Researchers Believe a 'Virus Expert' Called whg0001 is Behind PlugX RAT Malware

PlugX is a form of malware that exploits a legitimate process or application, remote access and assistance provided by IT personnel who troubleshoot or perform system maintenance. A RAT (malicious Remote Assistance Tool) is used by hackers to secretly gain remote control of an infected system and perform whatever the compromised user level allows, i.e. edit the Registry, delete files, upload or download files, etc., and even add the system to a botnet so the resources can be used to partake in a DNS strike.

As you can imagine, PlugX is not the only RAT (malicious Remote Assistance Tool) out in the wild. Tracing the invisible footprints malware makers and cybercriminals as a whole leave behind often lead no where. But thanks to a lot of hard work and endless hours, Jaime Blasco, a lab manager at AlienVault, a security firm, was not only able to connect PlugX to a username but also the face behind it. Blasco extracted the debug file path from several PlugX binaries and matched it up with other PlugX samples to uncover commonalities, for starters the user name of 'whg.' The samples indicated the author used separate systems for his work.

Blasco took it a step further and scanned for additional binary files, leading him to a Chinese application called SockMon sourced at cnasm(dot)com. It was here that Blasco connected 'whg0001' to someone being identified as a virus expert. The Chinese website offered up an email address in which Blasco used to challenge the accused but without any response. Additional research uncovered 'whg001' as administrative contact for another Chinese website back in 2000, under company name of Chinansl Technology Co., Ltd. Surprising is that this company, Chinansl, has ties to the security industry in China. Blasco stumbled upon a CSDN profile of 'wgh0001' and was able the photo and username to several versions of PlugX, so it is safe to say this virus expert using the identity of 'whg001' is co-creator of RAT PlugX.

Most malicious attacks are done in the dark or behind an anonymous identity, such as hacktivists groups who many times are associated with anti-authority ethics. Malware makers and cybercriminals alike pride themselves on anonymity. So how come Blasco was able to out-pawn a noted virus expert? Could it be possible he uncovered a vulnerability or zero-day exploit in how 'wgh0001' imprinted his malicious projects?

Cybercrime is a billion-dollar industry fueled mostly by greed and continues to play out like a well-played game of chess. It is methodical and has long range that demands endurance as well as a strategic and tactical mindset. The more educated you are about malware and strategies being employed, the better your chances of making the right move to defend against attacks and guard what is rightfully yours – your data, hardware, and right to use the Internet without breach.

Cybercriminals exploit programming and legitimate practices, and study human behavior (aka social engineering) to learn ways to target and deceive victims (technology users). The best defense is collaboration of Internet security community, software and hardware developers, and you, the end-user. If we work together, we can minimize the threat potential, and at a minimum, mitigate the impact. Studies show that most malicious attacks occur at the hands of victims who simply click too fast on booby-trapped links before verifying the communication's source.

A website owner may not realize his or her site is compromised and housing a Trojan downloader, meaning you, the visitor, will too be left in the dark. Therefore, the only way to guard against drive-by downloads on compromised websites is by keeping your system guarded with a stealth anti-malware solution that scans and blocks malicious downloads. In this day in age of evolving technology being matched with malicious intent, you simply cannot afford not to join the fight against cybercrime, well, not unless you are ready to give up what have become staples in our lives: cell phone, computers, Internet, digital notebook, etc. Face it, cybercrime is a reality and we all need to better guard and protect our intellectual properties.