Exactly a month ago PKPLUG was reported to be attacking targets in Asia. Fresh indicators of compromise have since been recovered, suggesting the campaign is still ongoing. The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package: the ZIP file format begins with the ASCII magic bytes “PK” in its header, hence PKPLUG. The additional payloads include HenBox, an Android app, and Farseer, a Windows backdoor. The attackers also use the 9002 Trojan, which is believed to be shared among a small subset of attack groups. Other publicly available malware seen in relation to PKPLUG activity includes Poison Ivy and Zupdax. The goal of this threat actor appears to be installing backdoor Trojan implants on victim systems, including mobile devices; tracking victims and gathering information is therefore a key objective. The activity has been linked to Chinese nation-state adversaries.
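As an added, defender-side example (not code from the original report), the following Python triage helper walks a ZIP archive's local file headers by their `PK\x03\x04` signature and flags archives that carry an executable alongside a DLL, the shape of a side-loading package; the file names and archive contents are constructed for illustration.

```python
import io
import struct
import zipfile

# PKPLUG is named for the ASCII "PK" that opens every ZIP local file header.
LOCAL_HEADER_MAGIC = b"PK\x03\x04"
# sig, version, flags, method, mtime, mdate, crc32, comp_size, uncomp_size,
# name_len, extra_len  (30 bytes, little-endian)
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)


def zip_entry_names(data: bytes) -> list:
    """Walk the local file headers in raw ZIP bytes and return entry names."""
    names, pos = [], 0
    while data[pos:pos + 4] == LOCAL_HEADER_MAGIC:
        fields = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        flags, comp_size = fields[2], fields[7]
        name_len, extra_len = fields[9], fields[10]
        if flags & 0x0008:
            # Bit 3: sizes live in a trailing data descriptor, which this
            # minimal walker does not follow; fail loudly rather than guess.
            raise ValueError("streamed entry with data descriptor; use zipfile")
        start = pos + LOCAL_HEADER_LEN
        names.append(data[start:start + name_len].decode("utf-8", "replace"))
        pos = start + name_len + extra_len + comp_size
    return names


def triage_archive(data: bytes) -> dict:
    """Flag an archive that ships an EXE beside a DLL (side-loading shape)."""
    names = zip_entry_names(data)
    exes = [n for n in names if n.lower().endswith(".exe")]
    dlls = [n for n in names if n.lower().endswith(".dll")]
    return {"exes": exes, "dlls": dlls, "suspicious": bool(exes and dlls)}


def build_sample_archive() -> bytes:
    """Constructed sample: an EXE, a DLL and an opaque blob in one archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("viewer.exe", b"MZ" + b"\x00" * 62)  # placeholder bytes
        zf.writestr("helper.dll", b"MZ" + b"\x00" * 62)  # placeholder bytes
        zf.writestr("config.dat", b"\xde\xad\xbe\xef")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

An EXE/DLL pair in one archive is only a triage signal, not a verdict; confirm by checking whether the DLL's name matches one the executable actually imports.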
The attackers may also be exploiting CVE-2012-0158, which allows remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers “system state” corruption, as exploited in the wild in April 2012, also known as the “MSCOMCTL.OCX RCE Vulnerability.”