PlugY

Malware updated a month ago (2024-10-17T12:04:35.227Z)
PlugY is a malware implant. It is delivered to already-compromised hosts rather than spreading on its own, and once resident it can steal information, disrupt operations, or stage data for further abuse.

Kaspersky's analysis of PlugY samples alongside the DRBControl backdoor found that the two share the exact same architecture, which suggests a link between them: they may be developed or operated by the same threat actors.

The PlugY implant is delivered by the CloudSorcerer backdoor. On deployment it launches a process named msiexec.exe for each user signed into the OS and creates named pipes following the name template \\.\PIPE\Y. The implant uses a unique library to communicate with its command and control (C2) server over UDP, supports multiple commands, and can use three different protocols for C2 communications, which makes it a versatile tool for the operators.

In recent attacks, in a campaign known as EastWind targeting Russian government and IT organizations, PlugY was deployed alongside other tools such as the GrewApacha backdoor. The adversary used the CloudSorcerer backdoor to manually download PlugY, whose code overlaps with APT27 tooling, indicating a possible connection with that Advanced Persistent Threat group. The code overlap and the use of previously undetected malware underscore the sophistication and ongoing evolution of this activity.
Description last updated: 2024-10-17T11:55:47.302Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be relevant.
Alias | Description | Votes
--- | --- | ---
Cloudsorcerer | Cloudsorcerer is a possible alias for PlugY. CloudSorcerer, a threat actor group known for its malicious activities, has been identified by Kaspersky as the entity behind a new EastWind campaign targeting Russian organizations. The group updated their CloudSorcerer backdoor after it was initially described in a blog post by Kaspersky in early | 3
APT27 | APT27 is a possible alias for PlugY. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the | 2
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Backdoor
Implant