Rewterz Threat Alert – PKPLUG: Chinese Cyber Espionage Group Attacking Asia

November 7, 2019

Severity

Medium

Analysis Summary

Exactly a month ago PKPLUG was reported to be attacking targets in Asia. Fresher indicators of compromise have since been retrieved, suggesting that the campaign is still ongoing. The name comes from the group's tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package; the ZIP file format carries the ASCII magic bytes "PK" at the start of its header, hence PKPLUG. Additional payloads include HenBox, an Android app, and Farseer, a Windows backdoor. The attackers also use the 9002 Trojan, which is believed to be shared among a small subset of attack groups. Other publicly available malware seen in relation to PKPLUG activity includes Poison Ivy and Zupdax. The goal of this threat actor appears to be installing backdoor Trojan implants on victim systems, including mobile devices, so tracking victims and gathering information is a key objective. The group is assessed to be linked to Chinese nation-state adversaries.

The attackers may also be exploiting CVE-2012-0158, which allows remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

Impact

  • Information Theft
  • Device Tracking

Indicators of Compromise

Domain Name

  • yahoomesseges[.]com
  • microsoftdefence[.]com
  • cdncool[.]com
  • outhmail[.]com
  • uyghurapps[.]net
  • tcpdo[.]net
  • microsoftwarer[.]com
  • logitechwkgame[.]com
  • update.queryurl[.]com
  • ppt.bodologetee[.]com
  • webserver.servehttp[.]com

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download or execute attachments from untrusted emails.
  • Keep all systems and software updated to the latest patched versions.
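Blocking the indicators above at "their respective controls" first requires turning the defanged list into a form that can be matched against DNS or proxy logs, including lookups for subdomains of a listed domain. The following is an added example and not part of the Rewterz advisory: it refangs the published domains, matches each queried name exactly or by parent domain, and scans a constructed sample of DNS resolver log lines. The log format (`ts src=... qtype=... query=...`), the client IPs and the non-indicator names in the sample are all assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# IoC domains exactly as published in the advisory (defanged with "[.]").
ADVISORY_DOMAINS = [
    "yahoomesseges[.]com",
    "microsoftdefence[.]com",
    "cdncool[.]com",
    "outhmail[.]com",
    "uyghurapps[.]net",
    "tcpdo[.]net",
    "microsoftwarer[.]com",
    "logitechwkgame[.]com",
    "update.queryurl[.]com",
    "ppt.bodologetee[.]com",
    "webserver.servehttp[.]com",
]


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared with live log data."""
    name = indicator.replace("[.]", ".").replace("(.)", ".")
    return name.strip().lower().rstrip(".")


def build_watchlist(defanged: Iterable[str]) -> frozenset:
    """Normalised set of indicator domains for O(1) lookups."""
    return frozenset(refang(d) for d in defanged)


def matches_watchlist(fqdn: str, watchlist: frozenset) -> Optional[str]:
    """Return the watchlist entry covering fqdn (exact or parent domain), else None.

    Walks from the full name towards the registrable domain, so
    mail.cdncool.com matches cdncool.com, but the bare public suffix
    (e.g. "com") is never tested and servehttp.com does not match the
    more specific indicator webserver.servehttp.com.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


# Constructed sample resolver log (assumed format); not real telemetry.
SAMPLE_DNS_LOG = """\
2019-11-07T09:12:01Z src=10.20.1.15 qtype=A query=www.example.com
2019-11-07T09:12:07Z src=10.20.1.15 qtype=A query=update.queryurl.com
2019-11-07T09:12:44Z src=10.20.3.8 qtype=A query=mail.cdncool.com.
2019-11-07T09:13:02Z src=10.20.3.8 qtype=A query=servehttp.com
2019-11-07T09:13:30Z src=10.20.4.2 qtype=AAAA query=Microsoftdefence.COM
malformed line without fields
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+qtype=(?P<qtype>\S+)\s+query=(?P<query>\S+)\s*$"
)


def scan_dns_log(lines: Iterable[str], watchlist: frozenset) -> List[Dict[str, str]]:
    """Return one hit record per log line whose queried name is on the watchlist."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        indicator = matches_watchlist(m["query"], watchlist)
        if indicator:
            hits.append({
                "ts": m["ts"],
                "src": m["src"],
                "query": m["query"].lower().rstrip("."),
                "indicator": indicator,
            })
    return hits


if __name__ == "__main__":
    wl = build_watchlist(ADVISORY_DOMAINS)
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines(), wl):
        print(f'{hit["ts"]} {hit["src"]} queried {hit["query"]} (indicator: {hit["indicator"]})')
```

Matching on parent domains catches resolutions of arbitrary subdomains under a listed domain, while never reducing an indicator to its public suffix, so the dynamic DNS provider behind webserver.servehttp.com is not flagged on its own.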
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.