S0435 PLEAD
PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[2][3] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.[4][3]
| Item | Value |
|---|---|
| ID | S0435 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 06 May 2020 |
| Last Modified | 15 April 2022 |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | PLEAD has used HTTP for communications with command and control (C2) servers.[3][2] |
| enterprise | T1010 | Application Window Discovery | PLEAD has the ability to list open windows on the compromised host.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | PLEAD has the ability to execute shell commands on the compromised host.[3] |
| enterprise | T1555 | Credentials from Password Stores | PLEAD has the ability to steal saved passwords from Microsoft Outlook.[5] |
| enterprise | T1555.003 | Credentials from Web Browsers | PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.[2][5] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | PLEAD samples were found to be highly obfuscated with junk code.[5][2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | PLEAD has used RC4 encryption to download modules.[3] |
| enterprise | T1083 | File and Directory Discovery | PLEAD has the ability to list drives and files on the compromised host.[2][3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | PLEAD has the ability to delete files on the compromised host.[2] |
| enterprise | T1105 | Ingress Tool Transfer | PLEAD has the ability to upload and download files to and from an infected host.[3] |
| enterprise | T1106 | Native API | PLEAD can use ShellExecute to execute applications.[2] |
| enterprise | T1057 | Process Discovery | PLEAD has the ability to list processes on the compromised host.[2] |
| enterprise | T1090 | Proxy | PLEAD has the ability to proxy network communications.[3] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | PLEAD has been executed via malicious links in e-mails.[2] |
| enterprise | T1204.002 | Malicious File | PLEAD has been executed via malicious e-mail attachments.[2] |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0098 | BlackTech | [2][3][6][7] |
References

1. Alintanahin, K. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.
2. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech's Cyber Espionage Campaigns. Retrieved May 5, 2020.
3. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
4. Tomonaga, S. (2018, March 6). Malware "TSCookie". Retrieved May 6, 2020.
5. Cherepanov, A. (2018, July 9). Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign. Retrieved May 6, 2020.
6. Su, V., et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
7. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.