Report: 'PKPLUG' Espionage Campaign Targets Southeast AsiaUnit 42 Researchers Describe Malware Attacks That May Have Ties to China
Threat actors that may have connections to China have been using a variety of malware in a series of information-gathering espionage campaigns across Southeast Asia since at least 2013, according to researchers at Palo Alto Networks' Unit 42 division.
See Also: Threat Briefing: Ransomware
Unit 42 Security researchers were able to pull together information they gathered over the past three years on several campaigns in the region with data from other cybersecurity vendors to create a picture of at least one group – that they label as "PKPLUG" - using malware to compromise mobile devices and others, according to a new Unit 42 report.
The researchers say they’re unsure of the group’s motives, although the use of backdoor Trojan implants indicates the bad actors want to track victims and gather information. Many of the Southeast Asian countries and regions targeted in the campaigns – including Myanmar, Taiwan, Vietnam, Idonesia, Mongolia, Tibet and Xinjiang - have tense relationships with China, which may explain why they are in the crosshairs of PKPLUG.
Along with the targeting, some of the malware used, and ties to infrastructure that has previously been linked to a Chinese group, has led Unit 42 researchers to concluded that PKPLUG may have ties to the China.
"At this stage, it's nearly impossible to speculate on whether geopolitics is playing a significant role in the campaigns," Alex Hinchliffe, threat intelligence analyst with Unit 42, tells Information Security Media Group. "But given the capabilities of the malware used, it's certainly espionage-motivated, which includes gathering information. We do not have visibility into what information has been gathered by the adversary, but in the case of the HenBox Android malware [used in some of the campaigns], we could understand the messaging apps targeted and the types of contact and message information that would have been gathered."
Tracking the Adversary
Unit 42, using its own research of the campaigns and that of others, including Blue Coat Labs and Arbor Networks, has been able to track the set of PKPLUG intrusion techniques back to at least 2013.
The researchers are unsure whether all this is the work of one group or several groups that use the same tools and the same goals. They write that the PKPLUG name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes "PK" in its header, hence "PKPLUG."
Unit 42 found that the attackers also were using mostly custom malware families beyond PlugX, including an Android app called HenBox and a Windows backdoor called Farseer. They also use the 9002 Trojan, which the researchers say is shared by a small subset of attack groups.
Publicly available malware used in PKPLUG campaigns include Poison Ivy and Zupdax, the research report notes.
In 2013, Blue Coat Labs researchers noted the use of PlugX in attacks in Mongolia, with a dynamic-link library side-loading technique used to launch the malicious payload through legitimate applications. The bad actors also used a malicious Word document saved as a Single File Web Page format to exploit a vulnerability known as CVE-2012-0158 and push the side-loading package and PlugX payload into the system.
Three years later, an Arbor Networks report indicated the use of the Poison Ivy malware in Myanmar and other Asian countries, with phishing emails using topics related to the Association of Southeast Asian Nations in weaponized documents to deliver the malware. Dynamic-link library side-loading also was used to install Poison Ivy.
In previous reports, Unit 42 described attacks using the 9002 Trojan that were delivered via Google Drive, with a spear-phishing email used to download a ZIP filed hosted on Google Drive. The ZIP file included a DLL side-loading package to load the 9002 payload. Unit 42 also last year discover the HenBox Android malware and found more than 400 related samples dating back to 2015. HenBox looks like legitimate Android apps and targets primarily the Chinese minority ethnic group Uyghurs that lives in Xinjiang. The malware also targets devices made by Xiaomi, a Chinese company.
"Smartphones are the dominant form of internet access in the region, and hence make good targets for such malware," the previous Unit 42 report said. "Once installed, HenBox steals information from a myriad of sources on the device including harvesting outgoing phone calls to numbers with an '+86' prefix - the country code for [China] - and accessing the device microphone and cameras."
A Hong Kong-based cybersecurity company called VKRL in 2017 found that attacks were using spear-phishing emails that had URLs using GeoCities Japan to deliver malware.
"The long history and series of custom tools certainly implies a persistent, well-resourced group," Unit 42’s Hinchliffe says. "Some malware seems ubiquitous when it's believed to relate to Chinese actors, including PlugX, Poison Ivy and others. This group seems to have created and used a custom Android malware - HenBox - we've not seen used elsewhere in our own data or published by other vendors. This may indicate their targets require unique attention based on prevalent operating systems used or that they need that capability generally. There could be a longer-term play here, or this is their sole objective. Either way, they show patience in what they work toward."
The nations and regions targeted by the PKPLUG campaigns all have complex relationships with China, which may explain some of the motivation behind the attacks, according to Unit 42.
Indonesia, Myanmar and Vietnam are members of the regional intergovernmental group Association of Southeast Asian Nations. Tibet and Xinjiang are autonomous regions of China that are mostly populated by ethnic minorities. And most of the countries targeted are involved with the Chinese government’s Belt and Road Initiative, a project aimed at connecting 71 Southeast Asian countries to Eastern Europe and Africa, the report notes.
Many of the nation’s targeted by PKPLUG also have disputes with China over fishing quotas, oil and gas reserves and South China Sea issues, the researchers point out. And Taiwan has had decades-long disputes with China.
"Knowing that the Chinese government likes to maintain control, it's entirely possible that this is an information-gathering operation solely to obtain leverage over neighboring regions and use that for future situations - be it economic or otherwise. But some of these campaigns could also have been executed to gain further access to networks and increase the adversary's foothold," Hinchliffe says.
In June and August, the group expanded its reach to Mongolia, and Unit 42 has seen the group use lure and social engineering techniques that could be targeting Vietnam and Pakistan.
"Pakistan was not on our target list for this group, but given the recent political events involving Kashmir [a disputed region between Pakistan and India] – which borders China - together with their involvement in the BRI, it's highly likely they would be another target," Hinchliffe says. "Given what we know about hackers backed by China and how they target a multitude of industries, it wouldn't be a surprise for this group or groups to expand beyond Asia down the line."