Has AlienVault uncovered origins of PlugX Trojan?

Security firm AlienVault thinks it has identified a key Chinese programmer with connections to the Chinese Government who could be behind a long-running malware assault on pro-Tibet campaigners, including with the recent PlugX RAT Trojan. It is extremely rare that security companies are able to put a name and a face to specific pieces of malware, so the connection it stumbled upon when researching PlugX could attract some attention.

While researching PlugX's binaries, the company started noticing similarities in some of the software's debug paths. Searching for similar debug paths in the User folder, the firm noticed the same 'whg' subfolder in a program called SockMon, distributed from a named domain connected to a company, Chinansl.com Technology Ltd, that had published security vulnerabilities in the past. The domain contact info turned out to be for a Chengdu-located security company. 'Whg' turned out to work for the company, with references describing him as "Virus expert. Proficient in assembly."

"At this point you can be thinking we cannot accuse whg of being related to the Xplug RAT and the targeted campaigns just for a couple of debug paths inside the binary, can we?," AlienVault said. "With the information we have, we can say that this guy is behind the active development of the Xplug RAT and he probably has some inside on the operations since this path."

AlienVault also found web references, including referenced Wikipedia entries mentioning a 'WHG', as being connected to a string of important Chinese hacker attacks stretching back some years, including the infamous Titan Rain from 2007.
A source named the sponsor of WHG's company as being the PLA. The connection of WHG's company to the PLA is built on circumstantial evidence, but the coincidences are still unsettling.

The PlugX RAT, meanwhile, has been used in attacks in Asia but also against pro-Tibet campaigners, exploiting Java vulnerabilities and digital certificates that let it masquerade as legitimate driver files. Trend Micro reckons that PlugX is part of a longer-running campaign that has been around since early 2008 and probably takes in remote access Trojans including this year's Poison Ivy. The modus operandi is also very similar to the Gh0st RAT attacks. All of these campaigns have a theme of attacking pro-Tibet campaigners and are widely assumed to be connected to the Chinese Government in some way.
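The pivot AlienVault describes, linking samples through the user folder in their embedded debug paths, can be reproduced by an analyst with a few lines of Python. The script below is an added example, not AlienVault's tooling or code from the article: it pulls PDB paths out of CodeView "RSDS" records found in raw binary data and groups samples by the user-profile folder named in the path. The sample blobs, paths, and helper names are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# CodeView "RSDS" record: 4-byte signature, 16-byte GUID, 4-byte age, then a
# NUL-terminated PDB path. Scanning raw bytes for it works on a PE file without
# a full PE parser, and also on memory dumps or unpacked sections.
_RSDS = b"RSDS"
_RSDS_HEADER_LEN = 4 + 16 + 4

# Matches a Windows user-profile folder and the first subfolder under it,
# e.g. C:\Users\<user>\<project>\... or C:\Documents and Settings\<user>\...
_USER_DIR = re.compile(
    r"^[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)\\([^\\]+)", re.I
)


def extract_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path found in RSDS CodeView records inside `data`."""
    paths = []
    pos = data.find(_RSDS)
    while pos != -1:
        start = pos + _RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end > start:
            try:
                paths.append(data[start:end].decode("ascii"))
            except UnicodeDecodeError:
                pass  # not a real record, or a non-ASCII path we do not handle
        pos = data.find(_RSDS, pos + 1)
    return paths


def user_and_project(path: str) -> Optional[Tuple[str, str]]:
    """Split a PDB path into (user folder, first subfolder), or None."""
    m = _USER_DIR.match(path)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def cluster_by_user(samples: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Group sample names by the user folder named in their PDB path(s)."""
    clusters = defaultdict(set)
    for name, blob in samples.items():
        for pdb_path in extract_pdb_paths(blob):
            parsed = user_and_project(pdb_path)
            if parsed:
                clusters[parsed[0]].add(name)
    return dict(clusters)


def _make_rsds(path: str) -> bytes:
    """Build a constructed RSDS record (zero GUID, age 1) around `path`."""
    return _RSDS + b"\x00" * 16 + b"\x01\x00\x00\x00" + path.encode() + b"\x00"


# Constructed sample blobs; the paths are placeholders, not real PlugX paths.
SAMPLES = {
    "sample1": b"MZ..." + _make_rsds(r"C:\Users\whg\proj_a\Release\a.pdb"),
    "sample2": b"MZ..." + _make_rsds(r"C:\Users\whg\proj_b\Release\b.pdb"),
    "sample3": b"MZ..." + _make_rsds(r"C:\Users\other\proj\Release\c.pdb"),
    "sample4": b"MZ... no debug record here",
}
```

Running `cluster_by_user(SAMPLES)` groups sample1 and sample2 under "whg" and sample3 under "other", while sample4 contributes nothing; on real files, read each binary with `open(path, "rb").read()` in place of the constructed blobs.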