A rise in PlugX activity has been seen in the Myanmar region. PlugX is usually delivered through spear-phishing, as it was in the 2012-2013 PlugX campaigns. From online sources we were able to retrieve the MD5 hashes of the PlugX samples that are active in Myanmar.
We did some research on those samples, and the following IPs showed up as contacted by them:
- 220.127.116.11:80 – AMAZON
- 18.104.22.168:80 – GOOGLE
- 22.214.171.124:80 – CDN MESH
The first IP is a host on the Amazon network, the second is hosted by Google and the third by CDN Mesh.
Once we take a closer look at the first IP, 220.127.116.11, and pull the domains that VirusTotal has seen resolving to it, we find that the following domains have used that IP:
The Google IP, 18.104.22.168, is used by Google's DoubleClick advertising service. It is possible that a malvertisement was served through Google ads, but it could just as well be a false positive: a sample that contacts an ad network while running in a sandbox (or a decoy document that loads ads) is not evidence of command and control.
The following domains pointed to the 22.214.171.124 IP in 2014 (date last seen, domain):
- 2014-10-15 e.admob.com
- 2014-10-08 ads-bid.l.doubleclick.net
- 2014-10-08 pagead.l.doubleclick.net
- 2014-10-08 pagead46.l.doubleclick.net
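Pivoting from the samples' contact IPs through passive DNS, as done above, is easy to script, and the ad-network false positive is the first thing such a script should filter. The block below is an added example and not code from the original post. It extracts MD5 hashes from a pasted indicator list, then takes passive-DNS records an analyst has already exported for each contact IP (the records here are constructed test data on TEST-NET addresses, not the IPs in this post), groups the resolved domains per IP newest first, and marks an IP as probable noise when every domain on it is an advertising domain, or as shared infrastructure when several unrelated domains sit on it. The ad-domain suffix list, the record format and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Assumed: domain suffixes of advertising/analytics platforms. Sandboxed
# malware, the decoy document it opens or the victim's browser commonly
# contact these, so a resolution to one of them is usually noise, not C2.
AD_NETWORK_SUFFIXES = ("doubleclick.net", "admob.com", "googlesyndication.com")

# Constructed passive-DNS records for three contact IPs (TEST-NET addresses,
# not the post's IPs): (ip, domain, last_seen, network owner).
PDNS_RECORDS = [
    ("192.0.2.10", "update-sync.example", date(2014, 10, 20), "AMAZON"),
    ("192.0.2.10", "mail-check.example", date(2014, 10, 18), "AMAZON"),
    ("192.0.2.20", "pagead.l.doubleclick.net", date(2014, 10, 8), "GOOGLE"),
    ("192.0.2.20", "e.admob.com", date(2014, 10, 15), "GOOGLE"),
    ("192.0.2.30", "static-cdn.example", date(2014, 9, 1), "CDN MESH"),
    ("192.0.2.30", "login-verify.example", date(2014, 10, 12), "CDN MESH"),
    ("192.0.2.30", "doc-view.example", date(2014, 10, 14), "CDN MESH"),
]

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def parse_hashes(text):
    """Pull MD5 hashes out of a pasted indicator list.

    Returns a sorted, de-duplicated, lowercase list ready for a hash lookup.
    Longer hex runs (SHA-1, SHA-256) are ignored because of the word boundary.
    """
    return sorted({m.lower() for m in MD5_RE.findall(text)})


def is_ad_network(domain):
    """True if the domain is, or sits under, a known ad/analytics suffix."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in AD_NETWORK_SUFFIXES)


def triage(records, since=None, shared_threshold=3):
    """Group resolved domains by IP and give each IP a triage verdict.

    since: drop resolutions last seen before this date (campaign window).
    Returns {ip: {"owner": str, "domains": [newest first], "verdict": str}}
    where verdict is one of:
      "likely-noise"          every domain on the IP is an ad-network domain
      "shared-infrastructure" several domains share the IP (cloud/CDN tenant
                              hosting); check each domain, do not block the IP
      "candidate-c2"          few domains, none recognisably benign
    """
    by_ip = defaultdict(lambda: {"owner": None, "domains": []})
    for ip, domain, last_seen, owner in records:
        if since is not None and last_seen < since:
            continue
        by_ip[ip]["owner"] = owner
        by_ip[ip]["domains"].append((last_seen, domain))

    result = {}
    for ip, info in by_ip.items():
        # Most recently seen first, so the IP's current tenant leads the list.
        ordered = [d for _, d in sorted(info["domains"], reverse=True)]
        if all(is_ad_network(d) for d in ordered):
            verdict = "likely-noise"
        elif len(ordered) >= shared_threshold:
            verdict = "shared-infrastructure"
        else:
            verdict = "candidate-c2"
        result[ip] = {"owner": info["owner"], "domains": ordered, "verdict": verdict}
    return result


if __name__ == "__main__":
    # Constructed indicator paste: two MD5s (one repeated in upper case)
    # and one SHA-1 that must not be picked up.
    paste = """0123456789abcdef0123456789abcdef
    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    0123456789ABCDEF0123456789ABCDEF
    da39a3ee5e6b4b0d3255bfef95601890afd80709"""
    print("hashes:", parse_hashes(paste))
    for ip, info in triage(PDNS_RECORDS, since=date(2014, 10, 1)).items():
        print(ip, info["owner"], info["verdict"], info["domains"])
```

Restricting the lookup to the campaign window with `since` matters: an IP that hosted many tenants years ago may hold only one or two domains today, and it is those current domains, not the historical ones, that are worth hunting for.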
The final IP, 22.214.171.124, belongs to CDN Mesh, and it appears that the following domains, which currently point to it, are doing serious harm on the internet: