
IT Executive Revealed As PlugX RAT Malware Creator

Security experts at AlienVault have tracked down the creator of the PlugX Remote Access Tool (RAT), used in hacker attacks around the world. To their surprise, the brains behind the software was actually one of the directors of a Chinese IT company.

The sleuths analysed the traces left by PlugX activity and identified the suspected programmer, which led them to his address, his photo and the name of the company he was working for – ChinaNSL Technology.

Digital detective work

AlienVault has been tracking PlugX, also known as Korplug, for the past few months, analysing the payloads of the attacks and collecting intelligence.

Malware builder known as “whg”

PlugX is a backdoor malware with a high damage potential. Once on the system, it executes commands from a remote malicious user, effectively compromising the affected computer.

The tool was mainly used by hackers in Japan, Taiwan, China and Korea, and against Tibetan organizations. The security experts were almost certain that the creator of the malware had been taking part in the attacks himself.

Over time, PlugX has been changing and adding capabilities, and several versions have been spotted around the Web. When comparing binaries of these versions, AlienVault found several instances of debug paths containing the user name “whg”, as well as traces of another low-key hacking tool called SockMon.
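The debug-path pivot described above, as an added example that is not AlienVault's code or from the article: a minimal scanner that pulls CodeView “RSDS” records (PDB GUID, age and build-machine path) out of raw PE bytes and extracts the user-profile directory name from the path. The sample blob, the user-directory layouts it matches and the function names are constructed assumptions.

```python
import re
import struct
import uuid
from typing import List, NamedTuple, Optional


class CodeViewRecord(NamedTuple):
    guid: str       # PDB GUID: a pivot for linking builds from the same machine
    age: int        # PDB age counter
    pdb_path: str   # build-machine path written by the linker
    offset: int     # file offset of the record


def extract_rsds_records(data: bytes) -> List[CodeViewRecord]:
    """Scan raw PE bytes for CodeView 'RSDS' debug records.
    Layout: b'RSDS' | 16-byte GUID | 4-byte LE age | NUL-terminated PDB path.
    Signature scanning (not walking the debug directory) also works on dumps.
    """
    records = []
    pos = data.find(b"RSDS")
    while pos != -1:
        body = pos + 4
        end = data.find(b"\x00", body + 20)
        if body + 20 <= len(data) and end != -1:
            guid = uuid.UUID(bytes_le=data[body:body + 16])
            (age,) = struct.unpack_from("<I", data, body + 16)
            path = data[body + 20:end].decode("ascii", errors="replace")
            # keep only plausible paths; random 'RSDS' hits decode to junk
            if path.isprintable() and path.lower().endswith(".pdb"):
                records.append(CodeViewRecord(str(guid), age, path, pos))
        pos = data.find(b"RSDS", pos + 4)
    return records


# Assumed profile-directory layouts (XP-era and Vista+); e.g. D:\name\... is not matched
_USER_DIR = re.compile(r"\\(?:users|documents and settings)\\([^\\]+)\\", re.IGNORECASE)


def username_from_pdb_path(path: str) -> Optional[str]:
    """Return the user-profile directory name embedded in a PDB path, or None."""
    m = _USER_DIR.search(path)
    return m.group(1) if m else None


def build_sample() -> bytes:
    """Constructed test blob (not a real PlugX sample): padding around one record."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    path = b"C:\\Documents and Settings\\example_user\\Desktop\\proj\\Release\\proj.pdb"
    return b"\x90" * 32 + b"RSDS" + guid.bytes_le + struct.pack("<I", 3) + path + b"\x00" * 8
```

The GUID and age together identify a specific PDB, so identical values across samples are a stronger link than the path string alone.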

A quick investigation of the cnasm.com website on which SockMon is hosted (located in China) yielded an email address, whg0001@163.com, which appeared to match the user name found in the debug paths of the RAT samples.

The research team then discovered that in 2000, the same email address was used as the administrative contact for the domain chinansl.com. The domain was registered to a representative of ChinaNSL Technology, with offices in Chengdu, Sichuansheng, China.

As it turned out, ChinaNSL Technology is a cybersecurity company employing “whg”. AlienVault found references to his work online, describing him as a “virus expert proficient in assembly”. A forum post that looks like a hacker directory says that “whg” “wrote a lot of software”, and identifies cnasm.com as his homepage.

This information led AlienVault to the suspect’s forum profile with a picture. Finally, the team confirmed that “whg” was responsible for PlugX after finding a link to his Baidu profile deep within a more recent version of the malware tool.

After the company published its findings, “whg” cleared his Baidu account. It is safe to assume his reputation has been damaged, but it is still unclear whether law enforcement agencies will get involved.


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
