BackDoor.PlugX.93

Added to the Dr.Web virus database: 2021-10-22

Virus description added:

Packer: absent

Compilation date: 2020-08-13

  • SHA1 hash: a8bff99e1ea76d3de660ffdbd78ad04f81a8c659

Description

The PlugX backdoor module is written in C and is designed to decrypt shellcode stored in the registry; that shellcode then loads the main backdoor into memory.

Operating routine

At startup, the backdoor resolves the address of VirtualProtect() by hash and uses it to set the access rights of the region starting at the function at 0x10001000 and covering the rest of the .text section to PAGE_EXECUTE_READWRITE.

Addresses are resolved by a function that takes the hash of the required API as its parameter.

A script that resolves a function from its hash:


import pefile  # third-party package: pip install pefile

MAX_BITS = 32
MASK = (1 << MAX_BITS) - 1

def ror(val, r_bits, max_bits=MAX_BITS):
    # rotate a max_bits-wide value right by r_bits
    r_bits %= max_bits
    mask = (1 << max_bits) - 1
    val &= mask
    return ((val >> r_bits) | (val << (max_bits - r_bits))) & mask

def get_func_addr(target_hash, library_path_list):
    # library_path_list: absolute paths of the DLLs whose exports should be searched
    for library_path in library_path_list:
        # the module name is hashed uppercased as UTF-16, null terminator included
        name_dll = library_path.replace('/', '\\').split('\\')[-1].upper().encode('ascii') + b'\x00'

        hash_name_dll = 0
        for c in name_dll:
            hash_name_dll = (c + ror(hash_name_dll, 0x0D)) & MASK  # low byte of the UTF-16 unit
            hash_name_dll = ror(hash_name_dll, 0x0D)               # high byte of the unit, always 0

        pe = pefile.PE(library_path)
        for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
            if exp.name is None:  # exported by ordinal only, cannot be hashed by name
                continue
            # the function name is hashed as ASCII, null terminator included
            func_name = exp.name + b'\x00'

            hash_name_func = 0
            for c in func_name:
                hash_name_func = (c + ror(hash_name_func, 0x0D)) & MASK

            # the final sum wraps to 32 bits, as it does in the 32-bit shellcode
            if (hash_name_dll + hash_name_func) & MASK == target_hash:
                print('{} -> 0x{:08x} -> {}'.format(name_dll.decode(), target_hash, exp.name.decode()))
                return exp.name.decode()
    return None

The permissions were changed to PAGE_EXECUTE_READWRITE so that the code could be decrypted in place with an XOR operation.

There is also a version of the backdoor that uses dynamic XOR encryption of its code: a function's body is decrypted at the beginning of the function and encrypted again at its end.

An IDAPython script that automates this decryption:


import idaapi

def xor_dec(address, count, key):
    # Decrypt `count` dwords in place starting at `address`. The key is rolling:
    # after each dword it is advanced by the value just decrypted (32-bit wrap),
    # which is why the patched dword is read back before the key is updated.
    for _ in range(count):
        idaapi.patch_dword(address, (idaapi.get_dword(address) ^ key) & 0xFFFFFFFF)
        key = (key + idaapi.get_dword(address)) & 0xFFFFFFFF
        address += 4
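The same rolling XOR modelled outside IDA, as an added example that is not part of the Dr.Web write-up: it decrypts a dumped byte buffer, shows the inverse transform the function epilogue performs, and exposes the key schedule, which depends only on the plaintext. The sample bytes and key are constructed for illustration; the update rule (key advanced by the decrypted dword, 32-bit wrap) is the one in the IDAPython script above.

```python
import struct

MASK32 = 0xFFFFFFFF

def _check_aligned(buf):
    if len(buf) % 4:
        raise ValueError('buffer must be a whole number of dwords')

def key_schedule(plain, key):
    """Keys applied to each dword. The schedule depends only on the plaintext,
    so encryption and decryption walk the same sequence of keys."""
    _check_aligned(plain)
    keys = []
    for (p,) in struct.iter_unpack('<I', plain):
        keys.append(key)
        key = (key + p) & MASK32
    return keys

def xor_dec_bytes(cipher, key):
    """Decrypt a dword-aligned buffer with the backdoor's rolling XOR: each dword
    is XORed with the current key, then the key is advanced by the decrypted dword."""
    _check_aligned(cipher)
    out = bytearray()
    for (c,) in struct.iter_unpack('<I', cipher):
        p = c ^ key
        out += struct.pack('<I', p)
        key = (key + p) & MASK32
    return bytes(out)

def xor_enc_bytes(plain, key):
    """Inverse transform, i.e. what the epilogue that re-encrypts the function does."""
    _check_aligned(plain)
    out = bytearray()
    for (p,), k in zip(struct.iter_unpack('<I', plain), key_schedule(plain, key)):
        out += struct.pack('<I', p ^ k)
    return bytes(out)

def roundtrip_ok(plain, key):
    return xor_dec_bytes(xor_enc_bytes(plain, key), key) == plain

# Constructed sample data (not taken from the malware): 4 dwords of "code" and a key.
SAMPLE_PLAIN = bytes.fromhex('5589e583ec20c745fc00000000eb0e90')
SAMPLE_KEY = 0xDEADBEEF

if __name__ == '__main__':
    enc = xor_enc_bytes(SAMPLE_PLAIN, SAMPLE_KEY)
    print(enc.hex(), roundtrip_ok(SAMPLE_PLAIN, SAMPLE_KEY))
```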

Before it starts its malicious activity, the backdoor resolves the addresses of the other functions it needs in the same way it resolved VirtualProtect(). The resolved functions and their hashes:

Function name         Hash
CloseHandle           0x528796C6
CreateFileA           0x4FDAF6DA
DeleteFileA           0x13DD2ED7
ExitProcess           0x56A2B5F0
GetAdaptersInfo       0x62C9E1BD
GetModuleFileNameA    0xFE61445D
GetSystemDirectoryA   0x60BCDE05
LoadLibraryA          0x726774C
ReadFile              0xBB5F9EAD
RegCloseKey           0x81C2AC44
RegDeleteValueA       0x3846A3A8
RegEnumValueA         0x2EC95AA4
RegOpenKeyExA         0x3E9E3F88
RegQueryValueExA      0x8FF0E305
VirtualAlloc          0xE553A458
VirtualFree           0x300F2F0B
VirtualProtect        0xC38AE110
WinExec               0x876F8B31
WriteFile             0x5BAE572D
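To check the table above without DLLs on disk, here is an added example (not from the Dr.Web write-up) that computes the module+function ROR13 hash used by the resolver and builds a hash-to-name map from the API names on the page; the scheme (module name uppercased and hashed as UTF-16, function name as ASCII, 32-bit sum) is the same one the Metasploit block_api stub uses, so the kernel32 values can be cross-checked against it. The DLL assignment for each name is an assumption based on which system library exports it.

```python
MASK32 = 0xFFFFFFFF

def ror32(value, bits):
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32

def hash_module(name):
    """Module name: uppercased, hashed as UTF-16LE, null terminator included."""
    h = 0
    for b in name.upper().encode('ascii') + b'\x00':
        h = (ror32(h, 13) + b) & MASK32  # low byte of the UTF-16 code unit
        h = ror32(h, 13)                 # high byte of the unit, always 0
    return h

def hash_function(name):
    """Function name: hashed as ASCII, null terminator included."""
    h = 0
    for b in name.encode('ascii') + b'\x00':
        h = (ror32(h, 13) + b) & MASK32
    return h

def api_hash(module, function):
    return (hash_module(module) + hash_function(function)) & MASK32

def build_lookup(api_names):
    """api_names: iterable of (module, function). Returns {hash: 'module!function'}."""
    return {api_hash(m, f): '{}!{}'.format(m, f) for m, f in api_names}

# API names from the page, paired with the DLL that exports each (assumed pairing).
KNOWN_APIS = [('kernel32.dll', f) for f in (
    'CloseHandle', 'CreateFileA', 'DeleteFileA', 'ExitProcess', 'GetModuleFileNameA',
    'GetSystemDirectoryA', 'LoadLibraryA', 'ReadFile', 'VirtualAlloc', 'VirtualFree',
    'VirtualProtect', 'WinExec', 'WriteFile')] + [
    ('advapi32.dll', f) for f in ('RegCloseKey', 'RegDeleteValueA', 'RegEnumValueA',
                                  'RegOpenKeyExA', 'RegQueryValueExA')] + [
    ('iphlpapi.dll', 'GetAdaptersInfo')]

LOOKUP = build_lookup(KNOWN_APIS)

def resolve(h):
    """Map a hash seen in the disassembly to 'module!function', or 'unknown'."""
    return LOOKUP.get(h & MASK32, 'unknown')

if __name__ == '__main__':
    for h in (0x0726774C, 0xC38AE110, 0x876F8B31):
        print('0x{:08X} -> {}'.format(h, resolve(h)))
```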

In addition, the backdoor checks whether it is running in a sandbox.

After resolving the function addresses and performing the sandbox check, BackDoor.PlugX.93 removes the updatecfgSetup task from the Task Scheduler.

The shellcode encryption key is the MD5 of the following registry values:

 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\InstallDate
HKLM\System\ControlSet001\Control\ComputerName\ComputerName


The shellcode is stored in the following registry keys:


HKLM\Software\BINARY
HKLM\Software\BINARY


Before the shellcode is run, it is decrypted in two steps: first with the RC4 algorithm, then with XOR.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.


  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
