KNOWLEDGE SERIES


SIDELOADING: (NOT) DEAD AND LOVING IT. SO IS PLUGX

09 May 2023 | 5:30 PM SGT


Szappanos Gabor
Director, Threat Research
Sophos

He graduated from the Eotvos Lorand University of Budapest with a degree in physics. His first job was at the Computer and Automation Research Institute, developing diagnostic software and hardware for nuclear power plants.

He started antivirus work in 1995 and has been developing freeware antivirus solutions in his spare time.

He joined VirusBuster in 2001, where he was responsible for macro viruses and script malware. From 2002 he was the head of the virus lab.

Between 2008 and 2015 he was a member of the board of directors of AMTSO (Anti-Malware Testing Standards Organization). In 2012 he joined Sophos, where he works as Director of Threat Research.

DLL side-loading is an old technique that used to be a favourite of Chinese APT groups. The most prolific payload was the infamous PlugX backdoor.
But this is an old story, well covered by many publications across the industry. Surely the APT groups must have switched to shiny new deployment methods and payloads by now, right?

One thing you learn if you stay in this industry long enough is that perpetrators don't just give up on techniques that work. Even if they do, these tools and techniques tend to come back a few years later.

The presentation will cover two types of incidents that used DLL side-loading in 2022 and 2023.

The first is the case of side-loaded USB worms. We found a variant of PlugX and another payload that we tagged Worm Circus. Both have USB worm functionality and a data exfiltration method. In addition, both are susceptible to worm mating: picking up pieces of other, totally unrelated USB worms. As expected, this led to attribution hiccups. We will talk about the technical details and the related problems.

The second case used SEO poisoning to deliver trojanized versions of Chinese-language applications (most notably Telegram), packaged with various backdoors as payloads. We believe there are multiple threat actors using this method to target victims in Asia. These campaigns have not been analyzed in detail in publications; the presentation will cover the infection and execution mechanisms used there.