Jump to content

Cannot remove Win32/Korplug.OU Trojan


Recommended Posts

No matter how many times I scan, the trojan always re-appears. every single day, it reappears. Is there a way to permanently remove it ?

1622100699452.png

efsw_logs.zip

Link to comment
Share on other sites

  • Administrators

Please enable the LiveGrid Feedback system, detection of potentially unsafe applications and SSL filtering, then run a full disk disk scan and provide fresh ELC logs.

Is the threat detected after a reboot? Even if the server is temporarily disconnected from the network?

Link to comment
Share on other sites

23 hours ago, Marcos said:

Please enable the LiveGrid Feedback system, detection of potentially unsafe applications and SSL filtering, then run a full disk disk scan and provide fresh ESET Log Collector logs.

Is the threat detected after a reboot? Even if the server is temporarily disconnected from the network?

Thank you, I am doing, I'll tell you again.

Link to comment
Share on other sites

17 hours ago, itman said:

An Eset Korplug detection would be indicative of PlugX based malware usually deployed by APT actors such as Winnti. Eset has reference here: https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

This malware will be a hard one to remove.

Thank you for your guidance.

Link to comment
Share on other sites

On 5/28/2021 at 4:39 PM, Marcos said:

Please enable the LiveGrid Feedback system, detection of potentially unsafe applications and SSL filtering, then run a full disk disk scan and provide fresh ESET Log Collector logs.

Is the threat detected after a reboot? Even if the server is temporarily disconnected from the network?

My ESET file security doesn't have SSL filtering.

efsw_logs.zip

Link to comment
Share on other sites

I would make logs in the Universal Virus Sniffer program,

perhaps there are embedded threads in the legal process

Link to comment
Share on other sites

  • Administrators

Please provide a Procmon boot log. Stop logging only after the threat has been detected after the reboot.

Link to comment
Share on other sites

Posted (edited)

For those not wanting to "wade through" the detailed analysis link I posted above, I have "gleaned" the relevant portions of the article below. I have also underlined notable portions. Finally, this article was written in 2018 and as such, assumed is PlugX malware has evolved from this point. Specifically, it is using a Windows directory other than the one referenced. Also assume a large number of legit processes could be selected in regards to being vulnerable to DLL search order hijacking:

Quote

Dropper - Note this can be anything

The PlugX binary produced by this version of the builder (LZ 2013-8-18) is a self-extracting RAR archive that contains three files. This is sometimes referred in the literature as the PlugX trinity payload.

Payload Installation

Executing the self-extracting RAR archive will drop the three files to the directory chosen during the process. In this case “%AUTO%/RasTls”. The files are: A legitimate signed executable from Kaspersky AV solution named “avp.exe”, MD5 e26d04cecd6c7c71cfbb3f335875bc31, which is susceptible to DLL search order hijacking . The file “avp.exe” when executed will load the second file: “ushata.dll”, MD5 728fe666b673c781f5a018490a7a412a, which in this case is a DLL crafted by the PlugX builder which on is turn will load the third file. The third file: “ushata.DLL.818”, MD5 “21078990300b4cdb6149dbd95dff146f” contains obfuscated and packed shellcode.

Persitence

Next, the payload will start performing different actions to achieve persistence. On Windows 7 and beyond, PlugX creates a folder “%ProgramData%\RasTl” where “RasTl” matches the installation settings defined in the builder. Then, it changes the folder attributes to “SYSTEM|HIDDEN” using the SetFileAttributesW API. Next, copies its three components into the folder and sets all files with the “SYSTEM|HIDDEN” attribute.

The payload also modifies the timestamps of the created directory and files with the timestamps obtained from ntdll.dll using the SetFileTime API.

Then it creates the service “RasTl” where the ImagePath points to “%ProgramData%\RasTl\avp.exe".

If the malware fails to start the just installed service, it will delete it and then it will create a persistence mechanism in the registry by setting the registry value “C:\ProgramData\RasTls\avp.exe” to the key “HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RasTls” using the RegSetValueExW API.

Additional Malware Installed

If the builder options had the Keylogger functionality enabled, then it may create a file with a random name such as “%ProgramData%\RasTl\rjowfhxnzmdknsixtx” that stores the key strokes. If the payload has been built with Screen capture functionality, it may create the folder “%ProgramData%\RasTl \RasTl\Screen” to store JPG images in the format <datetime>.jpg that are taken at the frequency specified during the build process. The payload may also create the file “%ProgramData%\DEBUG.LOG” that contains debugging information about its execution (also interesting that during execution the malware outputs debug messages about what is happening using the OutputDebugString API. This messages could be viewed with DebugView from SysInternals).

Malware Execution

The malicious code completes its mission by starting a new instance of “svchost.exe” and then injects the malicious code into svchost.exe process address space using process hollowing technique. The pictures below shows the first step of the process hollowing technique where the payload creates a new “svchost.exe” instance in SUSPENDED state and then uses WriteProcessMemory API to inject the malicious payload. Then the main thread, which is still in suspended state, is changed in order to point to the entry point of the new image base using the SetThreadContext API. Finally, the ResumeThread API is invoked and the malicious code starts executing. The malware also has the capabilities to bypass User Account Control (UAC) if needed. From this moment onward, the control is passed over “svchost.exe” and Plug-X starts doing its thing.

The screen shot posted shows repeated Eset svchost.exe detections and if you look closely at the Eset Event log, the malware is executing at the same fixed intervals. This would imply a scheduled task element being deployed. However, there could be a remote execution element deployed with the scheduling controlled from the attacker's C&C server.

-Correction- The PlugX malware is running in intervals but they are not fixed. This would point to remote execution triggering.

Edited by itman
Link to comment
Share on other sites

Posted (edited)

A couple other observations about this PlugX malware.

Although Eset is detecting the malicious PlugX code in memory and blocking its execution, it can't terminate the source svchost.exe process. Hence, the restart computer verbiage shown on the alert. This would imply that the svchost.exe was created with Windows security mechanisms such as Protected Process - Light, etc..

The repetitive interval frequency of the PlugX malware execution would be indicative of data upload from prior data harvesting activities. As posted, this malware can install a keylogger, screen capture, you name it additional malware. This also would imply that this additional malware is running undetected on this device.

Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...