PlugX threat spotted in Myanmar during a crucial political period (+IOC)

A rise in PlugX activity has been observed in the Myanmar region. PlugX is often delivered via spear-phishing, as seen in the 2012-2013 PlugX attacks. From online sources, we were able to retrieve the MD5 hashes of the PlugX samples that are active in Myanmar.


We did some research on the retrieved samples, and the following IPs popped up:

  • – AMAZON
  • – GOOGLE
  • – CDN MESH

The first IP is a host on the Amazon network. The second IP is hosted by Google and the third IP is hosted by CDN Mesh.

Once we take a closer look at the first IP and the domains VirusTotal associates with it, we see that the following domains have used this IP:

The IP from Google is used by the Google DoubleClick service, so it is possible that malvertising was served via Google ads, but it could also be a simple false positive.

The following domains pointed towards the IP in 2014:

The final IP which we have is which belongs to CDN Mesh, and it seems that the following domains which currently point towards are doing serious harm on the internet: