A rise in PlugX activity has been observed in Myanmar. PlugX is typically delivered through spear-phishing, as seen in the 2012-2013 PlugX campaigns. From public sources we retrieved the MD5 hashes of the PlugX samples currently active in Myanmar.
We did some research on these samples, and the following IPs came up as network indicators:
- 22.214.171.124:80 – AMAZON
- 126.96.36.199:80 – GOOGLE
- 188.8.131.52:80 – CDN MESH
22.214.171.124:80 is a host on the Amazon network; 126.96.36.199 is hosted by Google and 188.8.131.52 by CDN Mesh.
But once we look at the first IP and the domains VirusTotal reports for it, we see that the following domains have resolved to 22.214.171.124:
The 126.96.36.199 IP, which belongs to Google, is used by the Google DoubleClick ad service. It is therefore possible that a malvertisement was served through Google ads, but it could just as well be a false positive (a sample fetching ad content during analysis rather than contacting a C2).
The following domains pointed to the 126.96.36.199 (Google) IP in 2014:
- 2014-10-15 e.admob.com
- 2014-10-08 ads-bid.l.doubleclick.net
- 2014-10-08 pagead.l.doubleclick.net
- 2014-10-08 pagead46.l.doubleclick.net
The final IP is 188.8.131.52, which belongs to CDN Mesh, and the domains that currently point to it appear to be doing serious harm on the internet:
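The sample-to-IP-to-passive-DNS pivot used above is easy to get wrong: a single IP may be an ad server, a shared cloud host with dozens of unrelated tenants, or a dedicated C2, and only the last deserves a block. The script below is an added example (not code from the original post) that classifies each contacted IP along those lines. Every hash, passive-DNS record and owner attribution in it is a constructed placeholder; the doubleclick/admob names mirror the ones listed above, and the remaining names use the reserved `.invalid` TLD so they resolve nowhere.

```python
# Added example (not code from the original post): a small triage of the
# sample -> IP -> passive-DNS pivot described above. Every hash, passive-DNS
# record and owner attribution below is a constructed placeholder; the
# doubleclick/admob names mirror the ones listed in the post, and the rest
# use the reserved .invalid TLD so they cannot resolve to anything real.
import re
from collections import defaultdict

# Constructed: MD5 placeholders -> IP:port the sample was seen contacting.
SAMPLE_CONTACTS = [
    ("00000000000000000000000000000001", "22.214.171.124:80"),
    ("00000000000000000000000000000002", "126.96.36.199:80"),
    ("00000000000000000000000000000002", "188.8.131.52:80"),
]

# Constructed passive-DNS records: (ip, domain, first_seen YYYY-MM-DD).
PASSIVE_DNS = [
    ("22.214.171.124", "shop-one.invalid", "2014-09-01"),
    ("22.214.171.124", "blog-two.invalid", "2014-09-03"),
    ("22.214.171.124", "wiki-three.invalid", "2014-09-10"),
    ("22.214.171.124", "cms-four.invalid", "2015-01-02"),
    ("126.96.36.199", "e.admob.com", "2014-10-15"),
    ("126.96.36.199", "ads-bid.l.doubleclick.net", "2014-10-08"),
    ("126.96.36.199", "pagead.l.doubleclick.net", "2014-10-08"),
    ("126.96.36.199", "pagead46.l.doubleclick.net", "2014-10-08"),
    ("188.8.131.52", "update-check.invalid", "2014-10-20"),
]

# Constructed owner lookup, standing in for a WHOIS/ASN query.
IP_OWNER = {
    "22.214.171.124": "AMAZON",
    "126.96.36.199": "GOOGLE",
    "188.8.131.52": "CDN MESH",
}

# Google ad-serving zones; a hit here usually means an ad fetch, not C2.
AD_NETWORK_RE = re.compile(
    r"(^|\.)(doubleclick\.net|admob\.com|googlesyndication\.com)$")
# At or above this many unrelated names on one IP, treat it as shared hosting.
SHARED_HOSTING_THRESHOLD = 3


def resolutions(pdns, ip, year=None):
    """Domains seen resolving to `ip`, optionally restricted to one year,
    returned as (first_seen, domain) pairs, newest first."""
    hits = [(seen, dom) for rec_ip, dom, seen in pdns
            if rec_ip == ip and (year is None or seen.startswith(f"{year}-"))]
    return sorted(hits, reverse=True)


def triage(contacts, pdns, owners):
    """Classify each contacted IP as ad-network, shared-hosting or
    candidate-c2 so the analyst knows which pivots are worth chasing."""
    domains = defaultdict(set)
    for ip, dom, _seen in pdns:
        domains[ip].add(dom)

    report = {}
    for md5, ipport in contacts:
        ip = ipport.rsplit(":", 1)[0]
        names = domains.get(ip, set())
        if names and all(AD_NETWORK_RE.search(d) for d in names):
            verdict = "ad-network"      # malvertising at most; often a false positive
        elif len(names) >= SHARED_HOSTING_THRESHOLD:
            verdict = "shared-hosting"  # pivot on the domains, not the IP
        else:
            verdict = "candidate-c2"    # few names on a dedicated host: worth blocking
        entry = report.setdefault(ip, {
            "owner": owners.get(ip, "UNKNOWN"),
            "domains": sorted(names),
            "samples": set(),
            "verdict": verdict,
        })
        entry["samples"].add(md5)
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_CONTACTS, PASSIVE_DNS, IP_OWNER).items():
        print(f"{ip:16} {info['owner']:9} {info['verdict']:15} "
              f"{len(info['samples'])} sample(s), {len(info['domains'])} domain(s)")
    for seen, dom in resolutions(PASSIVE_DNS, "126.96.36.199", year=2014):
        print(f"  {seen} {dom}")
```

The point of the three-way verdict is that an IP-level block on the Amazon or Google address would break unrelated services while telling you nothing about the actual campaign; for those, the domains the sample contacted (and the sample's own configuration) are the indicators to pivot on, and only the sparsely populated dedicated host is a reasonable IP block candidate.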