Troj/Plugx-G


By Domesticus in Trojans

Threat Scorecard

Threat Level: 50% (Medium)
Infected Computers: 3
First Seen: February 28, 2013
Last Seen: May 11, 2020
OS(es) Affected: Windows

Troj/Plugx-G is a dangerous backdoor Trojan that has been involved in high-profile attacks and uses advanced techniques to trick security software in order to protect itself from detection and removal. For all intents and purposes, the Troj/Plugx-G Trojan has little to set it apart from typical backdoor Trojan attacks. However, Troj/Plugx-G uses social engineering tactics that target pro-Tibet activists, and some self-defense tactics that have captured the attention of security analysts. This version of Troj/Plugx-G uses several protective layers in order to trick anti-malware software. One of these protective layers makes security software believe that Troj/Plugx-G is a signed, legitimate Nvidia application.

How a Malicious Document Installs the Troj/Plugx-G Backdoor on a Victim’s Computer

The Troj/Plugx-G infection process is anything but straightforward, and this complicated process has caught the attention of PC security researchers. According to malware analysts, Troj/Plugx-G takes advantage of a known security vulnerability, executes malicious code in two stages and abuses a legitimate application in order to attack a computer user. The initial attack begins with a malicious RTF document that exploits a widely used vulnerability known as CVE-2012-0158. This malicious RTF document contains an embedded OLE document which takes advantage of the well-known ListView vulnerability. The basic steps in this kind of attack are the following:

  1. A malicious RTF document uses the vulnerability mentioned above to execute malicious code.
  2. This malicious code runs a malicious executable file that is extracted from the malicious document itself.
  3. This executable installs a backdoor on the victim's computer, which can then be used to deliver other malware and spy on the infected computer.
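As an added illustration (not part of this threat entry), the following Python triage helper lists the OLE1 objects embedded in an RTF file's \objdata groups, which is the structure step 1 relies on, so an analyst can read the embedded class name and hash the native payload without opening the document in Office. It assumes the ProgID prefix of the MSCOMCTL ListView control as a detection heuristic, and builds its own constructed sample RTF with dummy native data.

```python
import hashlib
import re
import struct

# Assumption: ProgID prefix of the MSCOMCTL ListView control that CVE-2012-0158 targets.
LISTVIEW_HINT = b"mscomctllib.listview"
# Hex dump inside a \objdata group; whitespace may split it across lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def _lp_string(blob, off):
    """Read a LengthPrefixedAnsiString (4-byte length, then bytes incl. NUL)."""
    (n,) = struct.unpack_from("<I", blob, off)
    return blob[off + 4:off + 4 + n].rstrip(b"\0"), off + 4 + n


def parse_ole1(blob):
    """Parse an OLE1 embedded-object header: version, format id, class name, native data."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    class_name, off = _lp_string(blob, 8)
    _topic, off = _lp_string(blob, off)  # TopicName and ItemName: unused when embedded
    _item, off = _lp_string(blob, off)
    (native_len,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + native_len]
    return {"version": version, "format": fmt,
            "class_name": class_name.decode("latin-1"), "native": native}


def extract_objects(rtf):
    """One record per embedded object; flags class names pointing at the ListView control."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"\s+", b"", m.group(1))
        try:
            rec = parse_ole1(bytes.fromhex(hexrun.decode("ascii")))
        except (ValueError, struct.error):
            continue  # truncated or malformed object: skip rather than crash
        rec["native_md5"] = hashlib.md5(rec["native"]).hexdigest()
        rec["listview"] = LISTVIEW_HINT in rec["class_name"].lower().encode()
        found.append(rec)
    return found


def build_sample_rtf(class_name, native):
    """Constructed test input: a minimal RTF carrying one OLE1 object with dummy data."""
    lp = lambda s: struct.pack("<I", len(s) + 1) + s + b"\0"
    blob = (struct.pack("<II", 0x501, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass " + class_name
            + b"}{\\*\\objdata " + blob.hex().encode() + b"}}}")
```

The `native_md5` of a flagged object can be compared against the hashes in the File System Details table below when an analyst receives the dropped files separately.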

The Twists Involved in the Installation of Troj/Plugx-G

One interesting aspect of the Troj/Plugx-G attack is that Troj/Plugx-G uses two stages of malicious code, making it more difficult for PC security researchers to study and for anti-malware programs to detect. Opening the malicious RTF file in Microsoft Office triggers the malicious code. However, this malicious code does not install Troj/Plugx-G itself. Rather, it hands control to a second stage of executable code that is hidden deep inside the malicious RTF file. PC security researchers studying the Troj/Plugx-G attack pattern have stumbled upon clever obfuscation techniques deliberately placed in this document to make it more difficult for computer security analysts to understand what is going on. This involves a clever decoy ZIP file and various layers of encryption. Despite this attack's sophistication, the Troj/Plugx-G infection can still be avoided by simply refusing to open unsolicited email attachments and following basic online safety guidelines.


File System Details

Troj/Plugx-G may create the following file(s):
#   File Name                                  MD5                               Detections
3.  %ALLUSERPROFILES%\SxS\NvSmartMax.dll.url
4.  hccutils.dll                               2910076a244e57de342b1f080c8e50a9  0
5.  404adf544ab649fb006c89ab2559f434           404adf544ab649fb006c89ab2559f434  0
6.  NvSmartMax.dll                             d659d95d46f71f172cd4f2aca9532949  0
7.  3f14943619aa18785f42549e80ae73e4           3f14943619aa18785f42549e80ae73e4  0
