He describes himself as a virus expert and an individual proficient in assembly

Sep 14, 2012 15:22 GMT

A few days ago, Trend Micro experts presented the details of a RAT known as PlugX, which has recently been used to attack organizations in Taiwan, Korea, Tibet and Japan. Now, AlienVault researchers believe they have uncovered the identity of the RAT’s developer.

After analyzing the debug paths embedded in the PlugX Trojan’s binaries, researchers noticed that some of them contained a username: whg. Similar debug paths have been identified in the binaries of an application called SockMon.
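The debug-path pivot described above relies on the CodeView "RSDS" record that Visual Studio leaves in a PE file (the signature, a 16-byte GUID, a 4-byte age and a NUL-terminated PDB path). The following is an added example, not code from the article or from AlienVault; the sample blob, GUID and the path it contains are constructed for illustration and are not the real PlugX values.

```python
import re
import struct
import uuid

# CodeView RSDS layout: b"RSDS" | 16-byte GUID (little-endian) | 4-byte age | NUL-terminated PDB path
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)

# Windows profile directories whose next segment is a user name
USER_DIR_RE = re.compile(r"(?:Documents and Settings|Users)\\([^\\]+)", re.IGNORECASE)


def extract_rsds_records(blob: bytes):
    """Return (guid, age, pdb_path) for every RSDS record found anywhere in blob.

    Scanning the raw bytes (instead of walking the debug directory) also catches
    records in packed or truncated samples where headers are damaged."""
    records = []
    for m in RSDS_RE.finditer(blob):
        guid = uuid.UUID(bytes_le=m.group(1))
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("latin-1")
        records.append((str(guid), age, path))
    return records


def candidate_usernames(pdb_path: str):
    """Pull pivot-worthy tokens out of a PDB path.

    Returns the user names found under profile directories plus every other
    path segment (drive letter dropped), since developers often name project
    folders after themselves as well."""
    users = set(USER_DIR_RE.findall(pdb_path))
    segments = [s for s in pdb_path.split("\\") if s and not re.fullmatch(r"[A-Za-z]:", s)]
    return users, segments


def pivot_tokens(blob: bytes):
    """Map each PDB path in blob to the user names it reveals."""
    return {path: candidate_usernames(path)[0] for _, _, path in extract_rsds_records(blob)}


# Constructed sample "binary": a fake MZ header, padding, one RSDS record and trailing bytes.
# GUID, age and path are invented for the example.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"RSDS"
    + uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
    + struct.pack("<I", 3)
    + b"C:\\Documents and Settings\\whg\\projects\\Release\\sample.pdb\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for path, users in pivot_tokens(SAMPLE_BLOB).items():
        print(path, "->", sorted(users))
```

The same scan applied to several samples lets an analyst cluster binaries by shared PDB path or GUID before any name is searched for online.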

A search on cnasm.com led investigators to the [email protected] email address, which back in 2000 had been used to register a domain. The physical address associated with that domain is that of a security company in China.

Finally, a different search for whg0001 pointed experts to the CSDN profile of an individual who describes himself as a “virus expert, proficient in assembly.”

Other clues also led to the same individual, and AlienVault concludes that he is not only PlugX’s developer but is also involved in some of the campaigns that relied on the RAT.