A rise in PlugX activity has been seen in the Myanmar region. The PlugX malware is often delivered via spear-phishing attacks, as we saw in the 2012-2013 PlugX attacks. From online sources, we were able to retrieve the MD5 hashes of the PlugX samples that are active in Myanmar.
We did some research on the provided samples, and the following IPs popped up:
- 18.104.22.168:80 – AMAZON
- 22.214.171.124:80 – GOOGLE
- 126.96.36.199:80 – CDN MESH
188.8.131.52:80 is a host on the Amazon network. The 184.108.40.206 IP is hosted by Google and the 220.127.116.11 IP is hosted by CDN Mesh.
When we take a closer look at the first IP and the domains VirusTotal associates with it, we see that the following domains have resolved to the 18.104.22.168 IP:
The 22.214.171.124 IP, which belongs to Google, is used by the Google DoubleClick service. It is therefore possible that a malvertisement was served via Google ads, but it could also simply be a false positive.
The following domains pointed towards the 126.96.36.199 IP in 2014:
- 2014-10-15 e.admob.com
- 2014-10-08 ads-bid.l.doubleclick.net
- 2014-10-08 pagead.l.doubleclick.net
- 2014-10-08 pagead46.l.doubleclick.net
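The triage step used above, checking whether the other domains on a resolved IP belong to a large ad or CDN platform (shared infrastructure, likely a false positive) or whether the IP has only a handful of unfamiliar domains (worth a closer look), is easy to automate over passive-DNS output. The following Python snippet is an added example and not code from the original post; the 126.96.36.199 records are the four resolutions listed above, while the 203.0.113.7 record, the suffix list and the thresholds are constructed assumptions.

```python
from datetime import date

# Passive-DNS records as (last_seen, domain, ip). The 126.96.36.199 rows are the
# resolutions quoted in the post; the 203.0.113.7 row (TEST-NET-3) is constructed.
PDNS_RECORDS = [
    ("2014-10-15", "e.admob.com", "126.96.36.199"),
    ("2014-10-08", "ads-bid.l.doubleclick.net", "126.96.36.199"),
    ("2014-10-08", "pagead.l.doubleclick.net", "126.96.36.199"),
    ("2014-10-08", "pagead46.l.doubleclick.net", "126.96.36.199"),
    ("2014-10-20", "update-service.example", "203.0.113.7"),  # constructed placeholder
]

# Suffixes of large advertising/CDN platforms (assumed list). Domains under these
# suffixes sharing an IP with a sample's C2 usually mean shared infrastructure,
# i.e. the IP alone is not good evidence of attacker-owned hosting.
KNOWN_AD_CDN_SUFFIXES = ("doubleclick.net", "admob.com", "googlesyndication.com")

# Above this many distinct domains we treat the IP as generic shared hosting.
SHARED_HOSTING_THRESHOLD = 10


def _matches_suffix(domain, suffixes):
    """True if `domain` equals one of `suffixes` or is a subdomain of one."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def domains_for_ip(records, ip):
    """Return the distinct domains that resolved to `ip`, most recently seen first."""
    last_seen_by_domain = {}
    for last_seen, domain, rec_ip in records:
        if rec_ip != ip:
            continue
        seen = date.fromisoformat(last_seen)
        if domain not in last_seen_by_domain or seen > last_seen_by_domain[domain]:
            last_seen_by_domain[domain] = seen
    return sorted(last_seen_by_domain, key=lambda d: last_seen_by_domain[d], reverse=True)


def triage_ip(records, ip):
    """Summarise the passive-DNS evidence for one IP and give a coarse verdict.

    Verdicts:
      no-passive-dns                - nothing resolved to the IP in our data
      shared-ad-cdn-infrastructure  - every domain is a known ad/CDN platform
      shared-hosting                - many unrelated domains on one IP
      few-domains-review            - a small set of domains; analyst should look
    """
    domains = domains_for_ip(records, ip)
    ad_cdn = [d for d in domains if _matches_suffix(d, KNOWN_AD_CDN_SUFFIXES)]
    if not domains:
        verdict = "no-passive-dns"
    elif len(ad_cdn) == len(domains):
        verdict = "shared-ad-cdn-infrastructure"
    elif len(domains) > SHARED_HOSTING_THRESHOLD:
        verdict = "shared-hosting"
    else:
        verdict = "few-domains-review"
    return {"ip": ip, "domains": domains, "ad_cdn_domains": ad_cdn, "verdict": verdict}


if __name__ == "__main__":
    for ip in ("126.96.36.199", "203.0.113.7", "192.0.2.1"):
        result = triage_ip(PDNS_RECORDS, ip)
        print(f"{ip}: {result['verdict']} ({len(result['domains'])} domains)")
```

For a real investigation the record list would be filled from a passive-DNS export for each IP extracted from the samples; the verdict only decides which IPs deserve analyst time, it does not by itself prove or disprove a false positive.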
The final IP we have is 188.8.131.52, which belongs to CDN Mesh, and the following domains that currently point to 184.108.40.206 appear to be doing serious harm on the internet: