Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation state adversary

Friday 4 October 14:00 - 14:30, Red room

Alex Hinchliffe (Unit 42, Palo Alto Networks)



Discoveries of two malware families, HenBox for Android and, more recently, Farseer for Windows, with significant, mostly infrastructure-based overlaps with previously seen malware such as 9002, PlugX, PIVY and FHAPPI, have led us towards what appears to be an undocumented nation-state group, or groups, in China whom we refer to as PKPLUG. The malware families, infrastructure and campaign delivery used by PKPLUG highlight broad targeting of multiple sectors and victims in and around the South East Asia region and beyond. This research will detail some of the PKPLUG campaigns, describing the tooling used and, with MITRE's ATT&CK framework and other models that underpin Unit 42's Adversary Playbooks, highlight PKPLUG's behaviour, including some overlapping TTPs.


Alex Hinchliffe

Alex Hinchliffe is a threat intelligence analyst with Unit 42 at Palo Alto Networks. Based in EMEA, his main responsibilities include research into security threats and the groups behind them (their motivations, tactics and resources), and curating and enriching data to share threat intelligence with the community and the wider public. He started his career as an intern at the then Dr Solomon's Anti-Virus Company in the United Kingdom. Almost two decades later, his research has largely focused on Windows and Android malware, and he regularly speaks on these and related topics. While previously working for McAfee Labs, Alex co-created the industry's first cloud-based anti-malware reputation system, Artemis, which used DNS to decrease time to protection without signatures in order to help fight the huge growth in malicious threats.

@AlexHinchliffe
