All the files under these folders will be copied to {USB_volume}:Usb Disk:
- {USB_volume}:
- {USB_volume}:Kaspersky
- {USB_volume}:KasperskyUsb Drive
- {USB_volume}:Usb Drive3.0
- {USB_volume}:KasperskyRemovable Disk (Including files in subfolder)
- {USB_volume}:AVASTProtection for Autorun (Including files in subfolder)
- {USB_volume}:SMADAVSMADAV (Including files in subfolder)
This thread creates the mutex, USB_NOTIFY3_COP_{USB_volume}, for mark. There are two kinds of stealing conditions, each of which we discuss here:
If the connection succeeds in connecting to https://www.microsoft.com/, it will check the file extensions in these predefined folders:
- {USB_volume}:KasperskyUsb Drive1.0
- {USB_volume}:Usb Drive1.0
- {USB_volume}:.SystemDeviceUSB3.0KasperskyUsb Drive1.0
- {USB_volume}:.SystemDeviceUSB3.0Usb Drive1.0
If the file extensions are not .cmd, .bat, or .dll and the file name is not RECYCLERS.BIN, it will transfer the file to %userprofile%AppDataRoamingRender1.0 and empty the content of the original file.
We also found another functionality, but it seems that it has not been implemented as of this writing. This functionality collects all files under the same folders and looks for the files with the following extensions:
- .doc
- .docx
- .ppt
- .pptx
- .xls
- .xlsx
Afterward, it will encode the file name with base64, encrypt the file content, and copy the file to the folder of the current process.
Here is the XOR algorithm to encrypt the stolen files:
encrypted_contents = []
encrypted_key = 0x6D
for i in range(len(contents)):
encrypted_contents.append(contents[i] ^ encrypted_key)
encrypted_key += 0xAA
If the connection fails, the thread checks the value in registry (HKCU|HKLM)SystemCurrentControlSetControlNetworkVersion, which does not exist. Afterward, it creates and executes the batch script %temp%edg{value of QueryPerformanceCounter}.bat to collect the information of the victim.
%comspec% /q /c systeminfo >”%~dp0AE353BBEB1C6603E_E.dat”
%comspec% /q /c ipconfig /all >>”%~dp0AE353BBEB1C6603E_E.dat”
%comspec% /q /c netstat -ano >>”%~dp0AE353BBEB1C6603E_E.dat”
%comspec% /q /c arp -a >>”%~dp0AE353BBEB1C6603E_E.dat”
%comspec% /q /c tasklist /v >>”%~dp0AE353BBEB1C6603E_E.dat”
del %0
The output data will then be encrypted and dropped to {USB_volume}:Usb Drive1.0 {value of SOFTWARECLASSESms-puCLSID}.dat.
This thread creates the mutex, USB_NOTIFY_BAT_H3_{USB_volume} for mark, which will be executed only under these conditions:
- When connection with https://www.microsoft.com fails
- When there is no value in System\CurrentControlSet\Control\Network\version (this registry is enabled when argument of cmd line = “-net”)
The thread will search all batch scripts inside the following folders:
- {USB_volume}:Usb Drive1.0p
- {USB_volume}:KasperskyUsb Drive1.0p
- {USB_volume}:.SystemDeviceUSB3.0Usb Drive1.0p
If the batch script name does not contain the strings tmpc_ or tmp_, the script will be decrypted via XOR algorithm, which is the same as the file encryption in the thread 2 subsection. The new batch will then be created in %temp%{value of QueryPerformanceCounter}.bat and executed by ShellExecuteW with the following contents:
{USB_volume}
cd “{USB_volume}:target folder”
{decrypted contents in batch file}
del %0
DOPLUGS backdoor behavior (Command and Control)
This behavior is the same as the original piece of DOPLUGS malware and is responsible for C&C communication, backdoor commands, and downloading the next-stage general type of the PlugX malware.
The following command line is executed to set up scheduled tasks to enable Wi-Fi connection:
- cmd.exe /c schtasks.exe /create /sc minute /mo 30 /tn “Security WIFI Script” /tr “netsh interface set interface “””Wireless Network Connection””” enabled” /ru SYSTEM /F&schtasks.exe /run /tn “Security WIFI Script”
- cmd.exe /c schtasks.exe /create /sc minute /mo 30 /tn “Security WIFI2 Script” /tr “netsh interface set interface “””Wireless Network Connection 2″”” enabled” /ru SYSTEM /F&schtasks.exe /run /tn “Security WIFI2 Script”
- cmd.exe /c schtasks.exe /create /sc minute /mo 30 /tn “Security WIFI3 Script” /tr “netsh interface set interface “””Wireless Network Connection 3″”” enabled” /ru SYSTEM /F&schtasks.exe /run /tn “Security WIFI3 Script”
Old variant
In addition to DOPLUGS, we hunted down several customized PlugX malware samples that are also equipped with the KillSomeOne module. Based on our investigation, this integration would have been active for three years, with the report published by Avira being the first to reveal this technique. The sample mentioned in Avira’s report is the first PlugX variant with the KillSomeOne module designed for spreading via USB.
The following table is a list of different PlugX malware types with integrate KillSomeOne variants:
About Author
