Pierluigi Paganini October 03, 2019

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG.

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG. The name comes from the threat actor using PlugX inside ZIP archives containing the ASCII magic bytes “PK” in the header.

“For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report.” reads the report published by Palo Alto Networks. “We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking.”

Hackers targeted entities in the Southeast Asia region, most of the victims were in Myanmar, Taiwan, Vietnam, and Indonesia. Experts believe the PKPLUG also targeted other countries in Asia, including Tibet, Xinjiang, and Mongolia. 

The China-linked APT group has been active for at least six years, it used both custom-made and publicly available malware.

Researchers at Palo Alto Networks’ Unit 42 reported that some of the tools used in the campaigns were also involved in attacks carried out by other threat actors.

The experts observed the threat actor mainly delivered the PlugX backdoor, but the attackers also used the HenBox Android malware, the Farseer backdoor for Windows, the 9002 and Zupdax trojans, and Poison Ivy RAT.

Below the timeline of the PKPLUG attacks over the years:

The first campaign associated with the PKPLUG was observed in November 2013, when the group targeted Mongolian individuals with PlugX RAT. In April 2016, researchers from Arbor Network uncovered a campaign aimed at delivering the Poison Ivy to targets in Myanmar and other countries in Asia. A month later, Unit 42 researchers spotted another campaign that targeted entities from Myanmar, the Uyghur minority, Tibet, Vietnam, Indonesia, and Taiwan with the 9002 Trojan.

In March 2017, the Hong Kong-based cybersecurity company VKRL spotted a campaign targeting entities in Mongolia. One year later, on March 2018, Unit 42 experts spotted a campaign involving a new Android malware family named “HenBox.” Hackers targeted primarily the Uyghurs minority.

Early 2019, Unit 42 researchers discovered a previously-unknown Windows backdoor Trojan called Farseer that was used by the threat actors in attacks against targets in Myanmar. Experts noticed overlaps between the infrastructure and the malware used in different campaigns.

“Overlaps between the different campaigns documented, and the malware families used in them, exist both in infrastructure (domain names and IP addresses being reused, sometimes in multiple cases) and in terms of malicious traits (program runtime behaviors or static code characteristics are also where relationships can be found or strengthened).” continues the analysis.

In at least four of the six campaigns, the threat actors used a shared set of IP addresses as command and control (C2) infrastructure.

Researchers also discovered that attackers used the same registrant for various domain names hosted at those addresses.

“Based on what we know and what we’ve gleaned from others’ publications, and through industry sharing, PKPLUG is a threat group, or groups, operating for at least the last six years using several malware families — some more well-known: Poison Ivy, PlugX, and Zupdax; some are less well-known: 9002, HenBox, and Farseer.” concludes the analysis. “Unit 42 has been tracking the adversary for three years and based on public reporting believes with high confidence that it has origins to Chinese nation-state adversaries.”

Pierluigi Paganini

(SecurityAffairs – PKPLUG, China)

[adrotate banner=”5″]

[adrotate banner=”13″]