Chinese cyberespionage group PKPLUG uses custom and off-the-shelf tools

Security researchers have linked various attack campaigns against organizations and ethnic groups in Asia to a single threat actor they believe is likely serving China’s geopolitical interests in the region and is connected to the country’s state-sponsored cyberespionage apparatus. Researchers from security firm Palo Alto Networks have been tracking attack campaigns launched by a group, or several closely connected groups, they’ve dubbed PKPLUG for the past three years. They’ve found links to older attack campaigns reported independently by other companies over the past six years. According to them, this is the first time all these attacks have been tied together under a single threat actor.

“We believe victims lay mainly in and around the Southeast Asia region, particularly Myanmar, Taiwan Vietnam, and Indonesia, and likely also in various other areas in Asia, such as Tibet, Xinjiang, and Mongolia,” the researchers said in a new report released today. “Based on targeting, content in some of the malware and ties to infrastructure previously documented publicly as being linked to Chinese nation-state adversaries, Unit 42 believes with high confidence that PKPLUG has similar origins.”

PKPLUG uses a mixed bag of tools and techniques

What makes this group stand apart is its use of both off-the-shelf and custom-made malware tools. This includes publicly available Trojan programs like PlugX — from where the group’s name is derived — and Poison Ivy. One of PKPLUG’s common tactics is to deliver the PlugX malware inside a ZIP archive that has the “PK” ASCII in its header.

The group also makes heavy use of DLL side-loading to execute its malicious payloads. This type of attack occurs when a legitimate program searches for a DLL library by name in various locations, including the current folder, and automatically loads it in memory. If attackers replace the library with a malicious one, the malware will be loaded and executed instead. This decreases the payload’s chance of being detected, since the process that performs the loading is not malicious itself.

The group favors spear-phishing emails to deliver their payloads and use social engineering to trick users into opening attachments. However, some limited use of Microsoft Office exploits has also been observed and so has the use of malicious PowerShell scripts.

In addition to PlugX and Poison Ivy, PKPLUG has also used a Trojan called 9002 that is only shared by a small subset of attack groups, as well as a custom Windows backdoor that researchers have dubbed Farseer in the past and a malicious Android Trojan called HenBox that masquerades as legitimate applications. HenBox has not been distributed through Google Play, probably because Google Play is blocked in China, so many users there use third-party stores to install apps.

HenBox is designed to steal information from devices, including communications from chat and social media apps. It has been designed to target devices made by Xiaomi and their MIUI Android-based firmware.

HenBox was observed in PKPLUG attack campaigns against Uyghurs, a Turkic ethnic group that predominantly lives in Xinjiang, an autonomous territory in northwest China. Uyghurs, along with the Tibetan minority, have been frequent targets of Chinese state-sponsored attack campaigns over the years.

Geopolitical motives suspected for PKPLUG campaigns

According to Palo Alto, most of the targets of PKPLUG’s campaigns have had historical conflicts or tensions with the Chinese government over various projects, including the Belt and Road Initiative (BRI), a large China-led infrastructure project that aims to link countries in Asia, Europe and Africa. Competing territorial claims in the South China Sea also remain a source of disputes.

“It’s not entirely clear as to the ultimate objectives of PKPLUG, but installing backdoor Trojan implants on victim systems, including mobile devices, infers tracking victims and gathering information is a key goal,” the researchers said.

Along with its report, Palo Alto Networks plans to publish what they call an Adversary Playbook, an interactive overview of the group’s campaigns, targeting and attack patterns, complete with tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs). The information is also available for download in STIX 2.0 JSON format so that other organizations can import it into their own systems.

“Establishing a clear picture and understanding about a threat group, or groups, is virtually impossible without total visibility into every one of their attack campaigns,” the researchers said. “Based on this, applying a handle or moniker to a set of related data — such as network infrastructure, malware behavior, actor TTPs relating to delivery, exfiltration, etc. — helps us to better understand what it is we’re investigating. Sharing this information — with a handle, in this case PKPLUG — especially in a structured, codified manner a la Adversary Playbooks, should allow others to contribute their vantage points and enrich said data until the understanding of a threat group becomes lucid.”

While this threat actor seems to focus heavily on targets in Southeast Asia, threats rarely stay localized to particular regions, because victims can travel to different countries and have business relationships with multinational organizations. Furthermore, there is typically significant overlap in attack toolsets between various APT groups, especially nation-state ones from the same country who share resources and knowledge.