Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент PLEAD
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
PLEAD
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

PLEAD

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018)
ID: S0435
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 06 May 2020
Last Modified: 15 Apr 2022

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PLEAD has used HTTP for communications with command and control (C2) servers.(Citation: JPCert PLEAD Downloader June 2018)(Citation: TrendMicro BlackTech June 2017)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PLEAD has the ability to execute shell commands on the compromised host.(Citation: JPCert PLEAD Downloader June 2018)
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.(Citation: TrendMicro BlackTech June 2017)(Citation: ESET PLEAD Malware July 2018)
Enterprise T1001 .001 Data Obfuscation: Junk Data

PLEAD samples were found to be highly obfuscated with junk code.(Citation: ESET PLEAD Malware July 2018)(Citation: TrendMicro BlackTech June 2017)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

PLEAD has used RC4 encryption to download modules.(Citation: JPCert PLEAD Downloader June 2018)
Enterprise T1070 .004 Indicator Removal: File Deletion

PLEAD has the ability to delete files on the compromised host.(Citation: TrendMicro BlackTech June 2017)
Enterprise T1204 .001 User Execution: Malicious Link

PLEAD has been executed via malicious links in e-mails.(Citation: TrendMicro BlackTech June 2017)
.002 User Execution: Malicious File

PLEAD has been executed via malicious e-mail attachments.(Citation: TrendMicro BlackTech June 2017)

Groups That Use This Software
ID Name References
G0098 BlackTech

(Citation: TrendMicro BlackTech June 2017) (Citation: JPCert PLEAD Downloader June 2018) (Citation: Trend Micro Waterbear December 2019) (Citation: Symantec Palmerworm Sep 2020)

References

  1. Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.
  2. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  3. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  4. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  5. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  6. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
  7. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.