Multiple cyber-espionage campaigns that remained unattributed over the years have now been linked to a single threat actor that researchers named PKPLUG, attacking targets across Asia.

The adversary has been active for at least six years and relies on an assortment of custom-made and publicly available malware. Some of the tools used were observed in campaigns from other attack groups.

Researchers at Palo Alto Networks' Unit 42 saw the adversary deliver the PlugX backdoor as well as the HenBox Android malware, the Farseer backdoor for Windows, the 9002 and Zupdax trojans, and the Poison Ivy remote access tool.

Scattered campaigns

The name PKPLUG comes from the actor using PlugX inside ZIP archives, which are identifiable by the ASCII magic bytes "PK" in the header.

The researchers determined that PKPLUG was responsible for a campaign in November 2013, described by Blue Coat Labs (since acquired by Symantec), that targeted Mongolian individuals with PlugX.

Three years later, Arbor Networks reported Poison Ivy being used in an attack against targets in Myanmar and other countries in Asia, which Unit 42 now attributes to PKPLUG.

Starting in 2016, Unit 42 researchers found additional campaigns from the same group aimed at individuals from Myanmar, the Uyghur minority, Tibet, Vietnam, Indonesia, and Taiwan.

PKPLUG documented attacks

Infrastructure overlap

The researchers found infrastructure overlaps for the different campaigns as well as between the malware families used by the adversary.

PKPLUG reused domain names and IP addresses, and program runtime behaviors or static code characteristics helped strengthen the connections.

The tracks the attacker left behind are clear. In at least four of the six apparently unrelated campaigns documented by multiple security outfits, a shared set of IP addresses was used for malware communication with the command and control (C2) servers.

Furthermore, the same registrant is listed for various domain names hosted at those addresses. A simplified diagram shows these connections, although the overlap goes well beyond what is shown.
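The pivoting described above, shared C2 addresses and a common domain registrant, can be reproduced as a clustering step. The following is an added example, not Unit 42's code or data: the campaign names, IP addresses, domains and registrant are all constructed placeholders, and the result shows how four of six campaigns fall into one cluster through shared C2 addresses while two more link only through a registrant.

```python
from collections import defaultdict

# Constructed sample data (placeholders, not real PKPLUG indicators):
# campaign name -> C2 IPs seen in its malware, and domain -> registrant.
CAMPAIGN_C2 = {
    "mongolia_2013": {"203.0.113.10", "203.0.113.11"},
    "myanmar_2016": {"203.0.113.11", "198.51.100.5"},
    "tibet_2017": {"198.51.100.5"},
    "vietnam_2018": {"192.0.2.77"},
    "uyghur_2018": {"203.0.113.10"},
    "taiwan_2019": {"192.0.2.78"},
}
CAMPAIGN_DOMAINS = {
    "vietnam_2018": {"update-news.example"},
    "taiwan_2019": {"cdn-sync.example"},
}
DOMAIN_REGISTRANT = {
    "update-news.example": "registrant-a@example.net",
    "cdn-sync.example": "registrant-a@example.net",
}

def cluster_campaigns(c2, domains, registrants):
    """Group campaigns that share a C2 IP or whose domains share a registrant.
    Returns a sorted list of sorted campaign-name lists, one per cluster."""
    parent = {name: name for name in c2}  # union-find over campaign names
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    def union(a, b):
        parent[find(a)] = find(b)
    # Pivot 1: campaigns whose malware talked to the same C2 address.
    by_ip = defaultdict(list)
    for name, ips in c2.items():
        for ip in ips:
            by_ip[ip].append(name)
    # Pivot 2: campaigns whose domains were registered by the same registrant.
    by_reg = defaultdict(list)
    for name, doms in domains.items():
        for d in doms:
            by_reg[registrants[d]].append(name)
    for group in list(by_ip.values()) + list(by_reg.values()):
        for other in group[1:]:
            union(group[0], other)
    clusters = defaultdict(list)
    for name in c2:
        clusters[find(name)].append(name)
    return sorted(sorted(c) for c in clusters.values())
```

A cluster only shows that campaigns share infrastructure; as the researchers note, that is consistent with one group or with several groups sharing tooling, so the behavioral and static code overlaps are needed to strengthen the link.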

While Unit 42 was able to link the campaigns to a single actor, the researchers are not sure whether they are the work of one threat actor group or of several that share the same tools of the trade.

Based on the type of malware used, the objective of these cyber operations seems to be tracking victims and collecting information from them.

The researchers believe with a high degree of confidence that PKPLUG is connected to Chinese nation-state adversaries, a conclusion inferred from the type of targets, the operational area, and the content of some malware samples.