PLEAD is a remote access tool (RAT) and downloader active since 2012 and used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[1][2]

PLEAD has sometimes been referred to as TSCookie; however, some reports indicate that these are two separate tools.[3][2]

PLEAD's toolset includes the PLEAD backdoor and the DRIGO exfiltration tool. The operators use spear-phishing emails to deliver and install the backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop-off points for documents stolen and exfiltrated by DRIGO.

Both tool families were signed with a valid D-Link Corporation code signing certificate, the same certificate used to sign legitimate D-Link software.

Other samples found in the PLEAD campaign were signed with a code signing certificate belonging to a Taiwanese security company named Changing Information Technology Inc.

Both certificates were likely stolen in a separate campaign in the preparation stages of the attack.[4][5][3][2]

Techniques Used

Domain ID Name Use
Enterprise VT0021 Credentials from Password Stores

PLEAD has the ability to steal saved passwords from Microsoft Outlook.[6]

Enterprise VT0021 .003 Credentials from Password Stores: Credentials from Web Browsers

PLEAD has the ability to steal saved credentials from web browsers.[1][6]

Enterprise VT0027 .001 Encrypted Channel: Symmetric Cryptography

PLEAD has used RC4 encryption to download modules.[2]

Enterprise VT0009 .001 Obtain Capabilities: Code Signing Certificates

PLEAD operators obtain or steal valid, legitimate certificates from Taiwanese companies to sign PLEAD tools.

Enterprise VT0016 .002 Subvert Trust Controls: Code Signing

The PLEAD backdoor and information stealer are signed with certificates stolen from Taiwanese companies.

Threat Actors That Use This Tool

ID Name References
VG0012 BlackTech
Created: 05 May 2021

Last Modified: 09 May 2021