Spyware found on Vietnam Airlines disguised as McAfee Antivirus

The spyware that recently infected Vietnam Airlines has been identified as a variant of the Korplug RAT that disguises itself as a McAfee antivirus program, according to an analysis of the malware by Malwarebytes.

Malwarebytes’ examination of the Korplug payload found a legitimate, digitally signed McAfee program alongside a compromised Dynamic Link Library (DLL) that was used to hijack the execution of the legitimate software. The spyware obfuscates its malicious code and hides it under layers of loaders and files.
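Because the executable in this pattern is genuinely signed, checking the program's signature alone will not expose the tampered DLL loaded from its folder. The Python below is an added example, not code from Malwarebytes or the original post, that flags that pattern in image-load telemetry. It assumes records shaped like Sysmon Event ID 7 fields; all paths, file names, `SIGNED_HOSTS` and `TRUSTED_ROOTS` are constructed placeholders.

```python
import ntpath

# Constructed records shaped like Sysmon Event ID 7 (image load) fields.
# Every path and file name is a placeholder, not an indicator from the incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\vendor_tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor_helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Updates\vendor_tool.exe",
     "ImageLoaded": r"C:\Users\Public\Updates\vendor_helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\Public\Updates\vendor_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]
# Assumption: executables whose own signature verified, collected separately.
SIGNED_HOSTS = {ev["Image"] for ev in SAMPLE_EVENTS}
# Assumption: directories where this vendor's software is normally installed.
TRUSTED_ROOTS = [r"C:\Program Files"]


def dir_of(path):
    """Lower-cased parent directory of a Windows path."""
    return ntpath.dirname(path).lower()


def dll_signature_ok(event):
    """True only when the loaded DLL is signed and the signature verified."""
    return (event.get("Signed", "").lower() == "true"
            and event.get("SignatureStatus", "").lower() == "valid")


def find_sideload_candidates(events, signed_hosts, trusted_roots):
    """Flag signed executables that load an unverified DLL from their own folder."""
    signed = {p.lower() for p in signed_hosts}
    roots = tuple(r.lower().rstrip("\\") + "\\" for r in trusted_roots)
    findings = []
    for ev in events:
        host, dll = ev["Image"], ev["ImageLoaded"]
        if host.lower() not in signed or dir_of(host) != dir_of(dll):
            continue  # not a signed host, or DLL came from another directory
        if dll_signature_ok(ev):
            continue  # the DLL itself verified, nothing to report
        outside = not (dir_of(host) + "\\").startswith(roots)
        findings.append({"host": host, "dll": dll,
                         "severity": "high" if outside else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS, SIGNED_HOSTS, TRUSTED_ROOTS):
        print(f["severity"], f["host"], "loaded", f["dll"])
```

Severity is raised when the signed executable runs from outside its expected install directory, since a legitimate program copied to an unusual folder next to an unverified DLL is the stronger signal.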

Korplug is also known as PlugX and is linked to Chinese APT groups. More information on the malware is available on Malwarebytes’ blog.
