POISONPLUG

Malware

⚠️ Overview

PoisonPlug is a remote access trojan (RAT) first documented in public reports by Trend Micro in 2020, linked to the Chinese state-sponsored threat group APT41 (also tracked as Winnti or Barium). It is a modular backdoor used primarily for espionage, data exfiltration, and maintaining persistent access to compromised networks.

🔧 Technical Capabilities

PoisonPlug propagates via spear-phishing emails containing malicious Office documents or archive attachments that drop a DLL loader. The malware establishes command-and-control (C2) communication over HTTP or HTTPS, using encrypted payloads and domain-generation algorithms (DGAs) to evade blocking. Its persistence mechanisms include Windows service registration or scheduled tasks, and it employs process injection into legitimate processes like svchost.exe or explorer.exe to evade detection. The backdoor supports file upload/download, remote shell execution, keylogging, and screen capture, with anti-debugging and sandbox evasion checks (e.g., checking for virtual machine artifacts). It can also download and execute additional plugins, making it modular.

📜 History & Notable Incidents

PoisonPlug was first observed in 2019 targeting government and technology sectors in Southeast Asia and the United States. A major campaign in 2021 involved exploiting the ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-27065) in Microsoft Exchange servers to deploy PoisonPlug alongside other malware like Cobalt Strike and Bumblebee. Law enforcement actions have included sanctions by the U.S. Treasury Department against APT41 affiliates, but no direct takedown of the malware infrastructure has been publicly confirmed.

🔍 Detection Indicators

Known file hashes for PoisonPlug droppers include SHA256: 3a6c8e9f1b2d... (specific hashes are available in Trend Micro and MITRE ATT&CK reports). Behavioral indicators include anomalous outbound HTTPS traffic to domains mimicking legitimate services (e.g., *.cdn-ssl.com), creation of scheduled tasks named “GoogleUpdateTaskMachine” or “AdobeFlashUpdate”, and registry modifications under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for persistence. User-Agent strings often match custom patterns like “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36” but with anomalous header fields.
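An added example (not code from the profile's sources or from Boteraser) that hunts for the behavioural indicators above in constructed endpoint and proxy records; the service ImagePath heuristic and the browser header baseline are assumptions, and T1053.005 and T1543.003 are standard ATT&CK IDs not listed on this page.

```python
import fnmatch

# Indicators quoted from the Detection Indicators section above.
SUSPICIOUS_TASK_NAMES = {"GoogleUpdateTaskMachine", "AdobeFlashUpdate"}
C2_DOMAIN_GLOBS = ["*.cdn-ssl.com"]
SERVICES_KEY = "hkey_local_machine\\system\\currentcontrolset\\services\\"
STOCK_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
# Headers a stock browser sends; anything beyond these next to the stock UA counts as
# an "anomalous header field" (assumed baseline, tune against your own proxy logs).
BASELINE_HEADERS = {"host", "user-agent", "accept", "accept-encoding", "accept-language",
                    "connection", "content-type", "content-length", "cookie", "referer"}

def evaluate(event):
    """Return (reason, ATT&CK technique id) when an event matches an indicator, else None."""
    kind = event["type"]
    if kind == "task_create" and event["name"] in SUSPICIOUS_TASK_NAMES:
        return f"scheduled task {event['name']!r} uses a known PoisonPlug name", "T1053.005"
    if kind == "reg_set":
        key = event["key"].lower()
        # Assumed heuristic: an ImagePath under Services written by anything but the SCM.
        if key.startswith(SERVICES_KEY) and key.endswith("\\imagepath") \
                and event["process"].lower() != "services.exe":
            return f"service ImagePath written by {event['process']}", "T1543.003"
    if kind == "http":
        headers = {k.lower(): v for k, v in event["headers"].items()}
        host = event["host"].lower()
        if any(fnmatch.fnmatchcase(host, g) for g in C2_DOMAIN_GLOBS):
            return f"HTTPS to CDN look-alike domain {host}", "T1071.001"
        extra = set(headers) - BASELINE_HEADERS
        if headers.get("user-agent") == STOCK_UA and extra:
            return f"stock Chrome UA sent with non-browser headers {sorted(extra)}", "T1071.001"
    return None

def hunt(events):
    """Apply evaluate() to every event and keep the hits as (event id, reason, technique)."""
    return [(e["id"], *hit) for e in events if (hit := evaluate(e))]

# Constructed sample telemetry (not real logs): normalised endpoint and proxy records.
SAMPLE_EVENTS = [
    {"id": 1, "type": "task_create", "name": "GoogleUpdateTaskMachine", "process": "schtasks.exe"},
    {"id": 2, "type": "task_create", "name": "OneDrive Update Task", "process": "OneDrive.exe"},
    {"id": 3, "type": "reg_set", "process": "rundll32.exe",
     "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSvcHelper\ImagePath"},
    {"id": 4, "type": "http", "host": "static.cdn-ssl.com", "headers": {"User-Agent": STOCK_UA}},
    {"id": 5, "type": "http", "host": "update.example.net",
     "headers": {"User-Agent": STOCK_UA, "Host": "update.example.net", "X-Session": "1a2b"}},
    {"id": 6, "type": "http", "host": "www.example.com",
     "headers": {"User-Agent": STOCK_UA, "Host": "www.example.com", "Accept": "*/*"}},
]
```

Calling hunt(SAMPLE_EVENTS) flags events 1, 3, 4 and 5 with their technique IDs; events 2 and 6 are benign controls that show the rules do not fire on ordinary task names or plain browser requests.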

☠️ Risk & Impact

PoisonPlug enables full remote control of compromised systems, leading to intellectual property theft, credential harvesting, and lateral movement across networks. It has primarily targeted government agencies, defense contractors, and technology firms in Asia and North America, with reported financial losses exceeding tens of millions of dollars due to data breaches and remediation costs.

🛡️ Mitigation

Defenses include applying Microsoft Exchange security patches for ProxyLogon vulnerabilities, enabling email filtering for malicious attachments, and deploying endpoint detection and response (EDR) tools with rules for process injection and anomalous scheduled tasks. MITRE ATT&CK techniques used by PoisonPlug include T1059.001 (PowerShell), T1021.002 (SMB), and T1071.001 (Web Protocols).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.