PLEAD

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia, including Taiwan, Japan, and Hong Kong.[1][2] PLEAD has also been referred to as TSCookie, though more recent reporting indicates that the two are likely distinct. PLEAD was observed in use as early as March 2017.[3][2]

ID: S0435
Type: MALWARE
Platforms: Windows
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.; Hannah Simes, BT Security
Version: 2.0
Created: 06 May 2020
Last Modified: 15 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PLEAD has used HTTP for communications with command and control (C2) servers.[2][1]

Enterprise T1010 Application Window Discovery

PLEAD has the ability to list open windows on the compromised host.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PLEAD has the ability to execute shell commands on the compromised host.[2]

Enterprise T1555 Credentials from Password Stores

PLEAD has the ability to steal saved passwords from Microsoft Outlook.[4]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.[1][4]

Enterprise T1001 .001 Data Obfuscation: Junk Data

PLEAD samples were found to be highly obfuscated with junk code.[4][1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

PLEAD has used RC4 encryption to download modules.[2]

Enterprise T1083 File and Directory Discovery

PLEAD has the ability to list drives and files on the compromised host.[1][2]

Enterprise T1070 .004 Indicator Removal: File Deletion

PLEAD has the ability to delete files on the compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

PLEAD has the ability to upload and download files to and from an infected host.[2]

Enterprise T1106 Native API

PLEAD can use ShellExecute to execute applications.[1]

Enterprise T1057 Process Discovery

PLEAD has the ability to list processes on the compromised host.[1]

Enterprise T1090 Proxy

PLEAD has the ability to proxy network communications.[2]

Enterprise T1204 .001 User Execution: Malicious Link

PLEAD has been executed via malicious links in e-mails.[1]

Enterprise T1204 .002 User Execution: Malicious File

PLEAD has been executed via malicious e-mail attachments.[1]

Groups That Use This Software

ID Name References
G0098 BlackTech [1][2][5][6]

References