Korplug military targeted attacks: Afghanistan & Tajikistan

After taking a look at recent Korplug (PlugX) detections, we identified two larger scale campaigns employing this well-known Remote Access Trojan. This blog gives an overview of the first one, related to Afghanistan & Tajikistan. The other campaign, where the targets were a number of high-profile organizations in Russia, will be the subject of Anton Cherepanov’s presentation at the ZeroNights security conference in Moscow this week.

Sometimes malware used in various attacks is unique enough to identify related incidents, which makes tracking individual botnets simpler. An example is the BlackEnergy Lite variant (also known as BlackEnergy 3) used by a group of attackers (that was then given the name Quedagh, or Sandworm) against targets in Ukraine and other countries. BlackEnergy Lite is clearly distinguishable from the numerous binaries of the more common BlackEnergy 2 also circulating in-the-wild.

In other cases, attackers use more common tools for accomplishing their criminal goals. For example, the Korplug RAT (a.k.a. PlugX) is a well-known toolkit associated with Chinese APT groups and used in a large number of targeted attacks since 2012. For the past several weeks we have taken a closer look at a great number of detections of this malware in many unrelated incidents.

Among these, we were able to discover several successful infections where the employed Korplug samples were connecting to the same C&C domain.

DOMAIN: www.notebookhk.net
Updated Date: 2013-11-12 18:03:45
Create Date: 2013-06-18 11:08:17
Registrant Name: lee stan
Registrant Organization: lee stan
Registrant Street: xianggangdiqu
Registrant City: xianggangdiqu
Registrant State: xianggang
Registrant Postal Code: 796373
Registrant Country: HK
Registrant Phone : +0.04375094543
Registrant Fax: +0.04375094543
Registrant Email: stanlee@gmail.com

Other Korplug samples were connecting to a different domain name resolving to the same IPs as notebookhk.net:

DOMAIN: www.dicemention.com
Updated Date: 2013-11-12 18:05:33
Create Date: 2013-09-10 14:35:11
Registrant Name: z x
Registrant Organization: z x
Registrant Street: xianggangdiqu
Registrant City: xianggangdiqu
Registrant State: xianggang
Registrant Postal Code: 123456
Registrant Country: HK
Registrant Phone : +0.0126324313
Registrant Fax: +0.0126324313
Registrant Email: 123@123.com

DOMAIN: www.abudlrasul.com
Updated Date: 2014-10-16 14:16:27
Create Date: 2014-10-16 14:16:27
Registrant Name: gang xin
Registrant Organization: gang xin
Registrant Street: Argentina Argentina
Registrant City: Argentina
Registrant State: Argentina
Registrant Postal Code: 647902
Registrant Country: AR
Registrant Phone : +54.0899567089
Registrant Fax: +54.0899567089
Registrant Email: woffg89@yahoo.com

Taking these C&Cs as a starting point, we were able to locate a number of victims infected through various exploit-laden spear-phishing documents and cunningly-named archives.

A table with a selection of RTF documents and RAR self-extracting archives with a .SCR extension is shown below (file name | English translation | SHA1):

Situation Report about Afghan.doc | (English) | 36119221826D0290BC23371B55A8C0E6A84718DD
План деятельности соединений и воинских частей Приволжского региона на июль 2014 г.scr | Activity plan for military units and formations of the Volga region for July 2014 | EA6EE9EAB546FB9F93B75DCB650AF22A95486391
телефонный справочник структуры МИД КР .scr | Telephone directory of the Ministry of Foreign Affairs of the Kyrgyz Republic | D297DC7D29E42E8D37C951B0B11629051EEBE9C0
О Центре социальной адаптации военнослужащих.scr | About the Center for social adaptation of servicemen | 8E5E19EBE719EBF7F8BE4290931FFA173E658CB8
Протокол встречи НГШ КНР.scr | Minutes of the meeting with the Chief of the General Staff of the PRC | 1F726E94B90034E7ABD148FE31EBA08774D1506F
исправленный шаблон плана мероприятий.scr | Corrected action plan template | A9C627AA09B8CC50A83FF2728A3978492AEB79D8
Situation Report about Afghan.scr | (English) | A9C627AA09B8CC50A83FF2728A3978492AEB79D8
Военно-политическая обстановка в ИРА на04.10.2014.scr | Military and political situation in the Islamic Republic of Afghanistan (IRA) on 04.10.2014 | E32081C56F39EA14DFD1E449C28219D264D80B2F
Afghan Air Force.scr | (English) | E32081C56F39EA14DFD1E449C28219D264D80B2F
план мероприятий.scr | Action plan | 1F726E94B90034E7ABD148FE31EBA08774D1506F

Note that several entries share a SHA1: the same dropper was sent out under different, target-specific file names.

Some of the above-mentioned files also contained decoy documents:

[Figure: decoy document displayed to the victim]

In all of the cases, three binary files were dropped (apart from decoy documents) that led to the Korplug trojan being loaded into memory:


  • exe – a legitimate executable with a Kaspersky digital signature that would load a DLL with a specific file name
  • dll – a small DLL loader that would pass execution to the Korplug raw binary code
  • dll.avp – raw Korplug binary

The Korplug RAT is known to use this side-loading trick, abusing legitimate digitally signed executables to stay under the radar: a trusted application with a valid signature among the startup items is less likely to raise suspicion, and the malicious code itself never touches disk as a PE file.
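As an added example (not code from the original post or from ESET), the following Python hunting heuristic looks for the three-file pattern described above on a directory: an exe and a dll that are PE images next to a .dll.avp that is not (a raw code blob). The naming scheme <name>.exe / <name>.dll / <name>.dll.avp is an assumption that follows the three artefacts listed; real samples may use other names, and the stub files it creates are constructed stand-ins, not malware.

```python
import os
import tempfile

# Assumed naming, following the three artefacts listed above: <name>.exe (signed host),
# <name>.dll (loader picked up by the host) and <name>.dll.avp (raw Korplug code).
# Real samples may use other names; this is a hunting heuristic, not a signature.

def is_pe(path):
    """True if the file starts with the MZ magic of a DOS/PE image."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def find_sideload_triads(directory):
    """Return base names in `directory` that form an exe/dll/dll.avp triad where the
    exe and dll are PE images but the .avp is not, i.e. looks like a raw code blob.
    File name matching is case-insensitive, as on NTFS."""
    listing = {name.lower(): name for name in os.listdir(directory)}
    hits = []
    for lower, actual in sorted(listing.items()):
        if not lower.endswith(".exe"):
            continue
        base = lower[:-4]
        dll, avp = listing.get(base + ".dll"), listing.get(base + ".dll.avp")
        if dll is None or avp is None:
            continue
        exe_path = os.path.join(directory, actual)
        dll_path = os.path.join(directory, dll)
        avp_path = os.path.join(directory, avp)
        if is_pe(exe_path) and is_pe(dll_path) and not is_pe(avp_path):
            hits.append(actual[:-4])
    return hits


def build_constructed_sample():
    """Create a temp dir with constructed stand-ins (not real malware):
    one suspicious triad, one ordinary exe/dll pair, and one triad whose .avp is
    itself a PE and therefore does not match the raw-blob pattern. Returns the path."""
    d = tempfile.mkdtemp(prefix="korplug_triad_")
    pe_stub = b"MZ" + b"\x00" * 62                      # constructed: DOS header magic only
    raw_stub = b"\x60\x55\x8b\xec" + b"\x90" * 60       # constructed: pusha; push ebp; mov ebp,esp; nops
    files = {
        "Updater.exe": pe_stub, "updater.dll": pe_stub, "updater.dll.avp": raw_stub,
        "tool.exe": pe_stub, "tool.dll": pe_stub,
        "other.exe": pe_stub, "other.dll": pe_stub, "other.dll.avp": pe_stub,
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    sample = build_constructed_sample()
    print("suspicious triads:", find_sideload_triads(sample))
```

On a live Windows host the natural follow-up for each hit is to confirm that the exe really carries a valid third-party signature (for example with PowerShell's Get-AuthenticodeSignature) and to check whether it is referenced from a Run key, service or scheduled task.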

The maliciously crafted documents are RTF files that successfully exploit CVE-2012-0158, a vulnerability in the MSCOMCTL ActiveX control (Windows Common Controls) that is reached through Microsoft Word. The image below shows the beginning of the CVE-2012-0158 shellcode as it sits, hex-encoded as ASCII text, inside the document; the opcodes 60 55 8B EC disassemble to pusha; push ebp; mov ebp, esp.

[Figure: beginning of the CVE-2012-0158 shellcode, hex-encoded inside the RTF document]

Interestingly, though, the documents also contain the newer CVE-2014-1761 exploit that was extensively used this year in targeted attacks carried out with a number of other malware families (including BlackEnergy, Sednit, MiniDuke, and others). However, this exploit is not implemented correctly: the 1st stage shellcode uses a wrong file offset.

Below we see the disassembly of the 1st stage shellcode where it checks for the presence of the tag “p!11”, which marks the beginning of the 2nd stage shellcode, and loads that stage into memory. Even though the tag and the 2nd stage shellcode are present in the RTF, they sit at a different offset from the one the 1st stage reads, so the 2nd stage is never loaded.
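The two observations above (the hex-encoded shellcode prologue, and a stage-2 tag that is present but not where the first stage looks for it) can both be checked with a small triage script. The following Python is an added example, not code from the original post or from ESET: it decodes the long hex runs that RTF uses for embedded object data, reports where the 60 55 8B EC prologue and the “p!11” tag occur, and mimics the first stage's hard-coded offset check. The sample document is constructed, the hard-coded offset value is a hypothetical placeholder (the page does not give the real one), and the decoder assumes plain hex data rather than \bin binary runs.

```python
import re

# Opcode bytes named in the text: 60 55 8B EC = pusha; push ebp; mov ebp, esp
SHELLCODE_PROLOGUE = bytes.fromhex("60558bec")
# Tag the CVE-2014-1761 first stage looks for to locate its second stage
STAGE2_TAG = b"p!11"

# Long runs of hex pairs (optionally whitespace-separated), as found in \objdata and
# \pict groups. The lookbehind stops a match from starting inside a control word
# such as "\objdata". Assumption: the payload is plain hex, not \bin binary data.
HEX_RUN = re.compile(r"(?<![0-9A-Za-z\\])((?:[0-9A-Fa-f]{2}\s*){8,})")


def hex_runs(rtf_text):
    """Yield (offset_in_text, decoded_bytes) for each long hex run in an RTF document."""
    for m in HEX_RUN.finditer(rtf_text):
        yield m.start(), bytes.fromhex(re.sub(r"\s+", "", m.group(1)))


def find_markers(rtf_text):
    """Locate the shellcode prologue and the stage-2 tag in every decoded hex run.
    Returns {marker: [byte offsets within the decoded run]}."""
    found = {"cve-2012-0158 prologue": [], "cve-2014-1761 stage2 tag": []}
    for _, blob in hex_runs(rtf_text):
        for name, pat in (("cve-2012-0158 prologue", SHELLCODE_PROLOGUE),
                          ("cve-2014-1761 stage2 tag", STAGE2_TAG)):
            start = 0
            while (pos := blob.find(pat, start)) != -1:
                found[name].append(pos)
                start = pos + 1
    return found


def stage2_reachable(blob, expected_tag_offset):
    """Mimic the first stage's check: it reads the tag at one hard-coded offset.
    Returns (reachable, actual_tag_offset_or_None). A tag that is present but
    elsewhere in the data is exactly the failure mode described above."""
    window = blob[expected_tag_offset:expected_tag_offset + len(STAGE2_TAG)]
    actual = blob.find(STAGE2_TAG)
    return window == STAGE2_TAG, (None if actual == -1 else actual)


# Constructed sample (not a real exploit document): an OLE object whose hex-encoded
# data carries the prologue at byte 24 and the "p!11" tag at byte 68.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objdata "
    + "0105000002000000" + "41" * 16      # constructed header and filler
    + "60558bec" + "90" * 8               # prologue followed by nops
    + "00" * 32
    + "70213131" + "cc" * 8               # "p!11" then constructed stage-2 bytes
    + "}}}"
)
# Hypothetical hard-coded offset used by the first stage; the page does not give the real one.
ASSUMED_STAGE1_TAG_OFFSET = 0x20


if __name__ == "__main__":
    print(find_markers(SAMPLE_RTF))
    _, blob = next(hex_runs(SAMPLE_RTF))
    print(stage2_reachable(blob, ASSUMED_STAGE1_TAG_OFFSET))
```

With the constructed sample the prologue is found at byte 24 and the tag at byte 68, while the first stage looking at 0x20 sees no tag, which reproduces the “present but never loaded” situation; for a real document you would take the expected offset from the disassembled first stage rather than from a constant.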


Sophos’ Gabor Szappanos has offered a possible explanation of how these malformed samples may have come into existence.

ESET LiveGrid telemetry indicates that the attacks against these targets have been going on since at least June 2014 and continue through today.

We were able to pinpoint the targets to residents of the following countries:

  • Afghanistan
  • Tajikistan
  • Russia
  • Kyrgyzstan
  • Kazakhstan

From the topics of the files used to spread the malware, as well as from the affected targets, it appears that the attackers are interested in gathering intelligence related to Afghan, Tajik and Russian military and diplomatic subjects.

Interestingly, most of the affected victims have another thing in common – a number of other RATs, file stealing trojans or keyloggers were detected on their systems on top of the Korplug RAT detection. One of these ‘alternative RATs’ was connecting to a domain also used by the Korplug samples.

Since the functionality of these tools partly overlapped with that of Korplug, it left us wondering whether the attackers were just experimenting with different RATs or were supplementing functionality that they were unable to accomplish with Korplug alone.

Additional information about two malware families that were most often found accompanying Korplug infections is given below.

Alternative Malware #1: DarkStRat

A curious Remote Access Trojan: research points to a Chinese connection, yet the commands it listens for are in Spanish (English translations in parentheses):

  • CERRAR (close)
  • DESINSTALAR (uninstall)
  • SERVIDOR (server)
  • INFO
  • PING
  • PROC
  • VERUNIDADES (see units)
  • LISTARARCHIVOS (list files)
  • EXEC
  • CAMBIOID (change ID)
  • SERVICIOSLISTAR (list services)
  • INICIARSERVICIO (start service)
  • DETENERSERVICIO (stop service)
  • BORRARSERVICIO (erase service)
  • INSTALARSERVICIO (install service)

The malware can manage processes and services on the infected machine, transfer files to and from the C&C server, run shell commands, and so on. It is written in Delphi and connects to www.dicemention.com. Some samples contain a digital signature by “Nanning weiwu Technology co.,ltd”.

Alternative Malware #2: File Stealer

This malware is written in C and contains several functions for harvesting files from the victim’s hard drive according to criteria set in its configuration file. Apart from doing a recursive sweep of all logical fixed and remote drives, it also continually monitors newly attached removable media or network shares by handling WM_DEVICECHANGE notifications with the DBT_DEVICEARRIVAL event code.

In addition to collecting files, the malware attempts to gather saved passwords, history of visited URLs, account information and proxy information from the following applications:

  • Microsoft Messenger
  • Microsoft Outlook
  • Microsoft Internet Explorer
  • Mozilla Firefox

The C&C domains used by this malware are:

  • newvinta.com
  • worksware.net

Some samples of this file stealer detected in these campaigns also contain the signature by “Nanning weiwu Technology co.,ltd” – another indicator that the infections are related.

List of SHA1 hashes:



Alternative Malware #1:


Alternative Malware #2:


Research by: Anton Cherepanov
