A Closer Look at PlugX from League of Legends / Path of Exile

If you didn't catch the headlines, last week it was reported at HITCON (Hacks in Taiwan Conference) that official releases of the games "League of Legends" and "Path of Exile" in Asia came with an added surprise - PlugX malware. Since this is malware often associated with advanced persistent threat attacks rather than random online crime, I thought it might be interesting to track down a sample, run it, and get a few more details on what it does and who might be behind it.

Starting from the article linked above, I had the following pieces of information:

SHA1 Hashes & Filenames:

bd33a49347ef6b175fb9bdbf2b295763e79016d6 (NtUserEx.dll)
f3eabaf2d7c21994cd2d79ad8a6c0acf610bbf78 (NtUserEx.dat)
a41e31d6516dd188f2df3084e4e422129c6f20c7 (LoLTWLauncher.exe)
bb77a6d41da5f8e0f10ef29818c59349b078c3c8 (POETWLauncher.exe)

We also learn that:

The infection chain is triggered by downloading the legitimate installer or updates for the game itself. The compromised game launcher will then drop three files:

  • A legitimate game launcher
  • A “cleaner” that overwrites the compromised launcher with the legitimate one
  • A dropper that installs PlugX binaries

The cleaner file could be seen as one way of covering up any traces of malicious activity. In the end, the victim will only see two malicious files, NtUserEx.dll and NtUserEx.dat (both detected as BKDR_PLUGX.ZTBL-EC).

The 3 Legs of PlugX

Having only 2 odd malicious files left tells me that the setup is probably the typical one. PlugX, as I normally see it, comes in 3 pieces: a "legitimate" binary exe file (probably the game launcher), a dll file that the binary loads due to DLL search order hijacking, and a 3rd, encoded config file loaded by the dll. (For an in-depth explanation of this and how to decrypt the setup of some versions of PlugX, see this ContextIS paper.) The 3-file setup can also be seen in most publicly submitted samples of PlugX on sites like malwr.com. Here is an example from a different PlugX submission; note the file accesses at the bottom.

C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\hkcmd.exe //"legitimate" binary
C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\hccutils.dll //main PlugX dll
C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\hccutils.dll.hcc //config file

Since this incident fits this form, we can assume that NtUserEx.dll is the typical dll part of PlugX and NtUserEx.dat is the config file, while the game executables LoLTWLauncher.exe and POETWLauncher.exe are the normal binaries that initially drop and call the dll.
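
To make the three-file layout concrete, here is a small triage script (an example added for this write-up, not code from the original analysis or from any vendor) that takes the contents of one directory and pairs up a launcher EXE, a DLL beside it, and a non-PE file whose name starts with the DLL's name, which is the pattern both hccutils.dll/hccutils.dll.hcc and NtUserEx.dll/NtUserEx.dat follow. The pairing rule, the 7.0 bits-per-byte entropy threshold used to call a config "encoded", and the sample directory contents are all assumptions of the example; the PE stubs are not real executables.

```python
"""Triage a dropped-file set for the three-part PlugX layout (exe + sideloaded dll + config).

Added example, not from the original post. The pairing rule generalises the two
file sets seen on the page (hccutils.dll + hccutils.dll.hcc, NtUserEx.dll +
NtUserEx.dat): a DLL plus a non-PE file whose name begins with the DLL's stem,
next to a PE that is not a DLL. The entropy threshold is an assumption.
"""
import math
import os
from collections import Counter
from typing import Dict, List

ENCODED_ENTROPY_MIN = 7.0   # assumption: encoded/encrypted blobs sit close to 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """Cheap PE check on the DOS 'MZ' magic (enough for triage, not for parsing)."""
    return data[:2] == b"MZ"


def _stem(name: str) -> str:
    return os.path.splitext(name)[0].lower()        # "hccutils.dll" -> "hccutils"


def find_sideload_triads(files: Dict[str, bytes]) -> List[Dict]:
    """files maps filename -> contents for one directory. Returns candidate triads."""
    exes = [n for n, d in files.items() if is_pe(d) and not n.lower().endswith(".dll")]
    dlls = [n for n, d in files.items() if is_pe(d) and n.lower().endswith(".dll")]
    others = [n for n, d in files.items() if not is_pe(d)]
    triads = []
    for dll in dlls:
        stem = _stem(dll)
        for cfg in others:
            if not cfg.lower().startswith(stem):   # NtUserEx.dat, hccutils.dll.hcc
                continue
            ent = shannon_entropy(files[cfg])
            for exe in exes:                        # every non-DLL PE is a candidate loader
                triads.append({
                    "exe": exe, "dll": dll, "config": cfg,
                    "config_entropy": round(ent, 3),
                    "config_looks_encoded": ent >= ENCODED_ENTROPY_MIN,
                })
    return triads


# Constructed sample directory, modelled on the RarSFX0 listing; stubs are not real PEs.
_PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLE_RARSFX0 = {
    "hkcmd.exe": _PE_STUB,
    "hccutils.dll": _PE_STUB,
    "hccutils.dll.hcc": bytes(range(256)) * 16,     # stand-in for an encoded config (entropy 8.0)
    "readme.txt": b"Extracted by WinRAR SFX\r\n" * 8,
}

if __name__ == "__main__":
    for t in find_sideload_triads(SAMPLE_RARSFX0):
        print(f"{t['exe']} -> {t['dll']} -> {t['config']} "
              f"(entropy {t['config_entropy']}, encoded={t['config_looks_encoded']})")
```

On a real extraction directory you would feed it the actual bytes; the entropy figure is what separates an encoded PlugX config from a benign text or INI file that happens to share a DLL's name.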

Now to find a copy of the files. The easiest way would be to find the initial infected launcher that drops everything and recreate the infection. Searching VirusTotal and malwr.com for the LoLTWLauncher.exe hash fortunately brings it right up, and it's available for download! We can tell this is the correct one because the file access summary shows the NtUserEx.dll/.dat files.

The malwr.com analysis also shows some useful information to look out for when we run the program. One is that the callback domain seems to be gs4.playdr2.tw, which is located at either 27.255.83.46 or 202.65.214.220 depending on whether you read the VT or the malwr analysis. Another is that once launched, the execution chain on malwr shows rundll32.exe starting net.exe, which then calls net1 start 6to4. I recognize this from previous PlugX analysis: it means there is probably a startup key in the registry for a service called 6to4 when run on XP, or called FastUserSwitchingCompatibility when run on Windows 7 (malwr.com uses Win XP VMs). PlugX (barely) hides itself this way because Windows does actually use these names for services, but PlugX picks 6to4 for XP because that is a normal Win 7 service name, and FastUserSwitchingCompatibility for Win 7 because that is an XP service name; the malware authors probably just hope that if you get suspicious you will Google the name and move on. This is confirmed in the malwr.com analysis by the lines in the Registry Key section of the Quick Overview tab; I would expect the persistence values to be written here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters

Time to run the launcher in a VM and see what happens!

I used my Windows 7 Ultimate VM for running the launcher, and fortunately everything worked without any fuss. According to ProcMon the dll and dat file were written to C:\Windows\System32; however, mine had different SHA1 hashes.

c77c732cd7335bfa358321409b1cb9ed5d667e63  NtUserEx.dll (still identified as the same infection on VirusTotal)
1834107eace7e11263ee20806e40d7f33cc4606f  NtUserEx.dat (new)

The NtUserEx.dat upload had not been seen before by VirusTotal but was identified as malicious by 2 engines, AhnLab and Kaspersky, which labeled it as "Backdoor.Win64.Winnti.et". That gives us our first clue for attribution: WinNTI is an advanced persistent threat group known to attack the video game industry, more on that later. I also noted that the compile date on NtUserEx.dll was July 5th, 2014 at 9:46:17 UTC, well before the attack.

The startup value was put in the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters as ServiceDll = "C:\Windows\System32\NtUserEx.dll". The callbacks also started, not just to gs2.playdr2.tw but also to "gs3." and "gs4.", all attempting to connect over TCP on ports 53, 80, 443, and 1080 using plaintext HTTP.

Here's an example of one of the callbacks, which appears to be the same on all ports:

POST /update?id=01597c10 HTTP/1.1
Accept: */*
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gs4.playdr2.tw
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
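
Since the same request goes out on every port, a detection keyed to port 80 would miss three quarters of the beacons; matching on the request itself is the robust option. The following script is an added example for this post (not code from the original analysis) that parses raw HTTP requests and flags the beacon on its structural markers: a POST to /update?id=<8 hex chars>, the X-Session/X-Status/X-Size/X-Sn header set and an empty body, with the playdr2.tw hosts and IPs only corroborating. The sample requests are constructed: the first reproduces the capture above, the second is the same beacon to gs2, and the third is a made-up benign updater that happens to use the same path.

```python
"""Flag PlugX-style HTTP beacons like the one captured above.

Added example, not from the original post. Decides on structural markers
(POST /update?id=<8 hex>, the X-Session/X-Status/X-Size/X-Sn headers, empty
body); the known C2 hosts only corroborate so the rule survives a C2 move.
All sample requests below are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

C2_HOSTS = {
    "gs2.playdr2.tw", "gs3.playdr2.tw", "gs4.playdr2.tw",
    "27.255.83.46", "202.65.214.220", "192.126.118.198",
}
PLUGX_HEADERS = {"x-session", "x-status", "x-size", "x-sn"}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
UPDATE_PATH = re.compile(r"^/update\?id=[0-9a-f]{8}$")


def parse_request(raw: str) -> Optional[Dict]:
    """Request line + headers of one HTTP request; None if it is not HTTP."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break                                  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            return None                            # malformed header line
        headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "target": m["target"], "headers": headers}


def plugx_indicators(req: Dict) -> List[str]:
    """Which of the beacon's markers this request carries, in a fixed order."""
    hits, h = [], req["headers"]
    if req["method"] == "POST" and UPDATE_PATH.match(req["target"]):
        hits.append("post_update_id")
    if PLUGX_HEADERS <= set(h):
        hits.append("x_session_headers")
    if req["method"] == "POST" and h.get("content-length") == "0":
        hits.append("empty_post")
    if h.get("host", "").split(":")[0].lower() in C2_HOSTS:  # port-agnostic
        hits.append("known_c2_host")
    return hits


def is_plugx_beacon(raw: str) -> bool:
    """Path and header set together decide; host/IP lists are not required."""
    req = parse_request(raw)
    if req is None:
        return False
    hits = plugx_indicators(req)
    return "post_update_id" in hits and "x_session_headers" in hits


def scan_requests(raws: List[str]) -> List[Tuple[str, List[str]]]:
    """(host, indicators) for every request that looks like a beacon."""
    found = []
    for raw in raws:
        req = parse_request(raw)
        if req and is_plugx_beacon(raw):
            found.append((req["headers"].get("host", ""), plugx_indicators(req)))
    return found


# Constructed samples: the capture from the post, the same beacon to gs2, and a benign updater.
SAMPLE_BEACON = (
    "POST /update?id=01597c10 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "X-Session: 0\r\n"
    "X-Status: 0\r\n"
    "X-Size: 61456\r\n"
    "X-Sn: 1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; "
    ".NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\n"
    "Host: gs4.playdr2.tw\r\n"
    "Content-Length: 0\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
SAMPLE_BEACON_GS2 = SAMPLE_BEACON.replace("Host: gs4.playdr2.tw", "Host: gs2.playdr2.tw")
SAMPLE_BENIGN = (
    "POST /update?id=01597c10 HTTP/1.1\r\n"
    "Host: updates.example.net\r\n"
    "User-Agent: ExampleUpdater/2.1\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 19\r\n"
    "\r\n"
    '{"version":"2.1.0"}'
)

if __name__ == "__main__":
    for host, hits in scan_requests([SAMPLE_BEACON, SAMPLE_BENIGN, SAMPLE_BEACON_GS2]):
        print(f"PlugX beacon to {host}: {', '.join(hits)}")
```

The benign updater shares the /update?id= path but none of the X-* headers, so it is not flagged; the gs2 beacon is flagged even though its host is only in the corroborating list. If you port this to an IDS rule, match on the header set and path, not the port.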

So now we have the following indicators of compromise.

Network IOCs:

Traffic to:

gs2.playdr2.tw:(53,80,443,1080)
gs3.playdr2.tw:(53,80,443,1080)
gs4.playdr2.tw:(53,80,443,1080)
27.255.83.46 (IP resolved by VirusTotal)
202.65.214.220 (current IP of gs3.playdr2.tw and gs4.playdr2.tw)
192.126.118.198? (current IP of gs2.playdr2.tw)

Using plaintext HTTP on all ports with a POST request like:

POST /update?id=01597c10 HTTP/1.1
Accept: */*
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gs4.playdr2.tw
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Host IOCs:

The presence of files:

C:\Windows\System32\NtUserEx.dll with either SHA1
    c77c732cd7335bfa358321409b1cb9ed5d667e63 
    bd33a49347ef6b175fb9bdbf2b295763e79016d6
C:\Windows\System32\NtUserEx.dat with either SHA1
    1834107eace7e11263ee20806e40d7f33cc4606f
    f3eabaf2d7c21994cd2d79ad8a6c0acf610bbf78

Windows XP Registry:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Value: ServiceDll = NtUserEx.dll

Windows 7 Registry:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters
Value: ServiceDll = C:\Windows\System32\NtUserEx.dll
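
If you would rather check a box offline than run a live registry scan, you can export HKLM\SYSTEM with reg export and grep the result; the script below (an added example, not part of the original post) does that a little more carefully. It parses the .reg text, including the hex(2) line-continuation form regedit uses for REG_EXPAND_SZ values, visits every Services\<name>\Parameters key, and flags a ServiceDll that points at NtUserEx.dll or that hangs off the 6to4 or FastUserSwitchingCompatibility service names. The .reg sample is constructed for the example, with one legitimate entry (iphlpsvc) and the two PlugX entries from the IOC list.

```python
r"""Hunt the PlugX ServiceDll persistence in an offline registry export.

Added example, not from the original post. Input is regedit .reg export text
(what `reg export HKLM\SYSTEM out.reg` writes). Every Services\<name>\Parameters
key is checked; a ServiceDll is flagged when it is the NtUserEx.dll IOC or when
the service name is one of the two PlugX reuses. The sample export is constructed.
"""
import re
from typing import Dict, Iterator, List

KNOWN_BAD_DLLS = {"ntuserex.dll"}
SUSPECT_SERVICE_NAMES = {"6to4", "fastuserswitchingcompatibility"}   # always worth a manual look
SERVICE_PARAMS = re.compile(r"\\services\\([^\\]+)\\Parameters$", re.IGNORECASE)


def _logical_lines(text: str) -> Iterator[str]:
    """Join regedit's trailing-backslash continuation lines into one logical line."""
    buf = ""
    for line in text.splitlines():
        part = line.strip()
        if part.endswith("\\"):
            buf += part[:-1]
            continue
        yield buf + part
        buf = ""
    if buf:
        yield buf


def _decode_value(raw: str) -> str:
    if raw.startswith('"') and raw.endswith('"'):               # REG_SZ, backslashes escaped
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("hex(2):"):                        # REG_EXPAND_SZ as UTF-16LE octets
        octets = [o for o in raw[7:].split(",") if o.strip()]
        return bytes(int(o, 16) for o in octets).decode("utf-16-le").rstrip("\x00")
    return raw                                                   # dword:/hex: left as text


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """{key path: {value name: decoded value}} for a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, value = line.partition("=")
        if sep:
            keys[current][name.strip().strip('"')] = _decode_value(value.strip())
    return keys


def find_servicedll_persistence(reg_text: str) -> List[Dict]:
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        m = SERVICE_PARAMS.search(key)
        lowered = {k.lower(): v for k, v in values.items()}
        if not m or "servicedll" not in lowered:
            continue
        service, dll = m.group(1), lowered["servicedll"]
        dll_name = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if dll_name in KNOWN_BAD_DLLS:
            reasons.append("ServiceDll is the NtUserEx.dll IOC")
        if service.lower() in SUSPECT_SERVICE_NAMES:
            reasons.append("service name reused by PlugX for persistence")
        if reasons:
            findings.append({"service": service, "key": key, "dll": dll, "reasons": reasons})
    return findings


def _hex2(s: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ; used only to build the sample."""
    octets = [f"{b:02x}" for b in s.encode("utf-16-le") + b"\x00\x00"]
    chunks = [",".join(octets[i:i + 25]) for i in range(0, len(octets), 25)]
    return "hex(2):" + ",\\\n  ".join(chunks)


# Constructed .reg export: one legitimate svchost service, then the two PlugX entries.
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\iphlpsvc\\Parameters]\r\n"
    '"ServiceDll"=' + _hex2("%SystemRoot%\\System32\\iphlpsvc.dll") + "\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\FastUserSwitchingCompatibility]\r\n"
    '"Start"=dword:00000002\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\FastUserSwitchingCompatibility\\Parameters]\r\n"
    '"ServiceDll"="C:\\\\Windows\\\\System32\\\\NtUserEx.dll"\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\6to4\\Parameters]\r\n"
    '"ServiceDll"="C:\\\\WINDOWS\\\\system32\\\\NtUserEx.dll"\r\n'
)

if __name__ == "__main__":
    for f in find_servicedll_persistence(SAMPLE_REG_EXPORT):
        print(f"{f['service']}: {f['dll']}  <- {'; '.join(f['reasons'])}")
```

A ServiceDll under one of the two service names on the "wrong" OS version is the tell; on a real host also compare against a known-good export from the same build and check the DLL's hash against the list above, since a future sample can drop the same persistence under a different file name.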

If you're curious, here's the ProcDOT visual representation of everything that happens when you run the program.
[ProcDOT graph]

OSINT

We've already seen a possible identification of the WinNTI group by Kaspersky's engine, but that's just an automated analysis. Can we connect the IOCs to this group in any other way?

gs2.playdr2.tw - VirusTotal Records

2014-11-12 192.126.118.198

gs3.playdr2.tw - VirusTotal Records

2014-12-04 202.65.214.220
2014-11-12 27.255.83.46

gs4.playdr2.tw - VirusTotal Records

2014-11-21 202.65.214.220
2014-11-17 192.126.118.180
2014-11-12 27.255.83.46

Based on this, we can fairly safely conclude that these are the 3 IP addresses we need to focus on. (192.126.118.180 appears only once, in a single gs4 record, and is not examined further here.) How about domain registration info?

playdr2.tw Domain

  • VirusTotal DNS - 2014-11-14 27.255.83.46

WHOIS

Domain Name: playdr2.tw
Registrant:
Google Inc.
DNS Admin  SexnDomain@gmail.com
+65.6506234000
+1.6506188571
1600 Amphitheatre Parkway Mountain View CA 94043 US 
Kuala Lumpur, Kuala Lumpur
SG

Administrative Contact:
DNS Admin  SexnDomain@gmail.com
+65.6506234000
+1.6506188571

Technical Contact:
DNS Admin  SexnDomain@gmail.com
+65.6506234000
+1.6506188571

Domain servers in listed order:
ns37.domaincontrol.com      
ns38.domaincontrol.com      

Registration Service Provider: GoDaddy

[Provided by NeuStar Registry Gateway Services]

Since the admin email address looked like the most unique piece here, I Googled it and found this article by Dell SecureWorks, which says SexnDomain@gmail.com was used to register a domain (7zbiz.org) used by WinNTI, whom they refer to as "TG-2633". In addition, the article is about another attack on the video game industry in July 2014 by a group they call "Threat Group-3279", which they identify as the "China Cracking Group" and say has "probable" links to TG-2633 (WinNTI). This lines up exactly with the video game delivery vector seen in this attack. The Dell article goes on to describe TG-3279's motivation for the July 2014 attack:

"CTU researchers believe with medium confidence that TG-3279 focuses on the collection of video game source code to crack those games for free use, to develop tools to cheat at the games, or to use the source code for competing products".

In addition, I found another article on WinNTI showing them using Google's address in WHOIS data, as was done above. Considering we've also seen WinNTI use PlugX in the past, I think we may have a match here, but let's continue on...

27.255.83.46

  • South Korean IP - No other known DNS records on Robtex/Malwr/V.T./URL Query

202.65.214.220

  • Chinese IP (Hong Kong)
  • Reverse DNS Hits from V.T.
    • 2015-01-24 - An "A" record for www.bianhaoshenqi.com (V.T.)
      • No useful additional info from this domain
    • 2015-01-20 - PTR record for static-ip-220-214-65-202.rev.dyxnet.com (V.T.)

192.126.118.198

  • USA IP (LA, California)
  • Sun Dec 14 23:49:41 2014 - An "A" record for gasoft.us (Robtex)
  • 2014-02-14 - An "A" record for [ppp41.net] (V.T.)
    • No useful additional info from this domain

So now we have 3 associations with WinNTI:

  • Shared Infrastructure - IP shared with previous attack domain gasoft.us
  • Common Information in WHOIS - Malicious domain registered with email SexnDomain@gmail.com and using bogus Google address
  • Kaspersky's automated identification

Based on this I am fairly confident in saying we can probably attribute the PlugX League of Legends attack to WinNTI and possibly Dell's TG-3279. It's far from a guarantee, but given the same TTPs, overlapping infrastructure, common domain registration info and the same industry targeting, it seems like the obvious answer. Unfortunately I can't easily speculate as to why WinNTI would want to target video game players; perhaps they were hoping to catch some particular employees or individuals. Or, perhaps as the securelist article suggested, their motivation could be profiting from "The unfair accumulation of in-game currency/"gold" in online games and the conversion of virtual funds into real money." Either or both could be possible; unfortunately, with groups like this, unless we see it happen in the future we will likely never know.