Cannot remove Win32/Korplug.OU Trojan



Please enable the LiveGrid Feedback system, detection of potentially unsafe applications and SSL filtering, then run a full disk scan and provide fresh ELC logs.

Is the threat detected after a reboot? Even if the server is temporarily disconnected from the network?


23 hours ago, Marcos said:

Please enable the LiveGrid Feedback system, detection of potentially unsafe applications and SSL filtering, then run a full disk scan and provide fresh ESET Log Collector logs.

Is the threat detected after a reboot? Even if the server is temporarily disconnected from the network?

Thank you, I am doing so; I'll tell you again.


17 hours ago, itman said:

An Eset Korplug detection would be indicative of PlugX based malware usually deployed by APT actors such as Winnti. Eset has a reference here: https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

This malware will be a hard one to remove.

Thank you for your guidance.


On 5/28/2021 at 4:39 PM, Marcos said:

Please enable the LiveGrid Feedback system, detection of potentially unsafe applications and SSL filtering, then run a full disk scan and provide fresh ESET Log Collector logs.

Is the threat detected after a reboot? Even if the server is temporarily disconnected from the network?

My ESET file security doesn't have SSL filtering.

efsw_logs.zip


I would create logs with the Universal Virus Sniffer program;

perhaps there are threats embedded in a legitimate process.


For those not wanting to "wade through" the detailed analysis link I posted above, I have "gleaned" the relevant portions of the article below. I have also underlined notable portions. Finally, this article was written in 2018 and as such, it is assumed PlugX malware has evolved from this point. Specifically, it is using a Windows directory other than the one referenced. Also assume a large number of legit processes could be selected in regards to being vulnerable to DLL search order hijacking:

Quote

Dropper - Note this can be anything

The PlugX binary produced by this version of the builder (LZ 2013-8-18) is a self-extracting RAR archive that contains three files. This is sometimes referred in the literature as the PlugX trinity payload.

Payload Installation

Executing the self-extracting RAR archive will drop the three files to the directory chosen during the process. In this case “%AUTO%/RasTls”. The files are: A legitimate signed executable from Kaspersky AV solution named “avp.exe”, MD5 e26d04cecd6c7c71cfbb3f335875bc31, which is susceptible to DLL search order hijacking. The file “avp.exe” when executed will load the second file: “ushata.dll”, MD5 728fe666b673c781f5a018490a7a412a, which in this case is a DLL crafted by the PlugX builder which in turn will load the third file. The third file: “ushata.DLL.818”, MD5 “21078990300b4cdb6149dbd95dff146f” contains obfuscated and packed shellcode.

Persistence

Next, the payload will start performing different actions to achieve persistence. On Windows 7 and beyond, PlugX creates a folder “%ProgramData%\RasTl” where “RasTl” matches the installation settings defined in the builder. Then, it changes the folder attributes to “SYSTEM|HIDDEN” using the SetFileAttributesW API. Next, it copies its three components into the folder and sets all files with the “SYSTEM|HIDDEN” attribute.

The payload also modifies the timestamps of the created directory and files with the timestamps obtained from ntdll.dll using the SetFileTime API.

Then it creates the service “RasTl” where the ImagePath points to “%ProgramData%\RasTl\avp.exe".

If the malware fails to start the just installed service, it will delete it and then it will create a persistence mechanism in the registry by setting the registry value “C:\ProgramData\RasTls\avp.exe” to the key “HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RasTls” using the RegSetValueExW API.

Additional Malware Installed

If the builder options had the Keylogger functionality enabled, then it may create a file with a random name such as “%ProgramData%\RasTl\rjowfhxnzmdknsixtx” that stores the key strokes. If the payload has been built with Screen capture functionality, it may create the folder “%ProgramData%\RasTl \RasTl\Screen” to store JPG images in the format <datetime>.jpg that are taken at the frequency specified during the build process. The payload may also create the file “%ProgramData%\DEBUG.LOG” that contains debugging information about its execution (also interesting that during execution the malware outputs debug messages about what is happening using the OutputDebugString API. These messages could be viewed with DebugView from SysInternals).

Malware Execution

The malicious code completes its mission by starting a new instance of “svchost.exe” and then injects the malicious code into the svchost.exe process address space using the process hollowing technique. The pictures below show the first step of the process hollowing technique where the payload creates a new “svchost.exe” instance in SUSPENDED state and then uses the WriteProcessMemory API to inject the malicious payload. Then the main thread, which is still in suspended state, is changed in order to point to the entry point of the new image base using the SetThreadContext API. Finally, the ResumeThread API is invoked and the malicious code starts executing. The malware also has the capabilities to bypass User Account Control (UAC) if needed. From this moment onward, the control is passed over to “svchost.exe” and Plug-X starts doing its thing.

The screen shot posted shows repeated Eset svchost.exe detections and if you look closely at the Eset Event log, the malware is executing at the same fixed intervals. This would imply a scheduled task element being deployed. However, there could be a remote execution element deployed with the scheduling controlled from the attacker's C&C server.

-Correction- The PlugX malware is running in intervals but they are not fixed. This would point to remote execution triggering.

Edited by itman
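The persistence traits quoted above (SYSTEM|HIDDEN files under %ProgramData%, timestamps cloned from ntdll.dll via SetFileTime, a service ImagePath or Run value pointing into %ProgramData%, the DEBUG.LOG file) can be checked mechanically. The script below is an added triage example, not code from the thread or from ESET; it runs over a constructed snapshot rather than a live host, so the file list, service table, Run values and ntdll timestamp would have to be collected first (for example with Get-ChildItem, Get-Service and Get-ItemProperty) on a real server.

```python
from dataclasses import dataclass

@dataclass
class FileEntry:
    path: str
    attributes: set      # e.g. {"SYSTEM", "HIDDEN"}
    mtime: str           # last-write time as ISO text (constructed sample data)

@dataclass
class Snapshot:
    files: list          # FileEntry objects collected from the host
    services: dict       # service name -> ImagePath
    run_keys: dict       # HKLM\...\CurrentVersion\Run value name -> command
    ntdll_mtime: str     # last-write time of System32\ntdll.dll

PROGRAMDATA = "C:\\PROGRAMDATA\\"   # %ProgramData% on a default install

def find_indicators(snap):
    """Return (reason, item) pairs for the PlugX traits in the quoted write-up."""
    hits = []
    for f in snap.files:
        if not f.path.upper().startswith(PROGRAMDATA):
            continue
        if {"SYSTEM", "HIDDEN"} <= f.attributes:
            hits.append(("SYSTEM|HIDDEN file under ProgramData", f.path))
        if f.mtime == snap.ntdll_mtime:        # SetFileTime timestomp
            hits.append(("timestamp cloned from ntdll.dll", f.path))
        if f.path.upper() == PROGRAMDATA + "DEBUG.LOG":
            hits.append(("PlugX debug log", f.path))
    for name, image in snap.services.items():
        if image.upper().startswith(PROGRAMDATA):
            hits.append(("service ImagePath under ProgramData", f"{name} -> {image}"))
    for name, cmd in snap.run_keys.items():
        if cmd.upper().startswith(PROGRAMDATA):
            hits.append(("Run value under ProgramData", f"{name} -> {cmd}"))
    return hits

# Constructed snapshot mirroring the quoted analysis; not data from the poster's server.
SAMPLE = Snapshot(
    files=[
        FileEntry("C:\\ProgramData\\RasTl\\avp.exe", {"SYSTEM", "HIDDEN"}, "2009-07-14T01:14:30"),
        FileEntry("C:\\ProgramData\\RasTl\\ushata.dll", {"SYSTEM", "HIDDEN"}, "2009-07-14T01:14:30"),
        FileEntry("C:\\ProgramData\\DEBUG.LOG", {"ARCHIVE"}, "2021-05-27T10:02:11"),
        FileEntry("C:\\Users\\bob\\notes.txt", {"ARCHIVE"}, "2021-05-20T09:00:00"),
    ],
    services={"RasTl": "C:\\ProgramData\\RasTl\\avp.exe", "Spooler": "C:\\Windows\\System32\\spoolsv.exe"},
    run_keys={"RasTls": "C:\\ProgramData\\RasTls\\avp.exe"},
    ntdll_mtime="2009-07-14T01:14:30",
)
```

Calling find_indicators(SAMPLE) flags the two trinity files twice each (attributes and cloned timestamp), the debug log, the RasTl service and the RasTls Run value, while notes.txt and Spooler produce nothing.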

A couple other observations about this PlugX malware.

Although Eset is detecting the malicious PlugX code in memory and blocking its execution, it can't terminate the source svchost.exe process. Hence, the restart computer verbiage shown on the alert. This would imply that the svchost.exe was created with Windows security mechanisms such as Protected Process - Light, etc.

The repetitive interval frequency of the PlugX malware execution would be indicative of data upload from prior data harvesting activities. As posted, this malware can install a keylogger, screen capture, you name it, as additional malware. This also would imply that this additional malware is running undetected on this device.

Edited by itman
