Drawing on three years of investigatory work, researchers have assembled a detailed playbook on PKPLUG, a suspected Chinese threat actor that has targeted victims in and around Southeast Asia with an assortment of malware used for cyber espionage.

The authors of this playbook, members of Palo Alto Networks' threat research group Unit 42, were able to connect PKPLUG to attacks documented as far back as six years ago. Customized malware associated with the group includes the PlugX remote access trojan, the Android malware HenBox, the Windows backdoor Farseer and the 9002 RAT. PKPLUG is also tied to the publicly available Poison Ivy RAT and the Zupdax backdoor.

Unit 42 is not entirely certain whether PKPLUG is a single threat actor or several groups sharing the same tactics, techniques and procedures (TTPs). However, the researchers have assessed with high confidence that it has Chinese nation-state backing.

Indeed, PKPLUG's main targets are Myanmar, Taiwan, Vietnam, Indonesia, Tibet, Xinjiang and Mongolia, all countries, provinces or regions in and around Southeast Asia that are of interest to China in one way or another, whether as members of the Association of Southeast Asian Nations (ASEAN), as autonomous zones the government wishes to keep tabs on, as participants in Beijing's Belt and Road Initiative to connect Southeast Asia with Eastern Europe and Africa, or as parties to the dispute over South China Sea territorial claims.

“It’s not entirely clear as to the ultimate objectives of PKPLUG, but installing backdoor Trojan implants on victim systems, including mobile devices, infers tracking victims and gathering information is a key goal,” states Alex Hinchliffe, threat intelligence analyst, EMEA, in a blog post detailing the playbook’s contents.

According to Unit 42, the earliest confirmed PKPLUG activity was reported by Blue Coat Labs in November 2013 and involved a PlugX campaign against Mongolian targets. In that attack, the actors used weaponized Word documents saved as Single File Web Pages (MHT files) to trigger an exploit that dropped a WinRAR self-extracting (SFX) archive containing PlugX together with a DLL side-loading package. (DLL side-loading places a malicious DLL beside a legitimate, signed executable that loads it by name, so the trusted program ends up running the attacker's code.) PlugX itself was first identified in 2012.

Fast forward to February 2019, when Unit 42 reported its discovery of Farseer, a backdoor likewise delivered via DLL side-loading. Farseer targets Windows systems and acts as a cyberespionage tool that beacons to the attackers' command-and-control servers for instructions. The Farseer activity used decoy documents containing political news about Myanmar, although the researchers also believe PKPLUG has targeted Mongolia with this malware.
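The two campaigns above (the 2013 PlugX drop and the 2019 Farseer delivery) both rely on DLL side-loading: Windows resolves most DLLs from the application's own directory before the system directory, so a legitimate signed EXE dropped next to a malicious DLL that carries a system DLL's name will load the attacker's copy. The detection rule below, an added example and not code from the article or from Unit 42, shows how a defender would hunt for that pattern in image-load telemetry: a signed process mapping a system-named DLL from its own, non-system directory. The Sysmon-style records, the DLL name list and the directory paths are all constructed assumptions for illustration; DLLs on the KnownDLLs list cannot be hijacked this way, so the name list should be tuned to what the environment actually sees.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple, Union

# DLL names a program would normally resolve from the Windows system directory.
# A copy of one of these sitting beside the EXE that loads it is the classic
# side-loading tell. Assumed list for illustration, not taken from the article.
SYSTEM_DLL_NAMES = {
    "version.dll", "dwmapi.dll", "uxtheme.dll", "winmm.dll",
    "cryptbase.dll", "wtsapi32.dll", "profapi.dll", "dbghelp.dll",
}

SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


@dataclass(frozen=True)
class ImageLoad:
    """One Sysmon Event ID 7 style record (fields simplified, constructed)."""
    process: str          # full path of the EXE that performed the load
    process_signed: bool  # EXE carries a valid Authenticode signature
    image: str            # full path of the DLL that was mapped
    image_signed: bool    # DLL carries a valid Authenticode signature
    signer: str           # DLL signer's subject name, "" when unsigned


def in_system_dir(path: Union[str, PureWindowsPath]) -> bool:
    """True when the file lives under a Windows system directory.
    PureWindowsPath compares case-insensitively, as Windows does."""
    return any(parent in SYSTEM_DIRS for parent in PureWindowsPath(path).parents)


def side_loading_reason(ev: ImageLoad) -> Optional[str]:
    """Return an explanation string if the load looks like side-loading, else None."""
    exe = PureWindowsPath(ev.process)
    dll = PureWindowsPath(ev.image)
    if not ev.process_signed:
        return None  # the technique needs a trusted host EXE; unsigned EXEs are another rule's job
    if dll.name.lower() not in SYSTEM_DLL_NAMES:
        return None  # applications legitimately ship their own DLLs
    if in_system_dir(dll):
        return None  # resolved from the real system copy
    if dll.parent != exe.parent:
        return None  # not the application-directory search-order hijack
    return (f"signed {exe.name} loaded system-named {dll.name} from its own "
            f"directory ({dll.parent}); DLL signer: {ev.signer or 'unsigned'}")


def scan(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Run the rule over a batch of records; returns (process, image, reason)."""
    findings = []
    for ev in events:
        reason = side_loading_reason(ev)
        if reason:
            findings.append((ev.process, ev.image, reason))
    return findings


# Constructed sample telemetry: one benign load, one side-load, and two records
# that must not fire so the rule's scope is visible.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\agent.exe", True,
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Users\Public\Update\agent.exe", True,
              r"C:\Users\Public\Update\version.dll", False, ""),
    ImageLoad(r"C:\Users\Public\Update\dropper.exe", False,
              r"C:\Users\Public\Update\winmm.dll", False, ""),
    ImageLoad(r"C:\Program Files\Vendor\agent.exe", True,
              r"C:\Program Files\Vendor\plugin.dll", True, "Vendor Inc"),
]

if __name__ == "__main__":
    for proc, img, why in scan(SAMPLE_EVENTS):
        print(f"ALERT {proc} -> {img}: {why}")
```

Only the second record fires: a signed EXE in a user-writable directory loading an unsigned version.dll from that same directory. The signer is reported rather than used as an exclusion, so an analyst can still spot a malicious DLL signed with a stolen or bogus certificate during triage.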

Between November 2013 and February 2019, Unit 42 identified four additional reports by various research groups that point to further apparent PKPLUG activity. According to Unit 42, these campaigns exhibited several key commonalities suggesting the same actor was involved, including shared domain names and IP addresses, and similar malicious traits such as program runtime behaviors and static code characteristics.
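The linking logic described above, weighting overlaps in infrastructure and code traits to decide which reports belong to one actor, can be made explicit. The script below is an added example, not Unit 42's method or tooling: it scores every pair of reports by the indicators they share, weights a shared code idiosyncrasy more heavily than a shared IP address (which can arise from shared hosting or a sinkhole), and then groups reports with union-find so that indirect links (A shares with B, B shares with C) pull reports into one cluster. The report set, indicator values (RFC 2606 names and RFC 5737 addresses), weights and threshold are all constructed for illustration and are not PKPLUG indicators from the article.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed report set. Indicators use reserved documentation ranges and
# made-up code-feature labels; none are PKPLUG indicators from the article.
REPORTS: Dict[str, Dict[str, Set[str]]] = {
    "R1-2013": {"domain": {"update.example.invalid"}, "ip": {"198.51.100.7"}, "code": {"xor-loop-A"}},
    "R2-2016": {"domain": {"update.example.invalid"}, "ip": {"203.0.113.9"}, "code": {"xor-loop-A", "mutex-fmt-B"}},
    "R3-2018": {"domain": {"news.example.invalid"}, "ip": {"203.0.113.9"}, "code": set()},
    "R4-2019": {"domain": {"news.example.invalid"}, "ip": set(), "code": {"mutex-fmt-B"}},
    "R5-other": {"domain": {"cdn.example.invalid"}, "ip": {"192.0.2.1"}, "code": set()},
}

# Weights reflect how easily an overlap arises by accident: a shared IP can be
# shared hosting or a sinkhole, a shared code idiosyncrasy is hard to fake.
WEIGHTS = {"domain": 2, "ip": 1, "code": 3}
LINK_THRESHOLD = 2   # assumed tuning value: one shared IP alone is not a link


def shared_indicators(a: Dict[str, Set[str]], b: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return {kind: overlapping indicators} for two reports, omitting empty kinds."""
    return {kind: a[kind] & b[kind] for kind in WEIGHTS if a[kind] & b[kind]}


def link_score(a: Dict[str, Set[str]], b: Dict[str, Set[str]]) -> int:
    """Weighted count of shared indicators."""
    return sum(WEIGHTS[kind] * len(vals) for kind, vals in shared_indicators(a, b).items())


def pairwise_links(reports: Dict[str, Dict[str, Set[str]]]) -> Dict[Tuple[str, str], int]:
    """Score every report pair; pairs with no overlap at all are omitted."""
    links = {}
    for x, y in combinations(sorted(reports), 2):
        score = link_score(reports[x], reports[y])
        if score:
            links[(x, y)] = score
    return links


def cluster(reports: Dict[str, Dict[str, Set[str]]],
            threshold: int = LINK_THRESHOLD) -> List[FrozenSet[str]]:
    """Union-find over links at or above threshold; returns sorted clusters."""
    parent = {r: r for r in reports}

    def find(r: str) -> str:
        while parent[r] != r:
            parent[r] = parent[parent[r]]   # path halving
            r = parent[r]
        return r

    for (x, y), score in pairwise_links(reports).items():
        if score >= threshold:
            parent[find(x)] = find(y)

    groups: Dict[str, Set[str]] = {}
    for r in reports:
        groups.setdefault(find(r), set()).add(r)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


if __name__ == "__main__":
    for pair, score in pairwise_links(REPORTS).items():
        print(f"{pair[0]} <-> {pair[1]}: score {score}")
    for group in cluster(REPORTS):
        print("cluster:", ", ".join(sorted(group)))
```

With these inputs R2 and R3 share only an IP address, which scores below the threshold, yet both still land in the same cluster because each is tied to the others through a domain or a code trait. Raising the threshold to 4 leaves only the R1/R2 pair linked, which is the knob an analyst turns when deciding how much shared infrastructure should count as attribution evidence.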