{
	"id": "1e9bb4bc-2cd6-43db-9f84-341b77b40caa",
	"created_at": "2026-04-06T00:18:17.523265Z",
	"updated_at": "2026-04-10T03:27:39.367671Z",
	"deleted_at": null,
	"sha1_hash": "47c64412c5ada2a14fcb56a230321fde32cb9acd",
	"title": "SectorM04 Targeting Singapore – An Analysis – Red Alert",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 603499,
	"plain_text": "SectorM04 Targeting Singapore – An Analysis – Red Alert\r\nArchived: 2026-04-05 17:15:11 UTC\r\nOverview\r\nOn or around June 27, 2018, the personal particulars of almost 1.5 million people were exfiltrated from a SingHealth database in Singapore where patient information was stored. Multiple pieces and types of malware were used in this attack, which took place over almost a year [1].\r\nIllustration using details from p.53 of the COI report\r\nOn 6th March, Symantec released a blog article [2] linking several pieces of malware and a threat group, which we will be tracking as SectorM04, to Singapore’s SingHealth breach last year. One artifact we found an exact match on was the DLL shellcode loader referred to as Trojan.Vcrodat, which is one of the files dropped by a sample that has the characteristics of the PlugX RAT. PlugX is a RAT which has been used by multiple threat groups, including one which was reported to have interests in the healthcare sector [3].\r\nDecoy (e9b12791e0ab3a952fa09afd29e5a1416abd917edf5c913af7573adf8ccc39b0)\r\nThe dropper for that file took the form of a decoy executable posing as a document, named “PositionRequirement-SeniorCivilEngineer.doc.exe”. Opening it results in the Word document below being opened, and everything will seem normal to the victim.\r\nhttps://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/\r\nPage 1 of 8\r\nDecoy document that is opened after executing the malware\r\nHowever, this is actually a trick because the malware uses a “.docx.exe” extension. The actual executable drops other files in the same folder – a legitimate signed executable, a malicious DLL file which abuses the DLL search order [4] of that executable, a compressed shellcode file, a simple batch script (a.bat) to clear its tracks, and a normal Word document. The executable then opens the normal Word document, runs the batch script, drops the remaining three files, and executes the legitimate signed executable.\r\na.bat – a simple batch script to hide the tracks of the original EXE\r\n:Repeat\r\ndel [filepath]\\filename.docx.exe\r\nif exist [filepath]\\filename.docx.exe goto Repeat\r\nIf this was the RAT used for the initial infection, then it reinforces the theory that one likely initial infection vector was spear phishing using a link or an archived file [1]. Using an exploit to automatically run this dropper would not make sense, as the malware also automatically opens a benign Word document, which would arouse suspicion if it opened by itself.\r\nPlugX Trinity\r\nThose remaining three files are actually the three files in what other researchers have dubbed the PlugX Trinity [5] – a legitimate signed executable, a loader DLL, and a shellcode file.\r\nIn this example, the legitimate signed executable was named adobe.exe but was actually an application from ESET. The attacker uses DLL side loading: this “adobe.exe” file tries to load MSVCR110.dll, which is a legitimate system DLL, but because of the way the DLL search order works, the system first looks for MSVCR110.dll in the directory the application was loaded from, thus loading the attacker’s version of MSVCR110.dll.\r\nThe malicious MSVCR110.dll is a tiny DLL made up of the exported functions which the real MSVCR110.dll should have. These exported functions simply forward to MSVCR90.dll when called, except for the “__crtGetShowWindowMode” function, which calls the malicious function. The malicious function proceeds to read the MSVCR110.dat shellcode file into memory, decompress the buffer using RtlDecompressBuffer with the COMPRESSION_FORMAT_LZNT1 scheme, a method seen since the early days of the PlugX RAT [6], and further unpack the shellcode. Throughout the unpacking process, it walks the PEB_LDR_DATA structure via its Process Environment Block (PEB) to resolve the addresses of the libraries and functions it wants to use.\r\nWhen starting, this malware uses the Global mutex named “eeclnt”. It runs another copy of itself with the argument “258”; this copy disables WOW64 redirection and runs %windir%\\system32\\msiexec.exe. The msiexec.exe process is created with the flags 0x434, which among other things start the process in suspended mode, and with the command line argument “259”; the malware then performs process injection so that it is running as msiexec.exe.\r\nPersistence\r\nIn order to persist on a system, the malware makes use of the %APPDATA%\\Windows folder, setting the folder attributes to HIDDEN | SYSTEM and moving MSVCR110.dll, MSVCR110.dat, and eeclnt.exe (renamed from adobe.exe) there. It stores the new location of the shellcode file (MSVCR110.dat) in the environment variable “%UI00%” and the location of the DLL file (MSVCR110.dll) in the environment variable “%UI01%”.\r\nThere are two persistence mechanisms it makes use of:\r\n1. A service with service name and display name set to “WanServer”, which starts %APPDATA%\\Windows\\eeclnt.exe with the command line argument “260”. The service description used is “Network for this computer. If this service is stopped, these functions will be unavailable.”, which is a generic-sounding but unique description for this malicious service.\r\n2. If the service fails to be created, most likely due to insufficient privileges, then the malware makes use of the standard run registry key located at HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, with a value named “eeclnt” whose data is %APPDATA%\\Windows\\eeclnt.exe with the command line argument “260”.\r\nCommand Line – Description\r\nNULL – Re-run with argument “258” and continue\r\n“258” / “260” – Run %windir%\\system32\\msiexec.exe with argument “259” or “261” respectively in suspended mode and inject itself into it\r\n“259” – Create persistence via service / run registry key and run itself as “eeclnt.exe” with argument “260”\r\n“261” – Run normally, including C2 communications.\r\nC2 Beacon\r\nThe malware beacons using a legitimate HTTPS POST on port 443 to “/login.asp?id=%d”, where %d is the victim identifier, with the user-agent “User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)”, via WinINet.dll’s HttpSendRequestA. If the configuration uses a different port, then the request is made over HTTP.\r\nHooking\r\nThe malware manually sets inline hooks on SspiCli.dll’s AcquireCredentialsHandleA function if running on Windows 10. AcquireCredentialsHandleA is actually a function normally called from secur32.dll, which then forwards the API call to SspiCli.dll. Before performing the actual function, the inline hook takes the process token from explorer.exe and performs ImpersonateLoggedOnUser() with that token, which is a trick we are seeing for the first time and seems to be intended for UAC bypass.\r\nThe malware also manually sets inline hooks on WS2_32.dll’s closesocket and shutdown functions. Before performing the closesocket function, the inline hook performs “setsockopt(socket, SOL_SOCKET, SO_DONTLINGER, 0, 4)”, and on shutdown, the inline hook simply returns from the function instead.\r\nInformation Collected\r\nThe malware mainly collects the following information from the system automatically:\r\nMajor, minor, and build OS versions\r\nNetBIOS Name\r\nMAC Address\r\nLogged on user name\r\nOther PlugX Capabilities\r\nSimilar to previous PlugX variants [7], this version zeroes out its entire PE header (not even leaving the false “XV” header), together with certain other PE sections we presume the attacker did not want others to see.\r\nFinally, besides this technical analysis, it is important to remember that PlugX in general has reverse shell capabilities and typically has additional modules which might be either decrypted or downloaded as shellcode [8].\r\nSummary\r\nWhile we cannot be sure of SectorM04’s motives, healthcare data is information that has a lot of potential for intelligence gathering, with the most obvious use being blackmail. They have shown their willingness, ability, and patience to compromise their targets, of which Singapore appears to be one of the bigger ones. As is the case for many nation state threat actor groups, it is important to remember that cyber is only one part of an intelligence operation.\r\nATT\u0026CK Matrix\r\nInitial Access: Spearphishing Attachment, Valid Accounts\r\nExecution: Command-Line Interface, PowerShell, Regsvr32, Rundll32, Scripting, User Execution\r\nPersistence: AppInit DLLs, DLL Search Order Hijacking, Office Application Startup, Valid Accounts\r\nPrivilege Escalation: AppInit DLLs, DLL Search Order Hijacking, Exploitation for Privilege Escalation, Valid Accounts\r\nDefense Evasion: DLL Side-Loading, Indicator Removal from Tools, Indicator Removal on Host, Process Hollowing, Regsvr32, Rundll32, Scripting, Valid Accounts\r\nCredential Access: Credential Dumping, Credentials in Files\r\nLateral Movement: Pass the Ticket, Remote Desktop Protocol, Remote File Copy\r\nCollection: Data Staged\r\nCommand and Control: Remote File Copy\r\nExfiltration: Exfiltration over Command and Control Channel\r\nIndicators of Compromise (IoCs)\r\nPlugX Trinity Hashes (SHA-256)\r\nPlugX RAT Full Dropper\r\ne9b12791e0ab3a952fa09afd29e5a1416abd917edf5c913af7573adf8ccc39b0\r\nPlugX Trinity – Legitimate signed executables\r\nfafb6ffd3ffcf414b702354f62a5216351af4566ed61ece7784846a6938bb8d9\r\n36d76999e9090c99fae2388cd3476134464807fc597f67c60eebc76e32339683\r\nPlugX Trinity – Malicious DLLs which are used to abuse search order\r\nCACEA09B3A5839B0A158F49B4EFEC2A698DB8688F57A92CBA61F287A1619833E\r\nED3CD71EACA603A00E4C0804DC34D84DC38C6C1E1C1F43AF0568FB162C44C995\r\n3B86CF2DEB6524D556AB0109B39A31AEDE3D0ACE423C94FD72DEFD6AB592A3AB\r\nD784A12FEC628860433C28CAA353BB52923F39D072437393629039FA4B2EC8AD\r\n6e874ac92c7061300b402dc616a1095fa7d13c8a18c8a3ea5b30ffa832a7372c\r\nPlugX Trinity – Shellcode files\r\n2201C3AC955148A078D366DC1E9F552FCA4A872756D3B6DA93494CDE8D5DECD5\r\n5664334F2DE563B9F8978B7E33AED4526F96D6D9751F1204D7FBBF659C4F0F7B\r\nOther Hashes (SHA-256)\r\nAnother RAT Used\r\nb2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9\r\nc83651940e90fd315f29fa878e96b9e1f624c840c09c187b376cffdd4c7dcd79\r\n6a633b83987dc01ec30d07b56e8a8b632dcb8ad40602e7036648cd70cdfb9fde\r\n9c2a0f30d49b70a9e81461c91e26ede52b9b65da4d44b7f81299914497203f29\r\n552cc8f42953ece5f69cd8c75dd9af3c059d10327ac6b75e4922f01572d4b7b7\r\nOthers\r\n9d9a6337c486738edf4e5d1790c023ba172ce9b039df1b7b9720ed4c4c9ade90\r\n93c9310f3984d96f53f226f5177918c4ca78b2070d5843f08d2cf351e8c239d5\r\ndda22de8ad7d807cdac8c269b7e3b35a3021dcbff722b3d333f2a12d45d9908d\r\nf562e9270098851dc716e3f17dbacc7f9e2f98f03ec5f1242b341baf1f7d544c\r\na196dfe4ef7d422aadf1709b12511ae82cb96aad030422b00a9c91fb60a12f17\r\nNetwork information\r\nDomains\r\napi[.]edu-us[.]tk\r\napi[.]officeonlinetool[.]com\r\nnews[.]singmicrosoft[.]ga\r\napi[.]micsoftoffice[.]ga\r\nIP Addresses\r\n195[.]20[.]45[.]94\r\n64[.]20[.]227[.]134\r\n50[.]63[.]202[.]51\r\n192[.]71[.]247[.]131\r\n158[.]255[.]4[.]177\r\nReferences\r\n[1] https://www.mci.gov.sg/coireport\r\n[2] https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore\r\n[3] https://www.kaspersky.com/about/press-releases/2018_chinese-speaking-apt-actor-caught-spying-on-pharmaceutical-organizations\r\n[4] https://docs.microsoft.com/en-us/windows/desktop/dlls/dynamic-link-library-search-order#standard-search-order-for-desktop-applications\r\n[5] https://citizenlab.ca/2012/09/human-rights-groups-targeted-by-plugx-rat/\r\n[6] https://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf\r\n[7] https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/\r\n[8] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii.html\r\nSource: https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/"
	],
	"report_names": [
		"sectorm04-targeting-singapore-custom-malware-analysis"
	],
	"threat_actors": [
		{
			"id": "ad5c6ff2-0646-4b29-88bb-d88c75e4866d",
			"created_at": "2022-10-25T15:50:23.662882Z",
			"updated_at": "2026-04-10T02:00:05.385067Z",
			"deleted_at": null,
			"main_name": "Whitefly",
			"aliases": [
				"Whitefly"
			],
			"source_name": "MITRE:Whitefly",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cd9f8d91-c55c-4086-a1a0-23e78d194d46",
			"created_at": "2023-01-06T13:46:38.943454Z",
			"updated_at": "2026-04-10T02:00:03.153969Z",
			"deleted_at": null,
			"main_name": "Whitefly",
			"aliases": [],
			"source_name": "MISPGALAXY:Whitefly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "df9bfbf1-bb9d-492f-b381-95b9e1482267",
			"created_at": "2022-10-25T16:07:24.394491Z",
			"updated_at": "2026-04-10T02:00:04.973663Z",
			"deleted_at": null,
			"main_name": "Whitefly",
			"aliases": [
				"ATK 83",
				"Bronze Walker",
				"G0103",
				"G0107",
				"Mofang",
				"SectorM04",
				"TEMP.Mimic"
			],
			"source_name": "ETDA:Whitefly",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Nibatad",
				"Shim RAT",
				"ShimRAT",
				"Vcrodat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434697,
	"ts_updated_at": 1775791659,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47c64412c5ada2a14fcb56a230321fde32cb9acd.pdf",
		"text": "https://archive.orkl.eu/47c64412c5ada2a14fcb56a230321fde32cb9acd.txt",
		"img": "https://archive.orkl.eu/47c64412c5ada2a14fcb56a230321fde32cb9acd.jpg"
	}
}