March 15, 2018 – Kaspersky Lab’s researchers have discovered evidence of Chinese APT teams using the PlugX malware in attacks against the healthcare sector. The infamous PlugX malware has been detected in pharmaceutical organizations in Vietnam, aimed at stealing precious drug formulas and business information.
What Is PlugX?
The PlugX malware is a well-known remote access tool (RAT). It is usually spread via spear phishing and has previously been detected in targeted attacks against the military, government and political organizations.
The PlugX RAT allows attackers to perform various malicious operations on a system without the user’s permission or authorization, including – but not limited to – copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity.
PlugX, as with other RATs, is used by cyber criminals to discreetly steal and collect sensitive or profitable information for malicious purposes.
PlugX In Attacks On Big Pharma
The PlugX RAT has been used by a number of Chinese-speaking cyber threat actors, including Deep Panda, NetTraveler or Winnti.
In 2013, it was discovered that Winnti – responsible for attacking companies in the online gaming industry – had been using PlugX since May 2012.[adrotate group=”2″]
Interestingly, Winnti has also been present in attacks against pharmaceutical companies, where the aim has been to steal digital certificates from medical equipment and software manufacturers.
RAT usage in attacks against pharmaceutical organizations indicates that sophisticated APT actors are showing an increased interest in capitalizing on the healthcare sector.
Other key findings for 2017 in the research include:
- More than 60% of medical organizations had malware on their servers or computers;
- Philippines, Venezuela and Thailand topped the list of countries with attacked devices in medical organizations.
Stay Protected Against PlugX
In order to stay protected, Kaspersky Lab experts advise businesses to take the following measures:
- Remove all nodes that process medical data from public and secure public web portals;
- Automatically update installed software using patch management systems on all nodes, including servers.
- Perform network segmentation: refrain from connecting expensive equipment to the main LAN of your organization
- Use a proven corporate grade security solution in combination with anti-targeted attack technologies and threat intelligence, such as Kaspersky Threat Management and Defense solution. These are capable of spotting and catching advanced targeted attacks by analyzing network anomalies and giving cybersecurity teams full visibility over the network and response automation