Rewterz Threat Alert – Crosswalk Malware – IOC’s
October 7, 2019
Severity
High
Analysis Summary
A set of cyber espionage attack campaigns across Asia used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks. The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic bytes “PK” in its header, hence PKPLUG.
While tracking these attackers, Unit 42 discovered additional, mostly custom malware families being used by PKPLUG beyond PlugX. The additional payloads include HenBox, an Android app, and Farseer, a Windows backdoor. The attackers also use the 9002 Trojan, which is believed to be shared among a small subset of attack groups. Other publicly available malware seen in relation to PKPLUG activity includes Poison Ivy and Zupdax.
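The delivery tactic described above (a ZIP archive carrying a DLL side-loading package) lends itself to a triage check on inbound archives. The following Python is an added example, not code from Rewterz or Unit 42; the function names, the sample member names and the rule "an .exe and a .dll in the same archive directory" are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

def build_sample_zip(names):
    """Constructed sample input: in-memory ZIP whose members hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

def triage_archive(data):
    """Report whether a blob starts with the ZIP "PK" magic, whether it parses,
    and which archive directories hold an .exe next to a .dll."""
    report = {"pk_magic": data[:2] == b"PK", "parsed": False, "sideload_dirs": []}
    if not report["pk_magic"]:
        return report
    suffixes_by_dir = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Normalise separators and case, as Windows treats both loosely.
                path = PurePosixPath(info.filename.replace("\\", "/").lower())
                suffixes_by_dir.setdefault(str(path.parent), set()).add(path.suffix)
    except zipfile.BadZipFile:
        return report  # magic present but no valid central directory
    report["parsed"] = True
    # Assumed heuristic: an executable and a DLL side by side is the package
    # shape worth a closer look; plenty of legitimate software matches it too.
    report["sideload_dirs"] = sorted(
        d for d, s in suffixes_by_dir.items() if {".exe", ".dll"} <= s
    )
    return report

if __name__ == "__main__":
    # Member names below are constructed for the demonstration.
    sample = build_sample_zip(
        ["pkg/Viewer.exe", "pkg/helper.DLL", "pkg/data.bin", "readme.txt"]
    )
    print(triage_archive(sample))
```

A hit marks an archive for analyst review rather than a verdict, since many legitimate installers ship an executable alongside its DLLs.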
Impact
Exposure of sensitive information
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.