Microsoft

Adrien Bataille

Pulling the (KEY)PLUG: A dive into the ecosystem of yet another shared malware family

KEYPLUG has been publicly referenced on several occasions but never in great detail. Past analysis has associated this malware family with APT41 / Brass Typhoon, and public reporting has described activity in 2021 targeting US state governments. But is there more to it?

During the past year, we dug into KEYPLUG internals and related samples and uncovered new loaders and plugins. We tracked its associated infrastructure and the protocols the adversaries use to avoid detection and stay one step ahead. Throughout our analysis, we identified several different users of KEYPLUG, each with distinct characteristics and victims, which we will present here.

In addition, we will detail the opportunities and challenges of detecting KEYPLUG from a network perspective and on the endpoint, based on recent observations and discoveries about these new groups. We will show ways to attribute these activities to different actors based solely on how KEYPLUG is being used, and how small details can make a difference. We hope to show the audience that, although it can be difficult, attribution based on shared tooling or malware is still possible and contributes important pieces to the bigger puzzle.

Adrien is a senior analyst at Microsoft Threat Intelligence, focused on threats originating from Southeast Asia. Adrien is a malware and YARA enthusiast and enjoys hunting in various data sources, with a focus on surfacing as-yet-untracked threats. Adrien’s prior experience includes incident response, malware analysis and threat intelligence in both the public and private sectors. Some of his work has been presented at conferences such as the FireEye Cyber Defense Summit and the Digital Crimes Consortium.
