(Re)Build PlugX
After digging, I succeeded in rebuilding PlugX (from tria.ge and VT).
You can find it here.
Of course, you know the password (if you forget the password, ask vx-underground <3).
All the necessary information is in the archive.
You can also find some Censys queries (and sources) for hunting PlugX C2 servers.
PlugX has three pieces:
- X3AVAST.exe is the controller (i.e. the server).
- X2(make).exe is the builder; it produces a binary named m.exe, which is the implant.
- FastProxy.exe is part of the controller and needs to be launched separately.
  - First, DON'T RENAME IT, and put everything in the same folder.
  - e.g.: `FastProxy.exe $PID $EXTERNAL_PORT $INTERNAL_PORT TCP/UDP/WHATEVER`
  - The PID is shown in X3AVAST.exe when you try to launch a listener.
Hunting - PlugX (Censys)
- Default port: 12345 (also 80, 443, 8080, 53 …)
- Server header: Apache 1.3.27
- Body: **The Page You Requested Was Not Found!**
- Body hash: sha1:b392fad64410226b6728344a8bf6b834b6cfbc81
- Status: 404
- Folder: `data/computers`
https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=b392fad64410226b6728344a8bf6b834b6cfbc81
https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.port%3D%2212345%22+and+%28services.http.response.headers%3A+%28key%3A+%60Server%60+and+value.headers%3A+%60Apache+1.3.27%60%29%29
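As an added example (not from the post or the archive it links), here is a small Python checker that applies the fingerprint above to a raw HTTP response you already hold (from your own scanner output or a proxy capture): it parses the status line and headers, then reports which of the indicators hit (port, Server banner, 404 status, body text, body SHA-1). The sample responses are constructed, so their body hash will not equal the real value, and accepting the banner both as `Apache 1.3.27` and `Apache/1.3.27` is an assumption.

```python
import hashlib

# Indicators taken from the post (Censys fingerprint for the PlugX controller).
PLUGX_PORTS = {12345, 80, 443, 8080, 53}
PLUGX_SERVER = "apache/1.3.27"          # assumption: banner may appear with space or slash
PLUGX_BODY_TEXT = b"The Page You Requested Was Not Found!"
PLUGX_BODY_SHA1 = "b392fad64410226b6728344a8bf6b834b6cfbc81"
PLUGX_STATUS = 404


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 404 Not Found" -> 404
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def match_plugx_c2(port: int, raw: bytes) -> dict:
    """Return a dict saying which PlugX C2 indicators the captured response matches."""
    status, headers, body = parse_http_response(raw)
    server = headers.get("server", "").lower().replace(" ", "/")
    return {
        "port": port in PLUGX_PORTS,
        "status": status == PLUGX_STATUS,
        "server": server == PLUGX_SERVER,
        "body_text": PLUGX_BODY_TEXT in body,
        "body_hash": hashlib.sha1(body).hexdigest() == PLUGX_BODY_SHA1,
    }


def is_likely_plugx(hits: dict) -> bool:
    """Require the Server banner plus at least two more hits to keep false positives down."""
    return hits["server"] and sum(hits.values()) >= 3


# Constructed sample responses (not real captures).
SAMPLE_PLUGX = (
    b"HTTP/1.1 404 Not Found\r\nServer: Apache/1.3.27\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><b>The Page You Requested Was Not Found!</b></body></html>"
)
SAMPLE_NGINX = b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n<html>404</html>"

if __name__ == "__main__":
    print(match_plugx_c2(12345, SAMPLE_PLUGX), is_likely_plugx(match_plugx_c2(12345, SAMPLE_PLUGX)))
```

Feed it the response from a host returned by the Censys queries above and compare the `body_hash` hit against the hash listed there to confirm the match.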
Sources
- https://hunt.io/blog/legacy-threat-plugx-builder-controller-discovered-in-open-directory
- https://logrhythm.com/blog/deep-dive-into-plugx-malware/
- https://www.cyber.airbus.com/plugx-v2-meet-scontroller/
- https://www.cyber.airbus.com/latest-changes-plugx/
And many others.
I'm sure you'll appreciate it ;)
송소미