The spyware that recently infected Vietnam Airlines has been identified as a variant of the Korplug RAT that disguises itself as a McAfee antivirus program, according to Malwarebytes’ analysis of the malware.
Malwarebytes’ examination of the Korplug payload found a legitimate McAfee application with a signed certificate, but with a compromised Dynamic Link Library (DLL) that was used to hijack the execution of the legitimate software. The spyware obfuscates its malicious code and hides it under layers of loaders and files.
Korplug is also known as PlugX and is linked to Chinese APT groups. More information on the malware is available on Malwarebytes’ blog.