
Chinese cyberespionage group PKPLUG uses custom and off-the-shelf tools


Security researchers have linked various attack campaigns against organizations and ethnic groups in Asia to a single threat actor they believe is likely serving China’s geopolitical interests in the region and is connected to the country’s state-sponsored cyberespionage apparatus. Researchers from security firm Palo Alto Networks have been tracking attack campaigns launched by a group, or several closely connected groups, they’ve dubbed PKPLUG for the past three years. They’ve found links to older attack campaigns reported independently by other companies over the past six years. According to them, this is the first time all these attacks have been tied together under a single threat actor.

“We believe victims lay mainly in and around the Southeast Asia region, particularly Myanmar, Taiwan, Vietnam, and Indonesia, and likely also in various other areas in Asia, such as Tibet, Xinjiang, and Mongolia,” the researchers said in a new report released today. “Based on targeting, content in some of the malware and ties to infrastructure previously documented publicly as being linked to Chinese nation-state adversaries, Unit 42 believes with high confidence that PKPLUG has similar origins.”

PKPLUG uses a mixed bag of tools and techniques

What sets this group apart is its mix of off-the-shelf and custom-made malware. The public tools include the PlugX Trojan, from which the group’s name is derived, and Poison Ivy. One of PKPLUG’s common tactics is to deliver PlugX inside a ZIP archive; the ZIP file format’s header begins with the ASCII bytes “PK”, hence PKPLUG.

The group also makes heavy use of DLL side-loading to execute its malicious payloads. The technique abuses the way Windows resolves a DLL that a program requests by name rather than by full path: the loader searches a fixed sequence of locations, beginning with the directory that contains the executable, and loads the first file with that name. If an attacker places a DLL with the expected name next to a legitimate, often digitally signed, executable, the legitimate process loads and runs the attacker’s code. Because the process doing the loading is itself trusted and unmodified, the payload has a lower chance of being detected than it would running as a stand-alone executable.
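The two points above, the “PK” ZIP signature and a DLL shipped beside an executable as a side-loading bundle, can be turned into a simple attachment triage check. The following is an added example written for this page, not code from the Unit 42 report or from any PKPLUG tool; the archive it inspects is constructed in memory with placeholder bytes, and the file names and the short list of commonly shadowed system DLL names are illustrative assumptions, not indicators from the original article.

```python
"""Triage a ZIP attachment for a DLL side-loading bundle.

Added example: the archive is built in memory from placeholder bytes and
contains no real malware. File names and COMMONLY_SHADOWED_DLLS are
assumptions for illustration only.
"""
import io
import posixpath
import zipfile

# Signature of a ZIP local-file header: ASCII "PK" followed by 0x03 0x04.
# (Empty or spanned archives start with other "PK" signatures; a populated
# attachment starts with this one.)
ZIP_MAGIC = b"PK\x03\x04"

# Illustrative names of Windows DLLs that a loader dropped in the
# application directory can shadow (assumption: not an exhaustive list).
COMMONLY_SHADOWED_DLLS = {"version.dll", "dwmapi.dll", "wtsapi32.dll", "msimg32.dll"}


def is_zip_magic(data: bytes) -> bool:
    """Return True if the blob starts with a ZIP local-file-header signature."""
    return data[:4] == ZIP_MAGIC


def find_sideload_candidates(zip_bytes: bytes) -> list[dict]:
    """Return every (exe, dll) pair that shares a directory inside the archive.

    A DLL next to an executable is the precondition for side-loading: the
    Windows loader resolves an unqualified DLL name from the executable's own
    directory before it looks in the system directory.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]

    # Group archive members by directory and by extension.
    by_dir: dict[str, dict[str, list[str]]] = {}
    for name in names:
        directory, base = posixpath.split(name)
        ext = posixpath.splitext(base)[1].lower()
        bucket = by_dir.setdefault(directory, {"exe": [], "dll": [], "other": []})
        if ext == ".exe":
            bucket["exe"].append(name)
        elif ext == ".dll":
            bucket["dll"].append(name)
        else:
            bucket["other"].append(name)

    findings = []
    for bucket in by_dir.values():
        for exe in bucket["exe"]:
            for dll in bucket["dll"]:
                findings.append({
                    "exe": exe,
                    "dll": dll,
                    # A DLL named like a system library is the classic loader shape.
                    "shadows_system_dll": posixpath.basename(dll).lower() in COMMONLY_SHADOWED_DLLS,
                    # Any other files in the same directory (e.g. an encrypted payload blob).
                    "extra_files": bucket["other"],
                })
    return findings


def build_sample_zip() -> bytes:
    """Construct a sample archive in memory (placeholder content, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/Report.exe", b"MZ placeholder host executable")
        zf.writestr("report/version.dll", b"MZ placeholder loader dll")
        zf.writestr("report/Report.dat", b"\x00" * 16)
        zf.writestr("readme.txt", b"Please see the attached report.")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    print("ZIP magic present:", is_zip_magic(SAMPLE_ZIP))
    for f in find_sideload_candidates(SAMPLE_ZIP):
        print(f"{f['exe']} + {f['dll']} (shadows system DLL: {f['shadows_system_dll']}), "
              f"other files: {f['extra_files']}")
```

On the constructed sample this reports one candidate pair, `report/Report.exe` with `report/version.dll`, and notes the adjacent `Report.dat`. The check is deliberately a heuristic: a legitimate installer can also ship an EXE and DLL side by side, so a hit is a reason to pull the executable’s signature and the DLL’s exports for a closer look, not a verdict on its own.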

The group favors spear-phishing emails to deliver its payloads and uses social engineering to trick recipients into opening attachments. Some limited use of Microsoft Office exploits has also been observed, as has the use of malicious PowerShell scripts.

In addition to PlugX and Poison Ivy, PKPLUG has used a Trojan called 9002 that is shared by only a small subset of attack groups, a custom Windows backdoor that the researchers previously dubbed Farseer, and an Android Trojan called HenBox that masquerades as legitimate applications. HenBox has not been distributed through Google Play, probably because Google Play is blocked in China and many users there install apps from third-party stores.

Copyright © 2019 IDG Communications, Inc.
