PKPLUG

Researchers linked multiple Cyber-espionage campaigns across Asia to the threat actor group PKPLUG. The group uses its PlugX malware and the number of additional payloads in the campaign.

The group primarily targets Southeast Asia regions such as particularly Myanmar, Taiwan, Vietnam, and Indonesia and other parts of Asia such as Tibet, Xinjiang, and Mongolia.

Based on Unit 42 research the main objectives of attack are to implant backdoors on victims’ systems and mobiles, tracks and gathering information.

“The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes “PK” in its header, hence PKPLUG.”

Following are the malware used

PKPLUG Attack Timeline

The group found active for more than six years, their first attack dated November 2013, against Mongolia, in the attack the malicious payloads launched via digitally signed legitimated applications.

The second attack in April 2016, that attack uses Poison Ivy malware against targets in Myanmar and other countries in Asia.

PKPLUG
Attack Timeline Credits: Unit 42

The third attack found in July 2016, Spear-phishing campaign contains shorten links hosted on Google Drive. The attack against Myanmar and other Asian countries using 9002 Trojan as a payload.

The fourth attack in March 2017, spear-phishing campaign using GeoCities Japan website to deliver malware, Poison Ivy used as a payload.

The fifth attack named HenBox, poses a legitimate app targets, Turkic ethnic group, the malware distributed through third-party app stores and their goal is to harvest outgoing calls.

The sixth attack in February 2019, targeting the Uyghur population, attackers used Farseer Windows malware. it was distributed through signed binaries.

Maltego image posted by Unit 42, shows that “known malware samples related to PKPLUG, and the chart continues to grow as we discover more about this adversary, ” reads the report.

PKPLUG
Maltego Image Relating the Attacks Credits: Unit 42

The C2 infrastructure used in attacks, domains, and malware used are concerning each other, you can find the PKPLUG Adversary Playbook here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates