
Rewterz Threat Alert – PKPLUG Attacking Asia

October 7, 2019

Severity

High

Analysis Summary

PKPLUG is the name Unit 42 gave to a set of cyber espionage campaigns across Asia that used a mix of publicly available and custom malware, and to the threat actor group, or groups, behind these and other documented attacks. The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package: a ZIP file starts with the ASCII magic bytes “PK” (the local file header signature 50 4B 03 04), hence PKPLUG.

While tracking these attackers, Unit 42 discovered additional, mostly custom malware families used by PKPLUG beyond PlugX. These include HenBox, an Android app, and Farseer, a Windows backdoor. The attackers also use the 9002 Trojan, which is believed to be shared among a small subset of attack groups. Other publicly available malware seen in relation to PKPLUG activity includes Poison Ivy and Zupdax.

Impact

Exposure of sensitive information

Indicators of Compromise

Malware Hash (MD5/SHA1/SHA256)

  • 000473f7168ebda3de054a126352af81b61dd0be462ae9b3c7ccc0bc5cea7986
  • 0011fb4f42ee9d68c0f2dc62562f53e0
  • 00c89e5e5c1e6c129bf7f0b489af2439902014427e3342e7ef2fab0f4fe64361
  • 011509bb9cde31c0b45c49747ff150abcfa66d283ff986f167bf564bacfded4d
  • 0306585900f1b1bddc76149352f90962c365959e44a486ba3547c80d12d56e41
  • 0387baebb2b0c678e46e7291325e91118c53a3206d73c1145c082b10cf6a65f1
  • 04750f949332191f1004992b195e67fa975f2450406b965d8a5bb83a4341b9ac
  • 0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7
  • 05bec24bbf9381a30d57bf0efae3d6853d009dbd97337eb4196c9b60fb72e707
  • 077239b3bedaa850b82204fdd42e5e45fedc3dfc2f6da5aab04d768370e990fa
  • 07994c9f2eeeede199dd6b4e760fce371f03f3cc4307e6551c18d2fbd024a24f
  • 082f23772081b276adf57d29e0c4c008cc2373a55b7e4a077f05c1a8471cda22
  • 085f92b8769d1d01ac5be730a9eccd2ed236d6f0dabe6b9c6aceef32499cdfe4
  • 08dee1f5ced372716ad5c6e3f2041bcdeb25e905efc19d3749fe637d0a589ccc
  • 0940602e7d47941f36c975afa9d2c6b1b0d2bd15bbea6ad4baf0f828420d72bf
  • 097fdb6135b7460d0b8f96cf385497364ffc8206ed246053f7d0a9c7fb7cba7a
  • 0a4f38a83abbbab3a039be95862df7848f28513baa1da52a74a9e6a31f63c9b7
  • 0a66c510ee0599f6481dcd2f816442a25eddf200ded7235e90c019e441678057
  • 0a85fe28230b4bab575ec02619b2992fe1b1235b582b42d15a773032f6bb7ef0
  • 0af768b4ba8fe7aac7a7da7fd5f21e7496d5617dccdf2321f526fd1091d64a6d
  • 0bfbbca56718b5bae7e21613a9884ea80db53aa1eca9cacf5a793e52f6a724e7
  • 0c7e35ca1312204063319a3455ec14bc4b701de205503e63de584f28d99f0291
  • 0d54a5dbda9f6f080d6211e0c73cef9dc4d996b3ca7d8352b06b07dc1a0080ef
  • 0d5cb7b22c72250e8748ecefa668ae8e12369d9c98c556fa4bf138883611fe32
  • 0e31575bf0001d818d87aa134e728f62e7f2d27ff9437897303eb8ae1962a865
  • 0efaf91842a7e45562e97bda369efa6e14f98bf9d63782ec9c323fa246da549a
  • 0fa384198ae9550e008e97fa38e8a56c4398fc91e12eddba713966bfed107130
  • 10a37ed1d8aff44625f9782bae81aa75cc8293ae28098c954e5695bec24600c6
  • 10bd4507eb12bebc17e216e16950bf77e56c2aad01be7033bf0d5c235f2ad6e5
  • 11b1134e9e690ca0bff578167b451a25b07263dc16a172e923fe3152e50094e9
  • 12759f7fd01ffdea97954be5404d7e43a3941a7388129e7b6ace85f56b500cd8
  • 13315a9303a8c46b7b81b5d2a87b24dbb5b72fcd38beac2ef87275df9cc9e378
  • 14b9b09f4f193e378cf9616e211ab7031b4e1e6f626971902577f4f2d5df226a
  • 14bc9f588c2094c96ca92a44fdbabdec00cff2652a5a72c7c8b6f01c6724e76f
  • 14f715228acff7d8bad057e4bf996635d76ab41ae25ca8a3f90196caeb241446
  • 153794e424eceaba48e28e7f3333ab0c9c7addeda1c5de7835b191f5f25e4e34
  • 16bb6ff97999b838a40b66146ff4c39b9c95906f062c6fe1e3077e6e30171a4d
  • 171b1553b692008361391c306dc58dafbad62edfd74e3e74ff2394061b068737
  • 1749df47cf37c09a92b6a56b64b136f15ec59c4f55ec835b1e569c88e1c6e684
  • 1798e3fa950a2d13556ecb4e5c8da24207d61a562194e2c4a4dec886b9705a13
  • 17c0050d1e417d3e5118ddbb11f0c09f91b60f2714f950a6493cc120ba9fd188
  • 180174e86b2173fa743175eca8d075a05a68010a1c6cf18d924741d9f6818ab4
  • 181aa49f5dd6565f004043e83ff02a016fa9aebd0173889081b7aa0004227064
  • 184e5cbebef4ee591351cfaa1130d57419f70eb95c6387cb8ec837bd2beb14d6
  • 193ae4da14874aa29902052d08064395afa5e4763f949e7369157d893fa08653
  • 1943c674db8757dbcc0aee72814b7ef19a709ef7d4afff5dc9e7390359768ad8
  • 1956bed482d44a3accb289aad1a2714112029b5a1220c48b3e748f0c15fc6ff5
  • 198ff17259ad377fae62ca49daaed0d9313831d5a12b16a79dd54045eb6909b8
  • 19e9e0682d080d5f18d6c90096e531c1c85bd56436986361d29c21ed78f92738
  • 1a1c154c7921ddeb488fa2e2d456fffe7c5091aa622dabac8814382e3bf56fe1
  • 1aaa01b528d2976fffd688729ee7012ad0828360a54f5ca70ec2f829f53bac2b
  • 1ade5ab177524fd739c872fe3067559457b0929548ab9fce326464407d2fbd28
  • 1b89a65a0ae4cdf3c49b96fa7c12bde75dbc61b7ea48843ae95d9e5fe64152c5
  • 1bbbe1dd88dd9159d7fb3fce70ce7625e160dcbd04222eaec5aad077c252568e
  • 1c1b229b5764897cbb4adb25c551a7b1d8afea4e9142b452f77bad7d0ad16f23
  • 1d4dadae0c696fde2fef99eb99188509dc0d5fbac7ee07d4f0d5a92dcc922ad7
  • 1da0e30b4b2ad2626a3f069f0f50f81d29b789d41385db26d7c84da3af02cd1c
  • 1e46c88420c657c685786bee88f606d494f3d50bcbc616b0f64d2886edd572f2
  • 1e62b7dcb503f47a6330c4dcfc49ea9d921b7d2f8c508769d27df04e61b9471d
  • 1ea1d2915484b4a8008a0f2fd4669cc7b97fc50d982db5c54006c4069865a0ea
  • 1ed6ee09296c7ba6c161ca44fe0af491f7b3cc7a6e042319f8e780417d852547
  • 201eca94a9e8023d021a2b4a1517c4e46cd01e3be323bc46660c1c6f42aa6abf
  • 2085fca368af15a1bd54f7809dfee7cdd4d73df7af88fa53fe5341f0523ca7ea
  • 20fcff9826373d50abe813d3cb0272bf7b65617196cd4ac8d4646b8fd3256bea
  • 21e916651f836d6d782239d245b15317ffb888e6a36ec92f21c25ab3d2df1584
  • 228d1c80a92641c6ba9c9d1e68146e9bb66f02605135c2603db3ace692cc05f2
  • 22f4a9680887f7bb3662c19372cbd2bae481e221e7da33ea85e12fe18b707434
  • 2345a56d61e052af3265ee0fae47b22f1551ede4eee45bca30ad5fb9fac7a922
  • 23b49eacd0218fecf057b306921c8fd55daa4bd4f2cd6a22532e19d44430daef
  • 23ea5a7cf7aa211fe84d9fd87627c5714c8478f4089d5adf9054f12f2f68c8c5
  • 24b52403ff652416c84afed7e12ece11dc59b07f7dba5f007e117a4cfc67c1ab
  • 2510aa8736c5462e8784f1cf494716bb923f97645899c73c56ead1ff58b35499
  • 2642e3ade0536a9454ae363740ca80fdd81695c9b0996bad1f00bbac9ed89f84
  • 269c03e205c403ab8fa1033caa1c8e3a86a1495cc33a7f3a3a3c9b8a9ea77490
  • 271e29fe8e23901184377ab5d0d12b40d485f8c404aef0bdcc4a4148ccbb1a1a
  • 2782265ddd3a0d94d4f2622366b3401002dcfe1a9b99b7cbf6d5e824ff14d728
  • 280a13f81f18f32d60efe7b887016c667eb19afb283efe62c907edddbfd89d7b
  • 286bd20f3ea944703c8c87e66708d6b32046a640863afba7f3c4c72dc28d37d1
  • 28832cd0d62fa39d634d2a62644e5c564a5b632498bdcc53c8fdf096fce7461f
  • 29f92c93e5e54940bf33fd819f54df39870eb154d25c5c1ec37234026beb0a87
  • 2a0fe07f25726078ea8731f21834f762383d8c93170d9d9dee03ab743e50d5c4
  • 2a4e54d291f625621ea79ba493193ccb540e780eb3549e875ff9592ae56b2e6e
  • 2a7ab147d9e7c7f5349f5f929a2f955fb03b376d29d02d5a41d5e6da31d7cdcf
  • 2a7e456d2700ba13af48efdcf1f699bf51b6901a3ba5c80c009aaaca86235e5d
  • 2a86583caf1e0821964a917e01370a214e845d91a299101ae265e943ca3e8a36
  • 2b55c97acccf63c35af4e9fecdb45bf4b036962407bbafdf97850d12ac1829b9
  • 2bbf54c841d544756afd8e82b766479a2a416769222ba151c757c7291357e858
  • 2be931f008a9ea62aa35091eb9a5629824e81499ce7a5219101ccd39a02ecdec
  • 2c02840073dd1c94028166d76b0cacc7d5e3f628df7f23da344ddee278002e16
  • 2c5934db000a2838d42cf705453e29d16f4d4bb462fa65e134ce78b4266cefee
  • 2db13b0cdede04b1b050744114e6c849e5e527b37bcd22984b265dff874dd411
  • 2e30ded72e25e5e9cc5a3bed475c510a60f62415ba028c1256972c0054ecfc25
  • 2e441f53eae0b3084b1911af40cc03f83cc3d0141baffebf00a82f677bd63682
  • 2e4aa7777ba449071b90c0c13b803ddf6c6f10576eb9806acde6c3d1391db463
  • 2e84de3408283423ed58764139eed4dd7e343115b943b58a46e2dc25ca2ef3c8
  • 2f2277898f34a91a365f1a090d72678768c5e420c8350f340cc4b4602cd8a710
  • 2f44a3fe5ad32b261a4df56c281b42ad7fbf9303713af9b26bbaeb894d246136
  • 2f7aa05b16d870d34feb1faa62bbfb9c5cffd4a52ea094c66657887b7c7046d4
  • 300de8919f8cb6bf0e428389a8a67d8021457a7e8e3afe618e6f859e57df9d54
  • 30342a16d372ac11489c8b005a194213538942a86a38db0a5058505c4e769275

Remediation

  • Block all of the listed hashes at your respective controls (endpoint protection, mail and web gateways, proxy) and search historical telemetry for them; since PlugX is delivered inside ZIP archives, inspect archive contents rather than only the archive itself.
  • Always be suspicious of emails sent by unknown senders.
  • Never open links or attachments sent by unknown senders, in particular ZIP archives containing an executable alongside a DLL, the shape of a DLL side-loading package.
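The script below is an added example (not Rewterz or Unit 42 code) showing how to apply the hash list above to a suspicious ZIP attachment. It checks the “PK” magic bytes mentioned in the summary, hashes every archive member with MD5, SHA1 and SHA256 so the mixed-length IOC list matches whichever algorithm each entry uses, and flags any EXE/DLL pair sitting in the same folder as a possible DLL side-loading package. The sample archive, the DLL bytes and the third IOC line are constructed for the demonstration; the first two IOC lines are copied from the list above.

```python
"""Triage a ZIP attachment against advisory hash IOCs.

Added example, not Rewterz/Unit 42 code. The archive is built in memory so
the script runs offline; feed it the bytes of a real attachment instead.
"""
import hashlib
import io
import os
import zipfile

# A ZIP's first local file header starts with "PK\x03\x04"; this is the "PK"
# behind the PKPLUG name. Empty archives start with "PK\x05\x06" instead.
ZIP_MAGIC = b"PK\x03\x04"

# Advisory hash lists mix algorithms; the hex digest length tells them apart.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed stand-in for a malicious DLL (not real PKPLUG bytes).
SAMPLE_DLL_BYTES = b"MZ" + b"constructed-side-loaded-dll-stand-in"
SAMPLE_DLL_SHA256 = hashlib.sha256(SAMPLE_DLL_BYTES).hexdigest()

# First two lines copied from the advisory; the third is the constructed DLL hash.
IOC_LINES = [
    "• 000473f7168ebda3de054a126352af81b61dd0be462ae9b3c7ccc0bc5cea7986",
    "• 0011fb4f42ee9d68c0f2dc62562f53e0",
    "• " + SAMPLE_DLL_SHA256,
]


def load_iocs(lines):
    """Parse '• <hex>' or bare hex lines into {algo: set(lowercase hex)}."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set()}
    for line in lines:
        h = line.strip().lstrip("•").strip().lower()
        algo = _ALGO_BY_LEN.get(len(h))
        if algo and all(c in "0123456789abcdef" for c in h):
            iocs[algo].add(h)
    return iocs


def is_zip(data):
    """Magic-byte check on the first local file header."""
    return data[:4] == ZIP_MAGIC


def hash_member(data):
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def triage_zip(data, iocs):
    """Return (hash_hits, sideload_pairs) for archive bytes `data`.

    hash_hits: [(member, algo, hex)] for members matching an IOC.
    sideload_pairs: [(exe, dll)] for every EXE/DLL pair in the same folder,
    a heuristic for a DLL side-loading package, not a verdict.
    """
    if not is_zip(data):
        return [], []
    hits, names = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            names.append(info.filename)
            for algo, hx in hash_member(zf.read(info)).items():
                if hx in iocs[algo]:
                    hits.append((info.filename, algo, hx))
    by_dir = {}
    for name in names:
        folder, base = os.path.split(name.lower())
        grp = by_dir.setdefault(folder, {"exe": [], "dll": []})
        if base.endswith(".exe"):
            grp["exe"].append(name)
        elif base.endswith(".dll"):
            grp["dll"].append(name)
    pairs = [(e, d) for g in by_dir.values() for e in g["exe"] for d in g["dll"]]
    return hits, pairs


def build_sample_zip():
    """Constructed sample shaped like a side-loading package: loader EXE + DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("update/setup.exe", b"MZ" + b"\x00" * 64)   # stand-in for a signed loader
        zf.writestr("update/version.dll", SAMPLE_DLL_BYTES)      # stand-in for the malicious DLL
        zf.writestr("update/readme.txt", b"constructed test data\n")
    return buf.getvalue()


if __name__ == "__main__":
    hits, pairs = triage_zip(build_sample_zip(), load_iocs(IOC_LINES))
    for member, algo, hx in hits:
        print(f"IOC hit: {member} {algo}={hx}")
    for exe, dll in pairs:
        print(f"possible side-loading pair: {exe} + {dll}")
```

The magic-byte check deliberately rejects archives with a prepended stub (self-extracting executables), which `zipfile.is_zipfile` would accept; treat those as executables, not archives. Hash matching only catches the exact samples listed, so the EXE/DLL pairing heuristic is there to surface the delivery pattern when the payload has been recompiled.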
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.