PwC

Bendik Hagen

Pulling the (KEY)PLUG: A dive into the ecosystem of yet another shared malware family

KEYPLUG has been publicly referenced on several occasions but never in great detail. Past analysis has associated this malware family with APT41 / Brass Typhoon and public reporting described activity in 2021 targeting US state governments. But is there more to it?

During the past year, we dug into KEYPLUG internals and related samples, uncovering new loaders and plugins. We tracked its associated infrastructure and the protocols adversaries use in order to avoid detection and stay one step ahead. Throughout our analysis, we discovered several different users of KEYPLUG, each with distinct characteristics and victims, which we will present here.

In addition, we will detail the opportunities and challenges of detecting KEYPLUG from a network perspective and on the endpoint, based on recent observations and discoveries of these new groups. We will show ways to attribute these activities differently, based solely on how KEYPLUG is being used, and how small details can make a difference. We hope to show the audience that, although it can be difficult, attribution based on shared tooling or malware is still possible and brings important pieces to the bigger puzzle.

Bendik is a researcher/intelligence analyst on the PwC Global Threat Intelligence team, with a focus on threat actors based in the Asia Pacific region. His area of expertise is malware reverse engineering and network infrastructure tracking of China-based threat actors, giving him a relatively unique insight into the behaviour of these entities and their operations. Prior to joining PwC, Bendik worked for the Norwegian government performing reverse engineering and network analysis.

Hagen_Bendik