PlugX: Bad guy disguises as an msi file
I. Overview
II. Analysis
1. Locate suspicious files
Use msidump from msitools to extract the package: msidump -s -t mal.msi. In the extracted File.idt table we can see that there are 3 embedded files.
When the installer runs, these files are dropped to %LOCALAPPDATA%\kjnBsLsJo\
2024Contact.exe
security.dll
contactDB.dat
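To triage the File table without opening the package by hand, here is an added example (not from the original post) that parses the File.idt text that msidump -t writes, groups the installed files by component and flags the ones that are native code. The .idt rows are constructed from the three file names above; the component name, file keys and sizes are placeholders, not values from the real sample.

```python
# Added example: parse the File table that msidump -t writes as File.idt.
# An .idt file is a tab-separated text table: a column-name row, a
# column-type row, a table-name/key row, then one data row per file.
# The sample below is constructed from the three file names in the
# analysis; file keys, component name and sizes are assumed placeholders.
from collections import defaultdict

FILE_IDT = (
    "File\tComponent_\tFileName\tFileSize\tVersion\tLanguage\tAttributes\tSequence\n"
    "s72\ts72\tl255\ti4\tS72\tS20\tI2\ti2\n"
    "File\tFile\n"
    "f_exe\tkjnBsLsJo\t2024CO~1.EXE|2024Contact.exe\t135168\t\t\t512\t1\n"
    "f_dll\tkjnBsLsJo\tSECURI~1.DLL|security.dll\t98304\t\t\t512\t2\n"
    "f_dat\tkjnBsLsJo\tCONTAC~1.DAT|contactDB.dat\t204800\t\t\t512\t3\n"
)

def parse_idt(text):
    """Return the data rows of an .idt table as a list of dicts."""
    lines = text.splitlines()
    if len(lines) < 3:
        raise ValueError("not an .idt table: need header, types and key rows")
    columns = lines[0].split("\t")
    rows = []
    for raw in lines[3:]:
        if not raw.strip():
            continue
        values = raw.split("\t")
        # Pad short rows so optional trailing columns come back as ''.
        values += [""] * (len(columns) - len(values))
        rows.append(dict(zip(columns, values)))
    return rows

def long_name(file_name):
    """MSI stores 'SHORT~1.EXT|long name.ext'; keep the long form."""
    return file_name.split("|")[-1]

def embedded_files(text):
    """Map each component to the long names of the files it installs."""
    by_component = defaultdict(list)
    for row in parse_idt(text):
        by_component[row["Component_"]].append(long_name(row["FileName"]))
    return dict(by_component)

def executable_payloads(text):
    """List files whose extension marks them as native code (heuristic only)."""
    return sorted(f for files in embedded_files(text).values()
                  for f in files if f.lower().endswith((".exe", ".dll")))

if __name__ == "__main__":
    for comp, files in embedded_files(FILE_IDT).items():
        print(comp, "->", ", ".join(files))
    print("native code:", executable_payloads(FILE_IDT))
```

The extension check is a shortcut for a first pass; confirm the file type of each extracted stream (e.g. by its MZ header) before drawing conclusions.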
...
bluecyber.hashnode.dev