Cybersecurity researchers have linked various attack campaigns against organizations and ethnic groups in Asia, documented as far back as six years ago, to a single threat actor dubbed PKPLUG, which they believe to be backed by China. The experts from Palo Alto Networks threat research group Unit 42 have been tracking campaigns launched by this group for the past three years. The name “PKPLUG” comes from the threat actor delivering PlugX malware inside ZIP archives, whose file header begins with the ASCII magic bytes “PK”. Unit 42 is not entirely confident whether PKPLUG is a single threat actor or several groups using the same tactics, techniques, and procedures (TTPs).
What makes this group stand out is its use of both custom malware and publicly available tools. According to the report, in addition to the PlugX RAT (remote access trojan), the group has been seen leveraging Poison Ivy and Zupdax, HenBox (an Android trojan), Farseer (a Windows backdoor), and the 9002 Trojan, which is believed to be shared among a small subset of attack groups. The group also favors DLL side-loading to execute its malicious payloads. The payloads are usually delivered through spear-phishing emails with malicious attachments or, in limited cases, via Microsoft Office exploits and malicious PowerShell scripts.
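Two details above matter to a defender: the archives are identifiable by the ZIP magic bytes “PK” whatever extension they carry, and a side-loading package is a recognisable bundle (a legitimate host executable, a look-alike DLL it will load, and a payload blob). The following is an added example, not code from the Unit 42 report, that classifies ZIP members by parsing their MZ/PE headers instead of trusting file names, so a DLL renamed to `.txt` is still counted as a DLL. The archive it inspects is constructed inline from minimal fake PE headers; the function names and the `triad` flag are my own.

```python
import io
import struct
import zipfile

# Added example (not from the Unit 42 report): classify the members of a ZIP
# by file content rather than file name. The ZIP local-file-header magic is
# "PK\x03\x04"; PE files start with "MZ" and carry a DLL flag in the COFF
# header, so a DLL renamed to .txt is still recognised as a DLL.

ZIP_MAGIC = b"PK\x03\x04"
IMAGE_FILE_DLL = 0x2000  # Characteristics bit in the COFF file header


def is_zip_by_magic(data: bytes) -> bool:
    """True if the blob is a ZIP regardless of its extension."""
    return data[:4] == ZIP_MAGIC


def pe_kind(data: bytes):
    """Return 'dll', 'exe' or None by parsing the MZ/PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # COFF header follows the 4-byte signature; Characteristics is its last field.
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def classify_archive(blob: bytes) -> dict:
    """Group ZIP members into exe / dll / data and flag the EXE+DLL+data triad
    typical of a side-loading package (host EXE, look-alike DLL, payload blob)."""
    result = {"is_zip": is_zip_by_magic(blob), "exe": [], "dll": [], "data": [], "triad": False}
    if not result["is_zip"]:
        return result
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = pe_kind(zf.read(info.filename)) or "data"
            result[kind].append(info.filename)
    result["triad"] = bool(result["exe"] and result["dll"] and result["data"])
    return result


def _fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal MZ+PE header (not a runnable binary) for the sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0,
                       IMAGE_FILE_DLL if is_dll else 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


def _sample_archive() -> bytes:
    """Constructed sample archive: the DLL is hidden under a .txt name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app.exe", _fake_pe(is_dll=False))
        zf.writestr("help.txt", _fake_pe(is_dll=True))
        zf.writestr("config.dat", bytes(range(256)))  # opaque payload blob
    return buf.getvalue()


SAMPLE_ARCHIVE = _sample_archive()

if __name__ == "__main__":
    print(classify_archive(SAMPLE_ARCHIVE))
```

The triad flag is a triage hint, not a verdict: many legitimate installers also ship an EXE, DLLs and data files. The point is that the check survives renaming, which is what the “PK” naming in the report is really about.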
“It’s not entirely clear as to the ultimate objectives of PKPLUG, but installing backdoor Trojan implants on victim systems, including mobile devices, infers tracking victims and gathering information is a key goal,” the researchers said.
PKPLUG’s main targets are in Southeast Asia and other parts of the region, specifically Myanmar, Taiwan, Vietnam, Indonesia, Mongolia, Tibet and Xinjiang, many of which have a complex relationship with China, which may explain the group’s particular interest.
According to Unit 42, the earliest confirmed PKPLUG activity was reported by Blue Coat Labs in November 2013 and involved a PlugX campaign launched against Mongolian targets. In this attack, the actors used weaponized Word documents saved as a Single File Web Page (MHT file) to exploit a vulnerability (CVE-2012-0158) in Microsoft Office in order to drop and execute a WinRAR SFX archive containing both PlugX and a DLL side-loading package.
From November 2013 through February 2019, researchers documented six cyberespionage campaigns that the Unit 42 team has linked to PKPLUG. The most recent campaign involved a previously unknown Windows backdoor called Farseer, delivered via DLL side-loading. The backdoor targets Windows systems and was used by the threat actors in attacks against targets in Mongolia and Myanmar.
The researchers noticed overlaps between the infrastructure and the malware used in different campaigns.
“Overlaps between the different campaigns documented, and the malware families used in them, exist both in infrastructure (domain names and IP addresses being reused, sometimes in multiple cases) and in terms of malicious traits (program runtime behaviors or static code characteristics are also where relationships can be found or strengthened),” the research team said.
In at least four of the six campaigns, the threat actors used a shared set of IP addresses as command and control (C&C) infrastructure. Researchers also found that the attackers used the same registrant for various domain names hosted at those addresses.
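The linkage described in the two paragraphs above (reused C&C IP addresses, a common domain registrant) is a graph problem: campaigns are nodes, and any indicator two campaigns share is an edge. The following is an added example, not part of the Unit 42 report, that builds those edges and clusters campaigns with union-find. The campaign table is constructed for illustration (RFC 5737 documentation addresses and `.example` names), not PKPLUG indicators; the campaign names, registrant labels and function names are assumptions.

```python
from collections import defaultdict

# Constructed sample, NOT PKPLUG IoCs: documentation IPs (RFC 5737) and
# .example domains. Each campaign lists the indicators observed in it.
CAMPAIGNS = {
    "campaign-1": {"ips": {"192.0.2.10"}, "domains": {"news-update.example"}, "registrants": {"reg-a"}},
    "campaign-2": {"ips": {"192.0.2.10", "198.51.100.7"}, "domains": {"mail-sync.example"}, "registrants": {"reg-a"}},
    "campaign-3": {"ips": {"198.51.100.7"}, "domains": {"cdn-cache.example"}, "registrants": {"reg-b"}},
    "campaign-4": {"ips": {"203.0.113.5"}, "domains": {"cloud-docs.example"}, "registrants": {"reg-c"}},
    "campaign-5": {"ips": {"203.0.113.9"}, "domains": {"portal-auth.example"}, "registrants": {"reg-c"}},
    "campaign-6": {"ips": {"203.0.113.44"}, "domains": {"update-srv.example"}, "registrants": {"reg-d"}},
}


def find_links(campaigns):
    """Return sorted (campaign_a, campaign_b, indicator_type, value) tuples,
    one per indicator that two campaigns have in common."""
    index = defaultdict(set)  # (type, value) -> campaigns that used it
    for name, indicators in campaigns.items():
        for itype, values in indicators.items():
            for value in values:
                index[(itype, value)].add(name)
    links = []
    for (itype, value), names in index.items():
        names = sorted(names)
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                links.append((names[i], names[j], itype, value))
    return sorted(links)


def cluster(campaigns):
    """Union-find over campaigns joined by any shared indicator.
    Returns a sorted list of sorted campaign-name clusters."""
    parent = {name: name for name in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _, _ in find_links(campaigns):
        parent[find(a)] = find(b)
    groups = defaultdict(list)
    for name in campaigns:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for link in find_links(CAMPAIGNS):
        print("%s <-> %s via %s %s" % link)
    print(cluster(CAMPAIGNS))
```

In the sample, campaign-1 and campaign-2 share an IP and a registrant, campaign-2 and campaign-3 share a second IP, and campaign-4 and campaign-5 share only a registrant, so three clusters come out. In practice not every edge carries equal weight: a shared IP on bulletproof hosting is a strong pivot, a shared IP on a large CDN or a privacy-proxy registrant is nearly meaningless, so a real analysis scores edges (or requires more than one kind of overlap, as the report does when it pairs infrastructure with code traits) before merging clusters.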
“Based on what we know and what we’ve gleaned from others’ publications, and through industry sharing, PKPLUG is a threat group, or groups, operating for at least the last six years using several malware families — some more well-known: Poison Ivy, PlugX, and Zupdax; some are less well-known: 9002, HenBox, and Farseer. Unit 42 has been tracking the adversary for three years and based on public reporting believes with high confidence that it has origins to Chinese nation-state adversaries,” the researchers said.
“The use of Android malware shows intent to get at targets where perhaps traditional computers, operating systems and ways of communicating are different from previous targets”.
A full report, including Indicators of Compromise (IoCs) relating to PKPLUG can be found here.