PKPLUG: Researchers at the Palo Alto Unit 42 group have released what they are calling a playbook on the group PKPLUG, dating attacks back almost six years. It is still not known if the suspected Chinese-backed PKPLUG is a single threat actor or several groups sharing the same tactics, techniques, and procedures (TTPs). Nonetheless, PKPLUG is known for using malware and other known programs to create backdoors into their victims’ mobile devices and computers. The group is known to use the PlugX remote access trojan (RAT), Android malware called HenBox, the 9002 RAT, Poison Ivy RAT, Zupax backdoor, and most recently a Windows backdoor called Farseer. The main targets for these attacks include people in Myanmar, Vietnam, Indonesia, Taiwan, Tibet, all the Mongolian countries, Xinjiang, and other provinces in southeast Asia that are of interest to the Government of China.
Analyst Notes
Though tracking the victims may not be the main goal of PKPLUG, installing backdoors on devices, especially mobile devices, makes it highly likely that they are trying to track their victims. Every campaign that was seen between November 2013 and now contain several commonalities, which is what lead Unit 42 to believe that this was all the work of the same group, or that China is backing multiple groups to carry out the mission.
