PLEAD Campaign Attacks Taiwan Ministries

More than having to deal with existing political issues in the news, the Taiwanese government is sidetracked with another challenge yet again with the arrival of the PLEAD targeted campaign.

The PLEAD campaign is the second attack to target entities in Taiwan in the first half of 2014. Taiwanese agencies were also targeted in May using a Microsoft Word zero-day vulnerability.

Research is ongoing as to who exactly are affected, who are controlling the servers, and who are using the malware tools in the PLEAD campaign. Recent findings show that that the attacks related to this campaign have been around since 2012.

The campaign gained the moniker “PLEAD” in reference to the backdoor commands that the malware issues. Like typical backdoor programs, malware related to PLEAD can use vulnerabilities to open up a computer to remote commands from attackers.

PLEAD enters systems via aggressive email campaigns aimed at personalities in Taiwan’s ministries. Sporting the previously used “right to left override” (RTLO) technique to disguise executable files, PLEAD takes the extra step to lure unknowing government employees into thinking they’re downloading work-related documents.

Once inside, this campaign is set to attack a flaw in the system so it can remotely command it to perform get information from the computer, check the computer settings, list the names of each drive, and even steal and delete files.

Spear-phishing emails have long been one of an attackers’ most favored means of entering a target network. Attackers do this by using popular online search results to find out which specific topic can be best used to target a specific target employee or agency. Spear-phishing emails coupled with file-cloaking devices like RTLO create a scenario where unknowing targets can easily become doors to the whole network.

This how it was done in the case of PLEAD. The amount of research undertaken before the attack is apparent if one looks at a sample email sent out by the campaign. The message tricks employees into downloading a .ZIP file that supposedly contains reference materials for a technical consultant conference, something only target personalities would be interested in. In reality, what the target is going to get from the download is an executable file masked as a regular document and a decoy file to make the download look more real.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.