Rewterz Threat Alert – PKPLUG Attacking Asia

Severity

High

Analysis Summary

A set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks. The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes “PK” in its header, hence PKPLUG.

While tracking these attackers, Unit 42 discovered additional, mostly custom malware families being used by PKPLUG beyond that of just PlugX. The additional payloads include HenBox, an Android app, and Farseer, a Windows backdoor. The attackers also use the 9002 Trojan, which is believed to be shared among a small subset of attack groups. Other publicly available malware seen in relation to PKPLUG activity includes Poison Ivy and Zupdax.

Impact

Exposure of sensitive information

Indicators of Compromise

Malware Hash (MD5/SHA1/SH256)

• 000473f7168ebda3de054a126352af81b61dd0be462ae9b3c7ccc0bc5cea7986
• 0011fb4f42ee9d68c0f2dc62562f53e0
• 00c89e5e5c1e6c129bf7f0b489af2439902014427e3342e7ef2fab0f4fe64361
• 011509bb9cde31c0b45c49747ff150abcfa66d283ff986f167bf564bacfded4d
• 0306585900f1b1bddc76149352f90962c365959e44a486ba3547c80d12d56e41
• 0387baebb2b0c678e46e7291325e91118c53a3206d73c1145c082b10cf6a65f1
• 04750f949332191f1004992b195e67fa975f2450406b965d8a5bb83a4341b9ac
• 0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7
• 05bec24bbf9381a30d57bf0efae3d6853d009dbd97337eb4196c9b60fb72e707
• 077239b3bedaa850b82204fdd42e5e45fedc3dfc2f6da5aab04d768370e990fa
• 07994c9f2eeeede199dd6b4e760fce371f03f3cc4307e6551c18d2fbd024a24f
• 082f23772081b276adf57d29e0c4c008cc2373a55b7e4a077f05c1a8471cda22
• 085f92b8769d1d01ac5be730a9eccd2ed236d6f0dabe6b9c6aceef32499cdfe4
• 08dee1f5ced372716ad5c6e3f2041bcdeb25e905efc19d3749fe637d0a589ccc
• 0940602e7d47941f36c975afa9d2c6b1b0d2bd15bbea6ad4baf0f828420d72bf
• 097fdb6135b7460d0b8f96cf385497364ffc8206ed246053f7d0a9c7fb7cba7a
• 0a4f38a83abbbab3a039be95862df7848f28513baa1da52a74a9e6a31f63c9b7
• 0a66c510ee0599f6481dcd2f816442a25eddf200ded7235e90c019e441678057
• 0a85fe28230b4bab575ec02619b2992fe1b1235b582b42d15a773032f6bb7ef0
• 0af768b4ba8fe7aac7a7da7fd5f21e7496d5617dccdf2321f526fd1091d64a6d
• 0bfbbca56718b5bae7e21613a9884ea80db53aa1eca9cacf5a793e52f6a724e7
• 0c7e35ca1312204063319a3455ec14bc4b701de205503e63de584f28d99f0291
• 0d54a5dbda9f6f080d6211e0c73cef9dc4d996b3ca7d8352b06b07dc1a0080ef
• 0d5cb7b22c72250e8748ecefa668ae8e12369d9c98c556fa4bf138883611fe32
• 0e31575bf0001d818d87aa134e728f62e7f2d27ff9437897303eb8ae1962a865
• 0efaf91842a7e45562e97bda369efa6e14f98bf9d63782ec9c323fa246da549a
• 0fa384198ae9550e008e97fa38e8a56c4398fc91e12eddba713966bfed107130
• 10a37ed1d8aff44625f9782bae81aa75cc8293ae28098c954e5695bec24600c6
• 10bd4507eb12bebc17e216e16950bf77e56c2aad01be7033bf0d5c235f2ad6e5
• 11b1134e9e690ca0bff578167b451a25b07263dc16a172e923fe3152e50094e9
• 12759f7fd01ffdea97954be5404d7e43a3941a7388129e7b6ace85f56b500cd8
• 13315a9303a8c46b7b81b5d2a87b24dbb5b72fcd38beac2ef87275df9cc9e378
• 14b9b09f4f193e378cf9616e211ab7031b4e1e6f626971902577f4f2d5df226a
• 14bc9f588c2094c96ca92a44fdbabdec00cff2652a5a72c7c8b6f01c6724e76f
• 14f715228acff7d8bad057e4bf996635d76ab41ae25ca8a3f90196caeb241446
• 153794e424eceaba48e28e7f3333ab0c9c7addeda1c5de7835b191f5f25e4e34
• 16bb6ff97999b838a40b66146ff4c39b9c95906f062c6fe1e3077e6e30171a4d
• 171b1553b692008361391c306dc58dafbad62edfd74e3e74ff2394061b068737
• 1749df47cf37c09a92b6a56b64b136f15ec59c4f55ec835b1e569c88e1c6e684
• 1798e3fa950a2d13556ecb4e5c8da24207d61a562194e2c4a4dec886b9705a13
• 17c0050d1e417d3e5118ddbb11f0c09f91b60f2714f950a6493cc120ba9fd188
• 180174e86b2173fa743175eca8d075a05a68010a1c6cf18d924741d9f6818ab4
• 181aa49f5dd6565f004043e83ff02a016fa9aebd0173889081b7aa0004227064
• 184e5cbebef4ee591351cfaa1130d57419f70eb95c6387cb8ec837bd2beb14d6
• 193ae4da14874aa29902052d08064395afa5e4763f949e7369157d893fa08653
• 1943c674db8757dbcc0aee72814b7ef19a709ef7d4afff5dc9e7390359768ad8
• 1956bed482d44a3accb289aad1a2714112029b5a1220c48b3e748f0c15fc6ff5
• 198ff17259ad377fae62ca49daaed0d9313831d5a12b16a79dd54045eb6909b8
• 19e9e0682d080d5f18d6c90096e531c1c85bd56436986361d29c21ed78f92738
• 1a1c154c7921ddeb488fa2e2d456fffe7c5091aa622dabac8814382e3bf56fe1
• 1aaa01b528d2976fffd688729ee7012ad0828360a54f5ca70ec2f829f53bac2b
• 1ade5ab177524fd739c872fe3067559457b0929548ab9fce326464407d2fbd28
• 1b89a65a0ae4cdf3c49b96fa7c12bde75dbc61b7ea48843ae95d9e5fe64152c5
• 1bbbe1dd88dd9159d7fb3fce70ce7625e160dcbd04222eaec5aad077c252568e
• 1c1b229b5764897cbb4adb25c551a7b1d8afea4e9142b452f77bad7d0ad16f23
• 1d4dadae0c696fde2fef99eb99188509dc0d5fbac7ee07d4f0d5a92dcc922ad7
• 1da0e30b4b2ad2626a3f069f0f50f81d29b789d41385db26d7c84da3af02cd1c
• 1e46c88420c657c685786bee88f606d494f3d50bcbc616b0f64d2886edd572f2
• 1e62b7dcb503f47a6330c4dcfc49ea9d921b7d2f8c508769d27df04e61b9471d
• 1ea1d2915484b4a8008a0f2fd4669cc7b97fc50d982db5c54006c4069865a0ea
• 1ed6ee09296c7ba6c161ca44fe0af491f7b3cc7a6e042319f8e780417d852547
• 201eca94a9e8023d021a2b4a1517c4e46cd01e3be323bc46660c1c6f42aa6abf
• 2085fca368af15a1bd54f7809dfee7cdd4d73df7af88fa53fe5341f0523ca7ea
• 20fcff9826373d50abe813d3cb0272bf7b65617196cd4ac8d4646b8fd3256bea
• 21e916651f836d6d782239d245b15317ffb888e6a36ec92f21c25ab3d2df1584
• 228d1c80a92641c6ba9c9d1e68146e9bb66f02605135c2603db3ace692cc05f2
• 22f4a9680887f7bb3662c19372cbd2bae481e221e7da33ea85e12fe18b707434
• 2345a56d61e052af3265ee0fae47b22f1551ede4eee45bca30ad5fb9fac7a922
• 23b49eacd0218fecf057b306921c8fd55daa4bd4f2cd6a22532e19d44430daef
• 23ea5a7cf7aa211fe84d9fd87627c5714c8478f4089d5adf9054f12f2f68c8c5
• 24b52403ff652416c84afed7e12ece11dc59b07f7dba5f007e117a4cfc67c1ab
• 2510aa8736c5462e8784f1cf494716bb923f97645899c73c56ead1ff58b35499
• 2642e3ade0536a9454ae363740ca80fdd81695c9b0996bad1f00bbac9ed89f84
• 269c03e205c403ab8fa1033caa1c8e3a86a1495cc33a7f3a3a3c9b8a9ea77490
• 271e29fe8e23901184377ab5d0d12b40d485f8c404aef0bdcc4a4148ccbb1a1a
• 2782265ddd3a0d94d4f2622366b3401002dcfe1a9b99b7cbf6d5e824ff14d728
• 280a13f81f18f32d60efe7b887016c667eb19afb283efe62c907edddbfd89d7b
• 286bd20f3ea944703c8c87e66708d6b32046a640863afba7f3c4c72dc28d37d1
• 28832cd0d62fa39d634d2a62644e5c564a5b632498bdcc53c8fdf096fce7461f
• 29f92c93e5e54940bf33fd819f54df39870eb154d25c5c1ec37234026beb0a87
• 2a0fe07f25726078ea8731f21834f762383d8c93170d9d9dee03ab743e50d5c4
• 2a4e54d291f625621ea79ba493193ccb540e780eb3549e875ff9592ae56b2e6e
• 2a7ab147d9e7c7f5349f5f929a2f955fb03b376d29d02d5a41d5e6da31d7cdcf
• 2a7e456d2700ba13af48efdcf1f699bf51b6901a3ba5c80c009aaaca86235e5d
• 2a86583caf1e0821964a917e01370a214e845d91a299101ae265e943ca3e8a36
• 2b55c97acccf63c35af4e9fecdb45bf4b036962407bbafdf97850d12ac1829b9
• 2bbf54c841d544756afd8e82b766479a2a416769222ba151c757c7291357e858
• 2be931f008a9ea62aa35091eb9a5629824e81499ce7a5219101ccd39a02ecdec
• 2c02840073dd1c94028166d76b0cacc7d5e3f628df7f23da344ddee278002e16
• 2c5934db000a2838d42cf705453e29d16f4d4bb462fa65e134ce78b4266cefee
• 2db13b0cdede04b1b050744114e6c849e5e527b37bcd22984b265dff874dd411
• 2e30ded72e25e5e9cc5a3bed475c510a60f62415ba028c1256972c0054ecfc25
• 2e441f53eae0b3084b1911af40cc03f83cc3d0141baffebf00a82f677bd63682
• 2e4aa7777ba449071b90c0c13b803ddf6c6f10576eb9806acde6c3d1391db463
• 2e84de3408283423ed58764139eed4dd7e343115b943b58a46e2dc25ca2ef3c8
• 2f2277898f34a91a365f1a090d72678768c5e420c8350f340cc4b4602cd8a710
• 2f44a3fe5ad32b261a4df56c281b42ad7fbf9303713af9b26bbaeb894d246136
• 2f7aa05b16d870d34feb1faa62bbfb9c5cffd4a52ea094c66657887b7c7046d4
• 300de8919f8cb6bf0e428389a8a67d8021457a7e8e3afe618e6f859e57df9d54
• 30342a16d372ac11489c8b005a194213538942a86a38db0a5058505c4e769275

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.