Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRE
T//
NOFORN
Pique Analysis Report
20150807-254-CI-2015 Plu
g
X7
Ra
y
theon Blackbird Technolo
g
i
es,
Inc. 1 07 Au
g
2015
Use or disclosure of data contained on this sheet is su
bje
ct to the restrictions on the title
page
of this document.
SECRE
T//
NOFORN
1.0 (U) Analysis Summary
(S//NF) The following report discusses a variant of PlugX a previously reported remote access
tool (RAT). This RAT abuses perfectly valid signed binaries to perform the attack. It is also
stated that it has the ability to defeat UAC in Windows 7.
(S//NF) It is assumed in the report that this PlugX variant is delivered as embedded archive
inside a PDF or Office document. When the archive extracts, one of the files is a signed file
taken from a software bundle from McAfee. This McAfee file is bundled with a custom DLL
which McAfee does not check for validity. This DLL then executes resulting in code being
loaded and executed in memory which not detected by virus scanners at the time of this report.
When running under Window 7 this PlugX variant is described as defeating UAC however no
further details are provided.
(S//NF) Once the RAT is fully up and running it communicates with C&C servers over port 443
and provides typical PlugX capabilities such as disk functions, screen capture, remote desktop,
shell, telnet, registry edit, etc. The RAT maintains persistency through the use of registry keys or
optionally installing as a service.
(S//NF) Unfortunately this report did not detail the mechanism whereby UAC is defeated.
However, the successful technique of loading a custom DLL from a signed McAfee executable is
worthy of a POC. We recommend the custom DLL loading from a signed McAfee executable be
developed as a PoC. However, prior to assigning this as an official PoC project, we recommend
research be conducted to ensure the technique hasn’t been patched and is still viable.
2.0 (U) Description of the Technique
(S//NF) The technique mentioned uses a signed McAfee executable to load a custom DLL
without detection.
3.0 (U) Identification of Affected Applications
(U) Windows
4.0 (U) Related Techniques
(S//NF) Remote Access Tool and covert DLL loading.
5.0 (U) Configurable Parameters
(U) None
6.0 (U) Exploitation Method and Vectors
(S//NF) This PlugX variant is assumed to be delivered via a malicious attachment. The machine
is then exploited by loading a custom DLL from a valid signed executable.

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh