Executive Summary
JTB Corp. (JTB), a well-known travel agency in Japan announced on June 14, 2016 that it had experienced a massive data leak upon an attack targeting its servers. Initial reports indicate that 7.93 million people using JTB to book trips may have had their personal booking data exposed. The leaked data contained sensitive personal information to include customers’ names, addresses, and email accounts. Additionally, the local media outlet Japan Times, stated that passport information was also leaked in the attack disclosing more than 4,300 valid passport numbers.
The official announcement revealed that the source of the attack was a targeted email phishing campaign which consisted of an JTB employee opening an email attachment that included a particularly stealthy trojan known as PlugX that was then executed and spread throughout the network to infiltrate the company’s database system.
This attack vector was a standard phishing campaign were the attacker sends an email to the target with an attachment that includes a trojan or strain of malware from a particular malware family. The victim is then tricked into opening the attachment and thus executes and deploys the trojan infecting the host computer and potentially the entire network infrastructure. The following diagram identifies the standard campaign process:
What Is PlugX?
PlugX is a multi-function remote access trojan (RAT) that can trace back to at least 2012 and is often bundled with many legitimate applications. Moreover, PlugX can permit for the following nefarious functions: keystroke logging, screen capture, web operation, port listening, disk information acquisition, and database information theft.
PlugX Deployment Analysis
The sample can be started as a service named Quest Software Service or as an automatic startup item after being configured in the registry. In the sample, the HTTP, TCP, UDP, and ICMP protocols are used for data transmission. The HTTP and UDP protocols are first used for sending data to the specified IP address. When the connection fails, the UDP protocol is used instead. The sent data includes cipher-text information and plain-text information.
Additionally, the PlugX permits for acquiring information such as computer name, user name, CPU information, user token, memory information, operating system, and system time. Such information is compressed and sent in encrypted manner. After the connection is successfully established, the data is received in compressed format (decrypted by using a decompression function), and then returned as commands to implement functions (information returned by the commands varies with directives). The analysis is as follows.
Started as a service:
Configured as an automatic startup item:
Use of different communication protocols:
Configuring a keyboard hook:
Network IP address and domain information:
Creating a service:
Checking whether administrative privileges are available:
Obtaining the keyboard type:
Detection result by NSFOCUS TAC (Threat Analysis Center):
NSFOCUS Solution for Removing Trojans
- Short-term service: NSFOCUS engineers provide the onsite trojan backdoor removal service (manual services, NIPS, and TAC). This service can immediately eliminate the risk points within the network, control the impact, and provide an analysis report.
- Mid-term service: NSFOCUS provides risk monitoring and preventive maintenance inspection (PMI) services for 3–6 months (NIPS, TAC, and manual services). This service can eradicate risks and ensure that the event does not recur.
- Long-term service: NSFOCUS provides risk solutions for the fund industry (threat intelligence, attack tracing, and professional security services).