Thursday, July 18, 2024

PKPLUG -New Research Found Same Chinese Hacking Group Involved with Multiple Cyber Attacks Across Asia

Researchers linked multiple Cyber-espionage campaigns across Asia to the threat actor group PKPLUG. The group uses its PlugX malware and the number of additional payloads in the campaign.

The group primarily targets Southeast Asia regions such as particularly Myanmar, Taiwan, Vietnam, and Indonesia and other parts of Asia such as Tibet, Xinjiang, and Mongolia.

Based on Unit 42 research the main objectives of attack are to implant backdoors on victims’ systems and mobiles, tracks and gathering information.

“The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes “PK” in its header, hence PKPLUG.”

Following are the malware used

PKPLUG Attack Timeline

The group found active for more than six years, their first attack dated November 2013, against Mongolia, in the attack the malicious payloads launched via digitally signed legitimated applications.

The second attack in April 2016, that attack uses Poison Ivy malware against targets in Myanmar and other countries in Asia.

Attack Timeline Credits: Unit 42

The third attack found in July 2016, Spear-phishing campaign contains shorten links hosted on Google Drive. The attack against Myanmar and other Asian countries using 9002 Trojan as a payload.

The fourth attack in March 2017, spear-phishing campaign using GeoCities Japan website to deliver malware, Poison Ivy used as a payload.

The fifth attack named HenBox, poses a legitimate app targets, Turkic ethnic group, the malware distributed through third-party app stores and their goal is to harvest outgoing calls.

The sixth attack in February 2019, targeting the Uyghur population, attackers used Farseer Windows malware. it was distributed through signed binaries.

Maltego image posted by Unit 42, shows that “known malware samples related to PKPLUG, and the chart continues to grow as we discover more about this adversary, ” reads the report.

Maltego Image Relating the Attacks Credits: Unit 42

The C2 infrastructure used in attacks, domains, and malware used are concerning each other, you can find the PKPLUG Adversary Playbook here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates


Latest articles

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...

Resonance Security Launches Harmony to Monitor and Detect Threats to Web2 and Web3 Apps

Quick take:Harmony is the fourth cybersecurity application Resonance developed to address the disconnect in...

Beware! of New Phishing Tactics Mimic as HR Attacking Employees

Phishing attacks are becoming increasingly sophisticated, and the latest strategy targeting employees highlights this...

MirrorFace Attacking Organizations Exploiting Vulnerabilities In Internet-Facing Assets

MirrorFace threat actors have been targeting media, political organizations, and academic institutions since 2022,...

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles