“During the past few months we have seen some spearphishing campaigns against Tibetan targets using mainly Microsoft Office Exploits (CVE-2012-0158),” explains AlienVault’s Jaime Blasco. Symantec had already explained the process. The spearphish email tempts the recipient to load an infected Word document which drops three files: a genuine Nvidia exe that automatically loads a fake DLL which in turn loads boot.ldr containing the malware.

“In most of the boot.ldr files we have found the RAT called PlugX,” says Blasco. It is the subsequent detailed analysis of PlugX that has led to its operator. What Blasco found was debug paths that included “C:\Users\whg\Desktop\...” and others that led to cnasm.org. On cnasm.org he found an email address: whg0001 at 163.com. He then found that the email address was used as the administrative contact for chinansl.com back in 2000.

Chinansl, incidentally, is described on report.cnmarketdata.com as being at the Chengdu National Information Security Production Industrialization Base.

The point, however, is that AlienVault now had enough evidence to link someone called whg0001 to both the PlugX RAT and a security background. AlienVault started to look for other references to whg0001. On http://bbs.krshadow.com/thread-58032-1-1.html it found a reference (in Chinese) to whg0001 that Google translates as: “Virus expert. Proficient in assembly. Wrote a lot of software, for example lan under tools and sniff sniff QQ tools, etc...” On my.csdn.net they even found a photo of whg0001.

Finally, AlienVault found another PlugX debug path pointing to a Baidu.com page “that seems to be used as a test or to check connectivity”; but displaying the same photo of whg0001 that they had found on my.csdn.net. “With the information we have, we can say that this guy is behind the active development of the PlugX RAT,” concludes AlienVault. We now have his email address and his photograph – his real name will surely follow.