Defending the White Elephant
Click here to download the full report that includes attack details, TTPs and indicators of compromise.
Myanmar is a country currently engaged in an important political process. A pro-democracy reform took place in 2011 which has helped the government create an atmopshere conducive to investor interest. The country is resource rich, with a variety of natural resources and a steady labor supply. Despite recent progress, the country is subject to ongoing conflict with ethnic rebels and an ongoing civil war. Analysts suggest that both China and the United States are vying for greater influence in Myanmar, with China in particular having geopolitical interest due to sea passages, port deals, and fuel pipelines that are important to its goals. Geopolitical analysts have suggested that the United States may have its own interests that involve thwarting Chinese ambitions in the region.
APT groups from multiple countries – including China – have been known to target organizations of strategic interest with aggressive malware-based espionage campaigns. One of the malware families used in such a scenario is the well-known Remote Access Trojan PlugX, also known as Korplug, that enables full access to the victim’s machine and network.
Multiple instances of PlugX and related downloader malware were recently observed to be hosted on a Myanmar government website. Arbor ASERT provided information to the Myanmar CERT to help remediate the situation at hand in early August of 2015. Now that the initial situation has been dealt with, we can release this information more widely. This report is not intended to be a comprehensive exposé on the entirety of the ongoing threat campaign(s), however information on threat actor TTP’s can help other organizations increase awareness that can lead to greater resistance to and better detection of such attack activity.
Initial investigation of malware properties has led to the discovery of a website compromise related to Myanmar elections that hosted PlugX malware. The apparent targeting of Myanmar discussed here is similar to the targeting disclosed by Palo Alto Networks in June 2015 of a strategic web compromise attack (aka “watering hole”) that leveraged the Evilgrab malware. Their research also indicates instances of the 9002 RAT being used on the same infrastructure, but they stopped short of naming a threat actor group. Due to the nature of the threat landscape, attribution can be quite difficult, especially when multiple threat actor groups are using the same malware that may be distributed from a centralized location. Regardless of the details of who is doing the attacking, knowing targets and TTP’s (tactics, techniques and procedures) can empower incident response staff with crucial data they might need to help defend against an adversary that is clearly resourceful and persistent.
Myanmar Government Site Distributing PlugX and Loader Malware
As of July 30, 2015, several instances of PlugX malware and related downloaders were stored on a webserver belonging to the government of Myanmar. Specifically, the Ministry of Information (MOI) site hosting content related to the Myanma Motion Picture Development Department (MMPDD). This is a classic example of a “watering hole” or Strategic Web Compromise style of attack.
Click here to download the full report from that includes attack details, TTPs and indicators of compromise.