Malware: PLEAD

Description

[PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two. [PLEAD](https://attack.mitre.org/software/S0435) was observed in use as early as March 2017.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018)

External References

• mitre-attack
• Trend Micro PLEAD RTLO
• TrendMicro BlackTech June 2017
• JPCert PLEAD Downloader June 2018
• JPCert TSCookie March 2018

Techniques Used by This Malware

• T1001.001 — Junk Data
• T1010 — Application Window Discovery
• T1057 — Process Discovery
• T1059.003 — Windows Command Shell
• T1070.004 — File Deletion
• T1071.001 — Web Protocols
• T1083 — File and Directory Discovery
• T1090 — Proxy
• T1105 — Ingress Tool Transfer
• T1106 — Native API
• T1204.001 — Malicious Link
• T1204.002 — Malicious File
• T1555 — Credentials from Password Stores
• T1555.003 — Credentials from Web Browsers
• T1573.001 — Symmetric Cryptography

APT Groups Using This Malware

• BlackTech