Researchers linked multiple Cyber-espionage campaigns across Asia to the threat actor group PKPLUG. The group uses its PlugX malware and the number of additional payloads in the campaign.
The group primarily targets Southeast Asia regions such as particularly Myanmar, Taiwan, Vietnam, and Indonesia and other parts of Asia such as Tibet, Xinjiang, and Mongolia.
Based on Unit 42 research the main objectives of attack are to implant backdoors on victims’ systems and mobiles, tracks and gathering information.
“The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes “PK” in its header, hence PKPLUG.”
Following are the malware used
- PlugX – Windows malware
- HenBox – Android App
- Farseer – Windows Backdoor
- Poison Ivy – Remote Administration Tool
- Zupdax – Windows malware
PKPLUG Attack Timeline
The group found active for more than six years, their first attack dated November 2013, against Mongolia, in the attack the malicious payloads launched via digitally signed legitimated applications.
The second attack in April 2016, that attack uses Poison Ivy malware against targets in Myanmar and other countries in Asia.
The third attack found in July 2016, Spear-phishing campaign contains shorten links hosted on Google Drive. The attack against Myanmar and other Asian countries using 9002 Trojan as a payload.
The fourth attack in March 2017, spear-phishing campaign using GeoCities Japan website to deliver malware, Poison Ivy used as a payload.
The fifth attack named HenBox, poses a legitimate app targets, Turkic ethnic group, the malware distributed through third-party app stores and their goal is to harvest outgoing calls.
The sixth attack in February 2019, targeting the Uyghur population, attackers used Farseer Windows malware. it was distributed through signed binaries.
Maltego image posted by Unit 42, shows that “known malware samples related to PKPLUG, and the chart continues to grow as we discover more about this adversary, ” reads the report.
The C2 infrastructure used in attacks, domains, and malware used are concerning each other, you can find the PKPLUG Adversary Playbook here.