PLEAD

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[1][2] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.[3][2]

ID: S0435
Type: MALWARE
Platforms: Windows
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.; Hannah Simes, BT Security
Version: 2.0
Created: 06 May 2020
Last Modified: 15 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1555 Credentials from Password Stores

PLEAD has the ability to steal saved passwords from Microsoft Outlook.[4]

.003 Credentials from Web Browsers

PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.[1][4]
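The two entries above describe PLEAD reading saved credentials out of browser profiles and Outlook. The detection below is an added example, not code from the ATT&CK page or from any PLEAD sample: it runs over a constructed list of Windows Security event 4663 (object access) records and flags any image other than the store's own application opening a credential store, then groups hits per process, because one image touching Chrome, Firefox and Outlook stores in sequence is a much stronger signal than a single read. Event 4663 is only emitted for objects that carry an audit SACL, so those paths must be audited for this to fire in production; the store paths are the default profile locations (an assumption about install layout) and every sample value is invented.

```python
"""Flag processes other than the owning application that read browser or Outlook
credential stores (T1555 / T1555.003).

Added example, not from the ATT&CK page or any PLEAD sample. Input is a constructed
list of Windows Security 4663 (object access) records; 4663 only appears for objects
with an audit SACL. Store paths assume default install layouts; all values are invented.
"""
import re

# (label, path pattern, processes that legitimately open the store)
STORE_RULES = [
    ("Chrome Login Data",
     re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
     {"chrome.exe"}),
    ("Firefox logins",
     re.compile(r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key[34]\.db)$", re.I),
     {"firefox.exe"}),
    # Outlook 2013+ keeps account/profile data under this registry path (assumption).
    ("Outlook profile registry",
     re.compile(r"\\REGISTRY\\USER\\[^\\]+\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I),
     {"outlook.exe"}),
]


def find_credential_store_access(events):
    """Return one hit per 4663 event whose accessing image is not the store's owner."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        image = ev.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
        obj = ev.get("ObjectName", "")
        for label, pattern, owners in STORE_RULES:
            if pattern.search(obj) and image not in owners:
                hits.append({"pid": ev.get("ProcessId"), "process": image,
                             "store": label, "object": obj})
    return hits


def credential_harvesters(events, min_stores=2):
    """Group hits by process; an image touching several distinct stores (as PLEAD does
    across Chrome, Firefox and Outlook) is the harvesting pattern worth alerting on."""
    by_proc = {}
    for h in find_credential_store_access(events):
        by_proc.setdefault((h["pid"], h["process"]), set()).add(h["store"])
    return {k: sorted(v) for k, v in by_proc.items() if len(v) >= min_stores}


# Constructed sample: chrome.exe and OUTLOOK.EXE read their own stores (benign);
# update.exe (an invented name) reads all three.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessId": "0x1a4c",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "AccessMask": "0x1"},
    {"EventID": 4663, "ProcessId": "0x2f10",
     "ProcessName": r"C:\Users\alice\AppData\Roaming\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "AccessMask": "0x1"},
    {"EventID": 4663, "ProcessId": "0x2f10",
     "ProcessName": r"C:\Users\alice\AppData\Roaming\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3p0x1.default\logins.json",
     "AccessMask": "0x1"},
    {"EventID": 4663, "ProcessId": "0x2f10",
     "ProcessName": r"C:\Users\alice\AppData\Roaming\update.exe",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
     "AccessMask": "0x1"},
    {"EventID": 4663, "ProcessId": "0x0b30",
     "ProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
     "AccessMask": "0x1"},
    # A non-4663 record is ignored regardless of its fields.
    {"EventID": 4688, "ProcessId": "0x2f10",
     "ProcessName": r"C:\Users\alice\AppData\Roaming\update.exe", "ObjectName": ""},
]

if __name__ == "__main__":
    for (pid, image), stores in credential_harvesters(SAMPLE_EVENTS).items():
        print(f"{image} ({pid}) read {len(stores)} credential stores: {', '.join(stores)}")
```

Chrome holds Login Data open while it runs, so harvesting tools often copy the file elsewhere before reading it; pairing this rule with Sysmon FileCreate events for a file named Login Data outside the Chrome profile directory covers that variant. Internet Explorer credentials live in the Windows Vault rather than a profile file, which is why no IE rule appears above.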

Enterprise T1090 Proxy

PLEAD has the ability to proxy network communications.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

PLEAD has used RC4 encryption to download modules.[2]
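RC4 is a symmetric stream cipher, so the same key that the downloader uses to decrypt a module also lets an analyst decrypt a captured download once the key is pulled out of the sample. The following is an added example, not code from the ATT&CK page or from any PLEAD sample: a plain RC4 implementation, checked against the standard "Key"/"Plaintext" test vector, plus a helper that tries candidate keys (for instance strings recovered from the binary) against a captured blob and accepts the one that yields a PE image. The module bytes and key are constructed; nothing here reflects PLEAD's actual key or module format.

```python
"""RC4 as used to protect a downloaded module (T1573.001), and key recovery by
trying candidates until the plaintext looks like a PE image.

Added example, not from the ATT&CK page or any PLEAD sample. The key and module
below are constructed for the demonstration.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with RC4 (the operation is its own inverse)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm: permute the state array under the key.
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    # Pseudo-random generation: XOR each data byte with the next keystream byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(byte ^ state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check on a decrypted module: DOS magic plus an e_lfanew
    that points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_module(blob: bytes, candidate_keys):
    """Try each candidate key against a captured download; return (key, plaintext)
    for the first decryption that parses as a PE image, else (None, None)."""
    for key in candidate_keys:
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None, None


# Constructed module: DOS header with e_lfanew = 0x40, then a PE signature and padding.
SAMPLE_MODULE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
                 + b"PE\0\0" + b"\x00" * 20 + b"constructed module body")
SAMPLE_KEY = b"constructed-module-key"
# What would be captured on the wire: the module under RC4 with the sample key.
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_MODULE)

if __name__ == "__main__":
    key, module = recover_module(SAMPLE_BLOB, [b"wrong-guess", SAMPLE_KEY])
    print("key:", key, "module ok:", module == SAMPLE_MODULE)
```

Because RC4 provides no integrity and reuses the same keystream for every message encrypted under one static key, two captured downloads under the same key XOR to the XOR of the two plaintexts; a known-plaintext PE header in one is therefore enough to start recovering the other even before the key is found.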

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PLEAD has the ability to execute shell commands on the compromised host.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PLEAD has used HTTP for communications with command and control (C2) servers.[2][1]

Enterprise T1010 Application Window Discovery

PLEAD has the ability to list open windows on the compromised host.[1]

Enterprise T1001 .001 Data Obfuscation: Junk Data

PLEAD samples were found to be highly obfuscated with junk code.[4][1]

Enterprise T1083 File and Directory Discovery

PLEAD has the ability to list drives and files on the compromised host.[1][2]

Enterprise T1106 Native API

PLEAD can use ShellExecute to execute applications.[1]

Enterprise T1204 .001 User Execution: Malicious Link

PLEAD has been executed via malicious links in e-mails.[1]

.002 User Execution: Malicious File

PLEAD has been executed via malicious e-mail attachments.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

PLEAD has the ability to delete files on the compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

PLEAD has the ability to upload and download files to and from an infected host.[2]

Enterprise T1057 Process Discovery

PLEAD has the ability to list processes on the compromised host.[1]

Groups That Use This Software

ID Name References
G0098 BlackTech

[1][2][5][6]

References