He might be one of the creators of the notorious GinWui rootkit

Sep 19, 2012 09:22 GMT  ·  By

A few days ago, AlienVault experts started investigating the PlugX Remote Access Trojan (RAT) and its developer. Now, they have uncovered new details regarding his identity and have even found a connection between him and the Chinese hacker group known as Network Crack Program Hacker (NCPH).

The initial investigation led the researchers to an individual nicknamed WHG, who described himself as a virus expert. The connection they then found between the PlugX RAT and the latest Internet Explorer zero-day exploit allowed them to uncover additional details.

First of all, they learned that WHG was at some point a student at Sichuan University in China. With this piece of information at hand, they were able to connect him to the NCPH collective.

That’s because the crew’s leader, Wicked Rose (real name Tan Dailin), formed NCPH by recruiting students from that university.

“All through 2006, NCPH built sophisticated rootkits and launched a barrage of attacks against multiple US government agencies. By the end of July, 2006, NCPH had created some 35 different attack variants for one MS Office vulnerability. During the testing phase, NCPH used Word document vulnerabilities,” reads the Wikipedia article on Dailin.

The article on the hacker collective makes an interesting connection between Wicked Rose and WHG.

“Wicked Rose credits the Chinese hacker WHG, also known as ‘fig’ as one of the developers of the GinWui rootkit. WHG is an expert in malicious code,” it reads.

The GinWui rootkit was discovered by security researchers in 2006 after being used in attacks against Japan and the United States.

AlienVault experts believe that WHG, whose real name might be Zhao Jibing, is not a core member of NCPH, but a close affiliate of the ring’s leader.