PlugY

Malware updated a month ago (2024-11-29T14:49:40.688Z)
Download STIX
Preview STIX
PlugY is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Our analysis of samples of the PlugY implant and the DRBControl backdoor revealed that these two samples have the exact same architecture. This suggests a potential link between the two, as they might be developed or used by the same threat actors. The PlugY implant is delivered using the CloudSorcerer backdoor, which launches a process named msiexec.exe for each user signed into the OS and creates named pipes with the name template \.\PIPE\Y. This implant uses a unique malicious library to communicate with its command and control (C2) server via UDP. It supports multiple commands and uses three different protocols for C2 communications, making it a versatile tool in the hands of attackers. Recent attacks have seen this malware deployed alongside other tools such as the GrewApacha Backdoor in a campaign known as EastWind, targeting Russian government and IT organizations. The adversary has been using the CloudSorcerer backdoor to manually download PlugY, an implant with code that overlaps with APT27, indicating a possible connection with this Advanced Persistent Threat group. This overlap and the use of previously undetected malware underscore the sophistication and ongoing evolution of these cyber threats.
Description last updated: 2024-10-17T11:55:47.302Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Cloudsorcerer is a possible alias for PlugY. CloudSorcerer, a threat actor group known for its malicious activities, has been identified by Kaspersky as the entity behind a new EastWind campaign targeting Russian organizations. The group updated their CloudSorcerer backdoor after it was initially described in a blog post by Kaspersky in early
3
APT27 is a possible alias for PlugY. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Implant
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the PlugY Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more