Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Tibet Trojan attacks connected to Chinese programmer

Has AlienVault uncovered origins of PlugX Trojan?

Article comments

Security firm AlienVault thinks it has identified a key Chinese programmer with connections to the Chinese Government who could be behind a long-running malware assault on pro-Tibet campaigners, including with the recent PlugX RAT Trojan.

It’s extremely rare that security companies are able to put a name and a face to specific pieces of malware so the connection it stumbled upon when researching PlugX could attract some attention.

While researching PlugX’s binaries, the company started noticing similarities in some of the software’s debug paths.

Searching for similar debug paths in the User folder, the firm noticed the same ‘whg’ subfolder in a program called SockMon distributed from a named domain connected to a company, [name deleted].com Technology Ltd that had published security vulnerabilities in the past.

The domain contact info turned out to be for a Chengdu-located security company. ‘Whg’ turned out to work for the company with references to which described him as “Virus expert. Profcient in assembly.”

“At this point you can be thinking we cannot accuse whg of being related to the Xplug RAT and the targeted campaigns just for a couple of debug paths inside the binary, can we?,” AlienVault said.

“With the information we have, we can say that this guy is behind the active development of the Xplug RAT and he probably has some inside on the operations since this path.”

AlienVault also found web references, including referenced Wikipedia entries mentioning a ‘WHG’, as being connected to a string of important Chinese hacker attacks stretching back some years, including the infamous Titan Rain from 2007. A source named the sponsor of the WHG’s company as being the PLA.

The connection of WHG’s company to the PLA is built on circumstantial evidence but the coincidences are still unsettling. We should make clear that the connection is unproven and remains an allegation.

The PlugX RAT, meanwhile, has been used in attacks in Asia but also against pro-Tibet campaigners, exploiting Java vulnerabilities and digital certificates that let it masquerade as legitimate driver files.

Trend Micro reckons that PlugX is part of a longer-running campaign that has been around since early 2008 and probably takes in remote access Trojans including this year’s Poison Ivy.

The modus operandi is also very similar to the Gh0st RAT attacks. All of these campaigns have a theme of attacking pro-Tibet campaigners and are widely assumed to be connected to the Chinese Government in some way.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *