PlugX threat spotted in Myanmar during a crucial political period (+IOC)

A rise in PlugX activity has been observed in Myanmar. PlugX is often delivered via spear-phishing, as we saw in the 2012-2013 PlugX campaigns. From online sources we were able to retrieve the MD5 hashes of the PlugX samples active in Myanmar.


We did some research on the provided samples, and the following IPs came up:

  • 54.225.114.189:80 – AMAZON
  • 173.194.67.156:80 – GOOGLE
  • 198.232.124.224:80 – CDN MESH

54.225.114.189:80 is a host on the Amazon network. The 173.194.67.156 IP is hosted by Google and the 198.232.124.224 IP is hosted by CDN Mesh.

But once we take a closer look at the first IP and the domains VirusTotal associates with it, we see that the following domains have used the 54.225.114.189 IP:

The 173.194.67.156 IP from Google is used by the Google DoubleClick service. So it is possible that malvertising was served via Google ads, but it could also simply be a false positive.
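The point above applies to all three IPs: addresses in shared cloud or CDN space are weak indicators on their own, because many unrelated tenants resolve to them. The following is an added triage example, not code from the original post; the provider labels are the ones given above, while the passive-DNS records and domains are constructed placeholders, not the domains the post observed.

```python
from dataclasses import dataclass

# Provider labels as given in the report, keyed by IP.
REPORT_IPS = {
    "54.225.114.189": "AMAZON",
    "173.194.67.156": "GOOGLE",
    "198.232.124.224": "CDN MESH",
}
SHARED_PROVIDERS = {"AMAZON", "GOOGLE", "CDN MESH"}   # multi-tenant cloud/CDN space
LOW_CONFIDENCE_DOMAINS = 3   # this many unrelated domains on one IP: the IP alone is noise

# Constructed passive-DNS style records (ip, domain). Placeholder domains only.
PDNS = [
    ("54.225.114.189", "app-one.example"),
    ("54.225.114.189", "app-two.example"),
    ("173.194.67.156", "ads-a.example"),
    ("173.194.67.156", "ads-b.example"),
    ("173.194.67.156", "stats.example"),
    ("198.232.124.224", "cdn-site.example"),
]

@dataclass
class Triage:
    ip: str
    provider: str
    domains: list
    confidence: str   # "high", "medium" or "low"
    action: str

def triage_ip(ip, pdns=PDNS, providers=REPORT_IPS):
    """Rate an IP as an indicator: shared hosting lowers confidence, and a
    shared IP with many unrelated domains is treated as a likely false positive."""
    provider = providers.get(ip, "UNKNOWN")
    domains = sorted({d for i, d in pdns if i == ip})
    if provider in SHARED_PROVIDERS and len(domains) >= LOW_CONFIDENCE_DOMAINS:
        conf, action = "low", "do not block the IP; pivot to the malicious domain/URL instead"
    elif provider in SHARED_PROVIDERS:
        conf, action = "medium", "alert with ip+port+domain context and review hits"
    else:
        conf, action = "high", "block the IP and alert on any connection"
    return Triage(ip, provider, domains, conf, action)

def triage_all(ips=REPORT_IPS, pdns=PDNS):
    return {ip: triage_ip(ip, pdns, ips) for ip in ips}

if __name__ == "__main__":
    for t in triage_all().values():
        print(f"{t.ip:16} {t.provider:9} {t.confidence:6} domains={len(t.domains)} -> {t.action}")
```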

The following domains pointed towards the 173.194.67.156 IP in 2014:

The final IP, 198.232.124.224, belongs to CDN Mesh, and the following domains that currently point to it appear to be doing serious harm on the internet: