pixel_dreams - Fotolia

How do the malware implants RedLeaves and PlugX work?

Malware implants RedLeaves and PlugX infected networked systems in multiple industries and leveraged stolen administrator credentials. Expert Judith Myerson explains how it works.

The National Cybersecurity and Communications Integration Center became aware of multiple malware implants, including RedLeaves and PlugX, that target various vertical industries. How do these malware implants work? How can we counter them?

Attackers exploit system administrators' credentials to launch multiple malware implants, including RedLeaves and PlugX. They work with the open source PowerSploit, a PowerShell tool that ethical penetration testers use to hack systems.

RedLeaves and PlugX/Sogu are based on existing malware code, but have been modified to avoid detection using existing antivirus signatures. After being implanted in the target system, they are executed on systems via a dynamic-link library (DLL) side-loading technique that uses three files:

  • a nonmalicious executable to start the installation;
  • a malicious DLL loader; and
  • an encoded payload file that the loader decodes into memory.

RedLeaves malware connects to the command-and-control (C&C) server over TCP port 443 with HTTPS and skips the secure flag when calling an API function. The data is not encrypted, and there is no SSL handshake, which would normally occur with TCP port 443 traffic. The system name, operating system versions, system uptime, processor specs and other data are collected.

PlugX is a sophisticated Remote Access Tool (RAT) that is used to communicate with the PlugX C&C server over TCP ports 443, 80, 8080 and 53. The PlugX operator can add, remove or update PlugX plug-ins during runtime using Netstat, Keylog, Portmap, SQL and Telnet.

To aid in detecting malware implants, the National Cybersecurity and Communications Integration Center refers to sources, including FireEye, PwC/BAE Systems and Palo Alto Networks. The US CERT alert about these malware implants recommends seven best practices:

  1. Implement a vulnerability assessment and remediation program.
  2. Encrypt all sensitive data in transit and at rest.
  3. Launch an insider threat program.
  4. Review logging and alerting data.
  5. Conduct an independent security (not compliance) audit of the data.
  6. Create an information sharing program.
  7. Maintain network and system documentation to aid in timely incident response, including network diagrams, asset owners, types of assets and the latest incident plan.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Find out what you need to know about signatureless malware detection

Discover how WannaCry affects enterprises' industrial control system networks

Learn how to use a cloud-based sandbox to analyze malware

This was last published in July 2017

Dig Deeper on Threats and vulnerabilities