PLEAD's toolset includes the PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install its backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop-off points for documents stolen and exfiltrated by DRIGO.
Both tool families were signed with a valid D-Link Corporation code-signing certificate, the same certificate used to sign legitimate D-Link software.
Other samples found in the PLEAD campaign were signed with a code-signing certificate belonging to a Taiwanese security company named Changing Information Technology Inc.
| Domain | ID | Sub-technique | Name | Use |
|---|---|---|---|---|
| Enterprise | VT0021 | .003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Enterprise | VT0027 | .001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | VT0009 | .001 | Obtain Capabilities: Code Signing Certificates | PLEAD operators obtain or steal valid and legitimate certificates from Taiwanese companies to sign PLEAD tools |
| Enterprise | VT0016 | .002 | Subvert Trust Controls: Code Signing | PLEAD backdoor and information stealer are signed with stolen certificates from Taiwanese companies |
Threat Actors That Use This Tool
References
- Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech's Cyber Espionage Campaigns. Trend Micro. Retrieved May 5, 2020.
- Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
- Tomonaga, S. (2018, March 6). Malware "TSCookie". Retrieved May 6, 2020.
- Cherepanov, A. (2018, July 9). Certificates Stolen from Taiwanese Tech-Companies Misused in Plead Malware Campaign. WeLiveSecurity (ESET). Retrieved May 6, 2020.
- Su, V., et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
Created: 05 May 2021
Last Modified: 09 May 2021