Wednesday, November 6, 2024
HomeComputer SecurityPKPLUG -New Research Found Same Chinese Hacking Group Involved with Multiple Cyber...

PKPLUG -New Research Found Same Chinese Hacking Group Involved with Multiple Cyber Attacks Across Asia

Published on

Malware protection

Researchers linked multiple Cyber-espionage campaigns across Asia to the threat actor group PKPLUG. The group uses its PlugX malware and the number of additional payloads in the campaign.

The group primarily targets Southeast Asia regions such as particularly Myanmar, Taiwan, Vietnam, and Indonesia and other parts of Asia such as Tibet, Xinjiang, and Mongolia.

Based on Unit 42 research the main objectives of attack are to implant backdoors on victims’ systems and mobiles, tracks and gathering information.

- Advertisement - SIEM as a Service

“The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes “PK” in its header, hence PKPLUG.”

Following are the malware used

PKPLUG Attack Timeline

The group found active for more than six years, their first attack dated November 2013, against Mongolia, in the attack the malicious payloads launched via digitally signed legitimated applications.

The second attack in April 2016, that attack uses Poison Ivy malware against targets in Myanmar and other countries in Asia.

PKPLUG
Attack Timeline Credits: Unit 42

The third attack found in July 2016, Spear-phishing campaign contains shorten links hosted on Google Drive. The attack against Myanmar and other Asian countries using 9002 Trojan as a payload.

The fourth attack in March 2017, spear-phishing campaign using GeoCities Japan website to deliver malware, Poison Ivy used as a payload.

The fifth attack named HenBox, poses a legitimate app targets, Turkic ethnic group, the malware distributed through third-party app stores and their goal is to harvest outgoing calls.

The sixth attack in February 2019, targeting the Uyghur population, attackers used Farseer Windows malware. it was distributed through signed binaries.

Maltego image posted by Unit 42, shows that “known malware samples related to PKPLUG, and the chart continues to grow as we discover more about this adversary, ” reads the report.

PKPLUG
Maltego Image Relating the Attacks Credits: Unit 42

The C2 infrastructure used in attacks, domains, and malware used are concerning each other, you can find the PKPLUG Adversary Playbook here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

North Korean Hackers Employing New Tactic To Acruire Remote Jobs

North Korean threat actors behind the Contagious Interview and WageMole campaigns have refined their...

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine

Weaponized Linux virtual machines are used for offensive cybersecurity purposes, such as "penetration testing"...

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

North Korean Hackers Employing New Tactic To Acruire Remote Jobs

North Korean threat actors behind the Contagious Interview and WageMole campaigns have refined their...

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine

Weaponized Linux virtual machines are used for offensive cybersecurity purposes, such as "penetration testing"...

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...