IT Executive Revealed As PlugX RAT Malware Creator

AlienVault identified the suspect by traces of his personal information scattered online

Security experts at AlienVault have tracked down the creator of the PlugX Remote Access Tool (RAT), used in hacker attacks around the world. To their surprise, the brains behind the software was actually one of the directors of a Chinese IT company.

The sleuths analysed the traces of PlugX activity, and identified the suspected programmer, which led them to his address, photo and the name of the company he was working for – ChinaNSL Technology.

Digital detective work

AlienVault has been tracking PlugX, also known as Korplug, for the past few months, analysing the payloads of the attacks and collecting intelligence.

Malware builder known as “whg”

PlugX is a backdoor malware with a high damage potential. Once on the system, it executes commands from a remote malicious user, effectively compromising the affected computer.

The tool was mainly used by hackers in Japan, Taiwan, China and Korea, and against Tibetan organizations. The security experts were almost certain that the creator of the malware had been participating in the attacks himself.

Over time, PlugX has been changing and adding capabilities, and several versions have been spotted around the Web. When comparing binaries of these versions, AlienVault found several instances of debug paths containing the user name “whg”, and traces of another low-key hacking tool called SockMon.
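The debug-path pivot described above, written out as an added example for analysts (this is not AlienVault's tooling): it pulls CodeView “RSDS” records out of raw binaries, strips build-tree noise from the PDB paths, and counts which directory names recur across a set of samples. The sample blobs, GUIDs and paths are constructed for illustration, not taken from real PlugX or SockMon binaries.

```python
import re
import struct
import uuid
from collections import Counter

# CodeView "RSDS" debug record: magic, 16-byte GUID, 4-byte age, NUL-terminated PDB path.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)

# Build-tree directory names that carry no attribution signal.
NOISE = {"release", "debug", "x86", "x64", "win32", "obj", "bin", "users", "documents and settings"}

def extract_pdb_records(blob):
    """Return (guid, age, pdb_path) for every RSDS record found in a raw binary."""
    out = []
    for m in RSDS_RE.finditer(blob):
        guid = str(uuid.UUID(bytes_le=m.group(1)))
        age = struct.unpack("<I", m.group(2))[0]
        out.append((guid, age, m.group(3).decode("ascii")))
    return out

def pivot_tokens(pdb_path):
    """Directory names in a PDB path worth pivoting on: no drive letter, file name or noise."""
    parts = [p for p in re.split(r"[\\/]+", pdb_path) if p]
    dirs = parts[1:-1] if re.fullmatch(r"[A-Za-z]:", parts[0]) else parts[:-1]
    return {d for d in dirs if d.lower() not in NOISE}

def shared_tokens(samples):
    """Count, across a set of binaries, how many of them contain each pivot token."""
    counts = Counter()
    for blob in samples:
        tokens = set()
        for _, _, path in extract_pdb_records(blob):
            tokens |= pivot_tokens(path)
        counts.update(tokens)
    return counts

def _fake_pe(pdb_path, seed):
    """Constructed stand-in for a compiled binary: MZ stub plus one RSDS record (hypothetical data)."""
    guid = bytes((seed + i) & 0xFF for i in range(16))
    return b"MZ" + b"\x00" * 62 + b"RSDS" + guid + struct.pack("<I", seed) + pdb_path + b"\x00" + b"\x90" * 16

# Constructed sample set: two builds sharing a developer directory, one unrelated tool.
SAMPLES = [
    _fake_pe(b"D:\\work\\whg\\plug\\Release\\plug.pdb", 1),
    _fake_pe(b"D:\\work\\whg\\plug2\\Debug\\plug.pdb", 2),
    _fake_pe(b"C:\\Users\\builder\\sockmon\\Release\\sockmon.pdb", 3),
]

if __name__ == "__main__":
    for token, n in shared_tokens(SAMPLES).most_common():
        print(f"{n} sample(s) share directory token {token!r}")
```

Tokens that recur across otherwise different builds (here “work” and “whg”) are the ones worth following into search engines and registration records, as the article describes.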

A quick investigation of the cnasm.com website on which SockMon is hosted (located in China) yielded an email address: whg0001@163.com, which seemed to coincide with the user name found in the debug path of the RAT samples.

The research team then discovered that in 2000, the same email address had been used as the administrative contact for the domain chinansl.com. The domain was registered to a representative of ChinaNSL Technology with offices in Chengdu, Sichuansheng, China.

As it turned out, ChinaNSL Technology is a cybersecurity company employing “whg”. AlienVault has found references to his work online, describing him as a “virus expert proficient in assembly”. A forum post which looks like a hacker directory says that “whg” “wrote a lot of software”, and identifies cnasm.com as his homepage.

This information led AlienVault to the suspect’s forum profile with a picture. Finally, the team confirmed that “whg” was responsible for PlugX after finding a link to his Baidu profile deep within a more recent version of the malware tool.

After the company published its findings, “whg” cleared his Baidu account. It is safe to assume his reputation has been damaged, but it is as yet unclear whether law enforcement agencies will get involved.
