A Malwarebytes analysis of the cyberespionage toolkit that recently infected Vietnam Airlines revealed a modular variant of the Korplug remote access trojan (RAT) that in this case disguises itself as a McAfee antivirus program.
Korplug, aka PlugX, is associated with Chinese APT groups, and has previously been used in campaigns to gather intelligence from Russian and Eastern European targets.
When Malwarebytes examined the Korplug payload sample's executable, it actually found legitimate McAfee software with a signed product certificate. However, the software distributors were able to compromise an unsigned DLL (Dynamic Link Library) that was bundled with the McAfee software, "and this is the point that attackers used in order to hijack the execution," Malwarebytes explained in its blog post.
To avoid detection, the spyware obfuscates its malicious coding and hides it underneath multiple layers of loaders and files. Moreover, the developers "tangled" elements within the software's various modules so that it would be very difficult to identity malicious behavior by analyzing any one individual component.
The McAfee app used dates back to 2008, Malwarebytes noted; current versions are not susceptible to the type of DLL hijacking attack seen here.