1. Home
  2. Software
  3. PLEAD

PLEAD

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[1][2] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.[3][2]

ID: S0435
Type: MALWARE
Platforms: Windows
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.; Hannah Simes, BT Security
Version: 2.0
Created: 06 May 2020
Last Modified: 15 April 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PLEAD has used HTTP for communications with command and control (C2) servers.[2][1]
Enterprise T1010 Application Window Discovery

PLEAD has the ability to list open windows on the compromised host.[1][1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PLEAD has the ability to execute shell commands on the compromised host.[2]
Enterprise T1555 Credentials from Password Stores

PLEAD has the ability to steal saved passwords from Microsoft Outlook.[4]
.003 Credentials from Web Browsers

PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.[1][4]
Enterprise T1001 .001 Data Obfuscation: Junk Data

PLEAD samples were found to be highly obfuscated with junk code.[4][1]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

PLEAD has used RC4 encryption to download modules.[2]
Enterprise T1083 File and Directory Discovery

PLEAD has the ability to list drives and files on the compromised host.[1][2]
Enterprise T1070 .004 Indicator Removal: File Deletion

PLEAD has the ability to delete files on the compromised host.[1]
Enterprise T1105 Ingress Tool Transfer

PLEAD has the ability to upload and download files to and from an infected host.[2]
Enterprise T1106 Native API

PLEAD can use ShellExecute to execute applications.[1]
Enterprise T1057 Process Discovery

PLEAD has the ability to list processes on the compromised host.[1]
Enterprise T1090 Proxy

PLEAD has the ability to proxy network communications.[2]
Enterprise T1204 .001 User Execution: Malicious Link

PLEAD has been executed via malicious links in e-mails.[1]
.002 User Execution: Malicious File

PLEAD has been executed via malicious e-mail attachments.[1]

Groups That Use This Software

ID Name References
G0098 BlackTech

[1][2][5][6]

References

  1. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  2. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  3. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  1. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.
  2. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  3. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.