Recently we got access to several elements of an espionage toolkit captured while attacking Vietnamese institutions. During that operation,
the malware was used to dox 400,000 members of Vietnam Airlines.
The payload, distributed disguised as antivirus software, is a variant of the Korplug RAT (aka PlugX), spyware previously associated with Chinese APT groups and known from
targeted attacks on important institutions in various countries.
In this article we will describe the process of extracting the final payload from its cover.
Analyzed samples
Set #1:
Execution flow:
McAfee.exe -> McUtil.dll -> McUtil.dll.mc -> payload (DLL)
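The chain above is the usual DLL side-loading layout: a host EXE loads a DLL by name, and that DLL reads a companion file (here McUtil.dll.mc) that is not a PE on its own and carries the actual payload. As an added example, not code from the original article, the Python script below walks a directory and flags that layout by shape alone: an EXE, a PE DLL, and a non-PE file named after the DLL whose contents look encrypted (high byte entropy). The directory it builds, the file names and the bytes are constructed for the demonstration; the script decodes nothing, it only triages.

```python
"""Triage helper for the EXE -> DLL -> non-PE blob drop pattern.

Added example (not from the original article). It checks only file names
and headers and never decrypts the blob. build_sample_drop() writes a
constructed, harmless stand-in for the three files to a temp directory.
"""
import math
import os
import random
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random/encrypted data, low for text or zero padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' DOS stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_sideload_triads(directory: str, entropy_threshold: float = 7.0) -> list:
    """Return one record per (DLL, same-named non-PE blob) pair found in directory.

    Each record lists every EXE in the directory as a candidate side-loading
    host, because the host can only be confirmed by looking at its imports.
    """
    files = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                files[name] = fh.read()

    exes = sorted(n for n, d in files.items() if n.lower().endswith(".exe") and is_pe(d))
    dlls = [n for n, d in files.items() if n.lower().endswith(".dll") and is_pe(d)]

    hits = []
    for dll in dlls:
        for name, data in files.items():
            # "McUtil.dll.mc" starts with "McUtil.dll." and is not itself a PE
            if name.lower().startswith(dll.lower() + ".") and not is_pe(data):
                ent = shannon_entropy(data)
                if ent >= entropy_threshold:
                    hits.append({
                        "host_exe_candidates": exes,
                        "dll": dll,
                        "blob": name,
                        "entropy": round(ent, 2),
                    })
    return hits


def _fake_pe(size: int = 256) -> bytes:
    """Minimal bytes that pass is_pe(): MZ stub, e_lfanew=0x40, PE signature."""
    hdr = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0"
    return hdr + b"\0" * (size - len(hdr))


def build_sample_drop() -> str:
    """Write a constructed stand-in for the three-file drop plus a benign decoy."""
    d = tempfile.mkdtemp(prefix="triad_")
    rng = random.Random(1)  # deterministic high-entropy filler, not real payload bytes
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    samples = {
        "McAfee.exe": _fake_pe(),
        "McUtil.dll": _fake_pe(),
        "McUtil.dll.mc": blob,
        "readme.txt": b"benign low-entropy text file\n" * 50,
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    drop = build_sample_drop()
    for hit in find_sideload_triads(drop):
        print(hit)
```

On a real drop folder the entropy threshold is the knob to tune: a plain-text or zero-padded companion file will score far below 7.0 and is not flagged, while an encrypted or compressed blob lands near 8.0. Confirming which EXE actually side-loads the DLL still requires checking its import table.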