SXS\ | Binary File | Yes | Yes |
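A triage sweep built on the table above, as an added example (not FireEye's code): it flags any directory where the signed host sits beside both the loader and the payload blob, and separately reports MD5 hits. The function names and the `known_md5`/`sets` parameters are this example's own; file names and hashes are the ones listed on this page.

```python
import hashlib
import os
import sys

# MD5 values copied from the "Summary of Dropped Files" table on this page.
# OINFOP11.EXE is left out on purpose: the table marks it clean, so a hash
# hit on it alone proves nothing. Its position beside the payload is the signal.
KNOWN_MD5 = {
    "721cca40df0f7eab5b5cb069ee8fda9d": "Ews.exe (dropper)",
    "b355dedbabb145bbf8dd367adac4f8c5": "OInfo11.ocx (loader)",
    "128e3fc5ffba06abdd3edab2aff3753f": "OInfo11.ISO (encrypted payload)",
}
# Signed host -> files that must sit beside it for this sideload chain to run.
SIDELOAD_SETS = {"oinfop11.exe": ("oinfo11.ocx", "oinfo11.iso")}


def md5_of(path, chunk=65536):
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root, known_md5=KNOWN_MD5, sets=SIDELOAD_SETS):
    """Return (kind, path, detail) tuples for sideload sets and MD5 hits under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}  # Windows file names are case-insensitive
        for host, companions in sets.items():
            if host in names and all(c in names for c in companions):
                findings.append(("sideload-set", dirpath, names[host]))
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                hit = known_md5.get(md5_of(full))
            except OSError:
                continue  # locked or unreadable file: keep sweeping
            if hit:
                findings.append(("md5-match", full, hit))
    return findings


if __name__ == "__main__":
    for kind, path, detail in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}\t{detail}")
```

The co-location check still fires if the loader or payload is rebuilt and its hash changes, which is the case a hash-only sweep misses.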

Exploit Details

This malware uses CVE-2012-0158 to drop the payload from the section shown in Figure 6.


Figure 6: Exploit Payload Section

Shellcode can be found in the first few bytes of this section. Figure 7 shows the disassembly of the code found at the 0x1de0b offset shown in figure 6.


Figure 7: Payload Shellcode

Campaign Characteristics

OInfoP11.exe is a valid Microsoft file and its certificate is shown in figure 8.


Figure 8: Signature Usage

When OInfoP11.exe is called with the arguments "C:\Documents and Settings\All Users\SxS\OINFOP11.EXE" 200 0, it begins loading the file OInfo11.ocx.


Figure 10: Loader Entrypoint

The arrow marks the exact jump to the entry point where the shellcode begins decompressing and decrypting the ISO file.


Figure 11: Shellcode Example

This is an example of the memory space of the loaded benign DLL OInfo11.ocx. The functionality of OInfo11.ocx is essentially a loader in which this section decompresses and decrypts the malicious payload in memory.


Figure 12: Decryption of the ISO file

This is the decryption loop used throughout the sample. In this instance, it is used to decrypt the ISO shellcode in memory.


Figure 13: DLL location in memory

This is an example of the complete malicious DLL address space in memory.


Artifacts to watch for:

| Artifact | Action | Value |
|---|---|---|
| Mutex | | \BaseNamedObjects\oleacc-msaa-loaded |
| Registry Key | Adds | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform |
| Registry Key | Adds | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Security\User Agent\Post Platform |
| Registry Key | Sets Value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000 |
| Folders and Files | Hides | %ALLUSERSPROFILE%\SXS\ |



The DLL injects code into svchost.exe: it allocates memory with VirtualAllocEx, then uses WriteProcessMemory to write into the memory space of svchost.exe. The thread is then resumed to run the injected code. The same injection process is used for both svchost.exe and msiexec.exe. When svchost.exe spawns msiexec.exe, it calls CreateEnvironmentBlock and CreateProcessAsUser so that the svchost service can launch a user session.
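The process chain described above can be hunted in process-creation telemetry. The following is an added example, not code from the original post: the event field names and the sample events are constructed, and it assumes the loader process is the parent of the svchost.exe instance it injects into, which the post implies ("the thread is then resumed") but does not state.

```python
import ntpath

# Constructed process-creation events in creation order. Field names are
# hypothetical, loosely modelled on EDR-style process telemetry.
EVENTS = [
    {"pid": 600, "ppid": 500, "image": r"C:\WINDOWS\system32\services.exe", "cmd": "services.exe"},
    {"pid": 900, "ppid": 600, "image": r"C:\WINDOWS\system32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"pid": 2100, "ppid": 1800, "image": r"C:\Documents and Settings\All Users\SxS\OINFOP11.EXE",
     "cmd": r'"C:\Documents and Settings\All Users\SxS\OINFOP11.EXE" 200 0'},
    {"pid": 2200, "ppid": 2100, "image": r"C:\WINDOWS\system32\svchost.exe", "cmd": "svchost.exe"},
    {"pid": 2300, "ppid": 2200, "image": r"C:\WINDOWS\system32\msiexec.exe", "cmd": "msiexec.exe"},
    {"pid": 2400, "ppid": 600, "image": r"C:\WINDOWS\system32\msiexec.exe", "cmd": "msiexec.exe /V"},
]


def detect(events):
    """Return (pid, reason) alerts, following parent/child links by PID."""
    images = {}      # pid -> lower-case image base name of processes seen so far
    tainted = set()  # pids that belong to the suspicious chain
    alerts = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        folder = ntpath.dirname(ev["image"]).lower()
        parent = images.get(ev["ppid"])  # None when the parent was never logged
        images[ev["pid"]] = name
        reason = None
        if name == "oinfop11.exe" and folder.endswith(r"\sxs"):
            reason = "OINFOP11.EXE running from an SxS profile folder"
        elif name == "svchost.exe" and parent not in (None, "services.exe"):
            # services.exe is the normal parent; an unknown parent is not
            # alerted on, so gaps in telemetry do not produce noise.
            reason = f"svchost.exe started by {parent}, not services.exe"
        elif name == "msiexec.exe" and ev["ppid"] in tainted:
            reason = "msiexec.exe spawned by a flagged svchost.exe"
        if reason:
            tainted.add(ev["pid"])
            alerts.append((ev["pid"], reason))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

PID reuse is ignored here; a production rule would key on a process GUID or on PID plus start time.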

Keylogging Activity

The sample creates a keylogging file in %ALLUSERSPROFILE%\SXS\ named NvSmart.hlp. Below is an example of the content of this file.


Proxy Establishment

This sample can communicate using ICMP, UDP, HTTP and TCP. In this situation the sample is using the string Protocol:[ TCP], Host: [], Proxy: [0::0::] to establish the proxy for the C&C communication.


Figure 14: Communication Options

Modes of Operation Overview

The table below outlines some of the functionality that this variant uses. The options have not changed, so this table serves as a refresher. Figure 15 shows an example of how these functions are called by the sample.

| Mode | Description |
|---|---|
| Disk | Access disk drives to modify the files |
| Nethood | List shares |
| Netstat | List TCP/UDP connections |
| Option | Send system commands to the workstation such as screen lock |
| PortMap | Port mapping |
| Process | Modify the state of processes |
| RegEdit | Modify registry keys |
| Service | Modify services |
| Shell | Communicate through the established named pipe to the C&C server |
| SQL | SQL database queries |
| Telnet | Start up a telnet server on the victim |


Figure 15: Functionality Example

C&C Details and Communication

In figure 16, the sample is communicating to over port 90. The C&C node is down in this case, but the communication is dynamic non-http communication. An example of the callback content is shown in figure 17. This sample will also try to communicate with other instances laterally in the same network. An example of this traffic and content can be seen in figure 18 and figure 19.


Figure 16: PCAP of C&C communication


Figure 17: Callback Traffic


Figure 18: UDP Beacon


Figure 19: UDP packet content

Whois Information on the IP

inetnum: -

netname: NEWTT-AS-AP

descr: Wharf T&T Limited

descr: 11/F, Telecom Tower,

descr: Wharf T&T Square, 123 Hoi Bun Road

descr: Kwun Tong, Kowloon

country: HK

admin-c: EN62-AP

tech-c: BW128-AP

mnt-by: APNIC-HM

mnt-lower: MAINT-HK-NEWTT

mnt-routes: MAINT-HK-NEWTT

mnt-irt: IRT-NEWTT-HK


remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

remarks: This object can only be updated by APNIC hostmasters.

remarks: To update this object, please contact APNIC

remarks: hostmasters and include your organisation's account

remarks: name in the subject line.

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

changed: 20120725

source: APNIC

person: Eric Ng

nic-hdl: EN62-AP

remarks: please report spam or abuse to



address: 11/F Telecom Tower, Wharf T&T Square

address: 123 Hoi Bun Road, Kwun Tong,

phone: +852-2112-2653

fax-no: +852-2112-7883

country: HK

changed: 20070716

mnt-by: MAINT-NEW

source: APNIC

person: Benson Wong

nic-hdl: BW128-AP


address: 5/F, Harbour City, Kowloon,

address: Hong Kong

phone: +852-21122651

fax-no: +852-21127883

country: HK

changed: 20070420


source: APNIC

I want to thank the FireEye Labs Team.