Security firm AlienVault thinks it has identified a key Chinese programmer with connections to the Chinese Government who could be behind a long-running malware assault on pro-Tibet campaigners, including with the recent PlugX RAT Trojan.
It’s extremely rare that security companies are able to put a name and a face to specific pieces of malware so the connection it stumbled upon when researching PlugX could attract some attention.
While researching PlugX’s binaries, the company started noticing similarities in some of the software’s debug paths.
Searching for similar debug paths in the User folder, the firm noticed the same ‘whg’ subfolder in a program called SockMon distributed from a named domain connected to a company, [name deleted].com Technology Ltd that had published security vulnerabilities in the past.
The domain contact info turned out to be for a Chengdu-located security company. ‘Whg’ turned out to work for the company with references to which described him as “Virus expert. Profcient in assembly.”
“At this point you can be thinking we cannot accuse whg of being related to the Xplug RAT and the targeted campaigns just for a couple of debug paths inside the binary, can we?,” AlienVault said.
“With the information we have, we can say that this guy is behind the active development of the Xplug RAT and he probably has some inside on the operations since this path.”
AlienVault also found web references, including referenced Wikipedia entries mentioning a ‘WHG’, as being connected to a string of important Chinese hacker attacks stretching back some years, including the infamous Titan Rain from 2007. A source named the sponsor of the WHG’s company as being the PLA.
The connection of WHG’s company to the PLA is built on circumstantial evidence but the coincidences are still unsettling. We should make clear that the connection is unproven and remains an allegation.
The PlugX RAT, meanwhile, has been used in attacks in Asia but also against pro-Tibet campaigners, exploiting Java vulnerabilities and digital certificates that let it masquerade as legitimate driver files.
Trend Micro reckons that PlugX is part of a longer-running campaign that has been around since early 2008 and probably takes in remote access Trojans including this year’s Poison Ivy.
The modus operandi is also very similar to the Gh0st RAT attacks. All of these campaigns have a theme of attacking pro-Tibet campaigners and are widely assumed to be connected to the Chinese Government in some way.