
Spyware that infected Vietnam Airlines posed as McAfee antivirus

A Malwarebytes analysis of the cyberespionage toolkit that recently infected Vietnam Airlines revealed a modular variant of the Korplug remote access trojan (RAT) that in this case disguises itself as a McAfee antivirus program.

Korplug, aka PlugX, is associated with Chinese APT groups, and has previously been used in campaigns to gather intelligence from Russian and Eastern European targets.

When Malwarebytes examined the Korplug payload sample's executable, it found a legitimate McAfee program carrying a valid digital signature. The attackers did not tamper with that signed binary; instead they substituted their own code for an unsigned DLL (Dynamic Link Library) that ships alongside the McAfee software and is loaded by it at startup, "and this is the point that attackers used in order to hijack the execution," Malwarebytes explained in its blog post. Because the trusted, signed executable is the one that loads the malicious library, the technique (commonly called DLL side-loading) lets the malware run under the reputation of the vendor's binary.

To avoid detection, the spyware obfuscates its malicious code and hides it underneath multiple layers of loaders and files. Moreover, the developers "tangled" elements across the software's various modules so that it is very difficult to identify malicious behavior by analyzing any one component in isolation.

The McAfee app used dates back to 2008, Malwarebytes noted; current versions are not susceptible to the type of DLL hijacking attack seen here.
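The hijack described above, where a signed host executable pulls in an unsigned DLL from its own directory, is something a responder can hunt for on a suspect machine: parse the host's import table, see which imported DLL names resolve to a file sitting beside the EXE (the first stop in the Windows DLL search order), and flag any of those that carries no embedded Authenticode blob. The following is an added example, not code from the article or from Malwarebytes. It uses only the Python standard library, so it includes a small constructed PE32+ builder (`build_sample_pe`) to produce sample input offline; the file names `vendor_tool.exe`, `Helper.dll` and the import of `KERNEL32.dll` are made up for the demonstration and are not the names from the incident.

```python
"""Hunt for the side-loading pattern: signed EXE + unsigned DLL in the same directory.
Added example, not Malwarebytes' or McAfee's code; sample files are constructed below."""
import os
import struct
import tempfile

IMPORT_DIR, SECURITY_DIR = 1, 4          # PE data directory indices
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode WIN_CERTIFICATE type


def _pe_layout(data):
    """Return (offset of data directories, [(va, size, raw_ptr), ...]); ValueError if not PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    dd_off = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])
    if dd_off is None:
        raise ValueError("unknown optional header magic")  # neither PE32 nor PE32+
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return opt + dd_off, sections


def _rva_to_offset(rva, sections):
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x maps to no section" % rva)


def imported_dlls(data):
    """Walk the import descriptor table (20-byte entries, zero-terminated) and list DLL names."""
    dd, sections = _pe_layout(data)
    imp_rva = struct.unpack_from("<I", data, dd + 8 * IMPORT_DIR)[0]
    names = []
    off = _rva_to_offset(imp_rva, sections) if imp_rva else None
    while off is not None:
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if not (ilt or name_rva or iat):
            break
        noff = _rva_to_offset(name_rva, sections)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii"))
        off += 20
    return names


def has_embedded_signature(data):
    """True if the Security directory points at an Authenticode WIN_CERTIFICATE blob.
    Presence only: validating the signature needs WinVerifyTrust (signtool verify /
    Get-AuthenticodeSignature), which this offline check does not do."""
    dd, _ = _pe_layout(data)
    sec_off, sec_size = struct.unpack_from("<II", data, dd + 8 * SECURITY_DIR)
    if sec_off == 0 or sec_size < 8:
        return False
    length, _rev, ctype = struct.unpack_from("<IHH", data, sec_off)
    return ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= sec_size


def sideload_candidates(exe_path):
    """Imports that resolve to a file beside the EXE and have no embedded signature.
    Only DLLs found in the application directory are judged: system DLLs are usually
    catalog-signed (no embedded blob) and are not reached first in the search order anyway.
    Matching is case-insensitive, as Windows filenames are."""
    app_dir = os.path.dirname(exe_path)
    with open(exe_path, "rb") as f:
        exe = f.read()
    local = {n.lower(): n for n in os.listdir(app_dir)}
    flagged = []
    for dll in imported_dlls(exe):
        fname = local.get(dll.lower())
        if fname is None:
            continue
        with open(os.path.join(app_dir, fname), "rb") as f:
            try:
                signed = has_embedded_signature(f.read())
            except ValueError:
                signed = False  # not even a valid PE next to a signed host: suspicious
        if not signed:
            flagged.append(fname)
    return {"host_signed": has_embedded_signature(exe), "unsigned_sideloads": sorted(flagged)}


def build_sample_pe(imports, signed):
    """Constructed PE32+ image for the demo: one .idata section with an import table, no
    code; `signed` appends a placeholder WIN_CERTIFICATE blob (not a real signature)."""
    desc, names = b"", b""
    name_base = 0x1000 + 20 * (len(imports) + 1)
    for dll in imports:
        desc += struct.pack("<IIIII", 0, 0, 0, name_base + len(names), 0)
        names += dll.encode("ascii") + b"\0"
    section = desc + b"\0" * 20 + names
    section += b"\0" * (-len(section) % 512)
    dirs = [(0, 0)] * 16
    dirs[IMPORT_DIR] = (0x1000, len(desc) + 20)
    sig = b""
    if signed:
        cert = b"demo-pkcs7-placeholder"
        sig = struct.pack("<IHH", 8 + len(cert), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
        dirs[SECURITY_DIR] = (512 + len(section), len(sig))  # file offset, not an RVA
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000, len(section), 512, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return hdr + b"\0" * (512 - len(hdr)) + section + sig


def demo():
    """Constructed app directory: a signed host importing KERNEL32.dll and helper.dll,
    with an unsigned Helper.dll dropped beside it (all names invented for the demo)."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "vendor_tool.exe")
        with open(exe, "wb") as f:
            f.write(build_sample_pe(["KERNEL32.dll", "helper.dll"], signed=True))
        with open(os.path.join(d, "Helper.dll"), "wb") as f:
            f.write(build_sample_pe([], signed=False))
        return sideload_candidates(exe)


if __name__ == "__main__":
    print(demo())
```

On a real host, point `sideload_candidates` at the suspect executable's path instead of the constructed directory. A hit means only that an unsigned library is first in line to be loaded by a signed binary; confirm it by verifying both files' signatures with `Get-AuthenticodeSignature` (or `signtool verify /pa`) and by examining the DLL, remembering that, as described above, the malicious logic in this sample was spread across further loaders and files rather than sitting plainly in the side-loaded library.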

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
