# JPCERT Coordination Center official Blog

**blogs.jpcert.or.jp/en/2020/11/elf-plead.html**

朝長 [秀誠 (Shusei Tomonaga)](https://blogs.jpcert.or.jp/en/shu_tom/)
November 16, 2020

## ELF_PLEAD - Linux Malware Used by BlackTech

Tag: [BlackTech](https://blogs.jpcert.or.jp/en/tags/blacktech/)

In a past article, we introduced the [Linux malware ELF_TSCookie](https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html), which is used by the attack group BlackTech. This group also uses other kinds of malware that affect Linux OS. The [PLEAD module for Windows](https://blogs.jpcert.or.jp/en/2018/05/linopid.html) which we introduced before has a Linux version (ELF_PLEAD) as well. This article describes the details of ELF_PLEAD in comparison to the PLEAD module.

### Comparison between PLEAD Module and ELF_PLEAD

ELF_PLEAD and the PLEAD module share many parts of their code, and most of the functions, including communication, are similar. Figure 1 shows a comparison of the main functions of the PLEAD module and ELF_PLEAD.

Figure 1: Code comparison of PLEAD module and ELF_PLEAD (Left: PLEAD module / Right: ELF_PLEAD)

It is clear from the flow of processing that the two types of malware are quite similar. The next sections describe the features of ELF_PLEAD from the following perspectives:

- Configuration
- Communication protocol
- Commands

### Configuration

ELF_PLEAD holds its configuration in a block of size 0x1AA. Figure 2 is an example of the configuration. It contains information such as C&C servers and an encryption key. (Please see Appendix A for the details of the configuration.)

Figure 2: Configuration example

The configuration is RC4-encrypted, and the 32-byte string located right before the encrypted configuration is the encryption key itself. Figure 3 is an example of an encrypted configuration and its key.
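The following is an added example, not code from the article or from the sample, showing how an analyst can turn the description above and the field layout of Table A (Appendix A) into a configuration extractor: take the 32 bytes preceding the encrypted block as the RC4 key, decrypt the 0x1AA-byte block, and map the offsets onto fields. The field lengths are derived from the gaps between the offsets in Table A (ID 0x20 bytes, each C&C entry 0x80 bytes), the little-endian port encoding and NUL-terminated strings are assumptions, and the key, the configuration offset and every value in the sample blob are constructed for the demonstration.

```python
import struct

CONFIG_SIZE = 0x1AA   # configuration size stated in the article
KEY_SIZE = 32         # the 32-byte key sits right before the encrypted configuration


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _cstr(buf: bytes) -> str:
    """Read a NUL-terminated string (assumption about how the fields are stored)."""
    return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_config(plain: bytes) -> dict:
    """Map the decrypted 0x1AA-byte block onto the fields of Table A.
    Ports are read as little-endian 16-bit values; that endianness is an
    assumption, not something the article states."""
    if len(plain) != CONFIG_SIZE:
        raise ValueError("unexpected configuration size: 0x%X" % len(plain))
    ports = struct.unpack_from("<HHH", plain, 0x024)
    return {
        "rc4_key": plain[0x000:0x004].hex(),               # "Used for encrypting communication"
        "id": _cstr(plain[0x004:0x024]),
        "ports": list(ports),                               # port numbers 1..3
        "c2": [_cstr(plain[off:off + 0x80]) for off in (0x02A, 0x0AA, 0x12A)],
    }


def extract_config(blob: bytes, config_offset: int) -> dict:
    """Given a file/memory image and the offset of the encrypted configuration,
    use the 32 bytes immediately before it as the RC4 key and decrypt."""
    if config_offset < KEY_SIZE or config_offset + CONFIG_SIZE > len(blob):
        raise ValueError("configuration offset out of range")
    key = blob[config_offset - KEY_SIZE:config_offset]
    enc = blob[config_offset:config_offset + CONFIG_SIZE]
    return parse_config(rc4(key, enc))


def build_sample_blob() -> tuple:
    """Constructed test data: a fake configuration encrypted with a fake
    32-byte key, surrounded by padding so it resembles a slice of a binary.
    Returns (blob, offset_of_encrypted_config)."""
    cfg = bytearray(CONFIG_SIZE)
    cfg[0x000:0x004] = b"\x11\x22\x33\x44"
    cfg[0x004:0x004 + 9] = b"SAMPLE-ID"
    struct.pack_into("<HHH", cfg, 0x024, 443, 8080, 53)
    for off, host in ((0x02A, b"c2-one.invalid"),
                      (0x0AA, b"c2-two.invalid"),
                      (0x12A, b"c2-three.invalid")):
        cfg[off:off + len(host)] = host
    key = bytes(range(0x41, 0x41 + KEY_SIZE))   # constructed key "ABC..."
    padding = b"\x90" * 64
    blob = padding + key + rc4(key, bytes(cfg)) + padding
    return blob, len(padding) + KEY_SIZE


if __name__ == "__main__":
    blob, off = build_sample_blob()
    print(extract_config(blob, off))
```

On a real sample the offset would come from locating the 32-byte key and the block that follows it (for instance by trying each candidate position and keeping the one whose decryption yields printable C&C strings); the parser itself is the same.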
Figure 3: Encrypted configuration and encryption key

### Communication protocol

While the PLEAD module uses HTTP to communicate with its C&C servers, ELF_PLEAD uses a custom protocol. Apart from that difference, the data format and the method for exchanging the encryption key are almost the same. Figure 4 describes the flow of communication that ELF_PLEAD performs.

Figure 4: Communication flow of ELF_PLEAD

ELF_PLEAD exchanges a part of the RC4 key at the time of the first communication. After that, the RC4 key generated by this exchange is used for the communication that follows. The data sent is RC4-encrypted and then LZO-compressed. (Please see Appendix B for the details of the communication protocol.)

### Commands

ELF_PLEAD is equipped with the following 5 command groups. (Please see Appendix C for the details of the command functions. The command numbers may vary in some samples.)

- CFileManager (group number 0): commands for operations on files
- CFileTransfer (group number 1): commands for sending/receiving files
- CRemoteShell (group number 2): commands for remote shell
- CPortForwardManager (group number 3): commands for proxy mode
- No name (group number 0xFF): commands for malware control

Figure 5: Command group names

It is clear that the functions are almost the same as those of the [PLEAD module](https://blogs.jpcert.or.jp/en/2018/06/plead-downloader-used-by-blacktech.html).

### In closing

It has been confirmed that BlackTech uses different kinds of malware, including TSCookie, PLEAD and KIVARS, which target Linux OS as well as Windows OS. If such malware is found in your Windows environment, it is recommended to check your Linux environment as well.
Shusei Tomonaga
(Translated by Yukako Uchida)

**Appendix A: ELF_PLEAD Configuration**

Table A: Configuration

| Offset | Description   | Remarks                           |
|--------|---------------|-----------------------------------|
| 0x000  | RC4 Key       | Used for encrypting communication |
| 0x004  | ID            |                                   |
| 0x024  | Port number 1 |                                   |
| 0x026  | Port number 2 |                                   |
| 0x028  | Port number 3 |                                   |
| 0x02A  | C&C server 1  |                                   |
| 0x0AA  | C&C server 2  |                                   |
| 0x12A  | C&C server 3  |                                   |

Configuration format may vary in some samples.

**Appendix B: Contents of data exchanged**

Table B-1: Format of sent data

| Offset | Length | Contents                                                      |
|--------|--------|---------------------------------------------------------------|
| 0x00   | 4      | RC4 key (Key4)                                                |
| 0x04   | 4      | Hash value                                                    |
| 0x08   | 4      | RC4 key (Key1)                                                |
| 0x0C   | 2      | Length of data sent                                           |
| 0x0E   | 2      | Length of data at offset 0x10 before compression              |
| 0x10   | -      | Encrypted data (RC4 + LZO) (See Table B-2 for details.)       |

Table B-2: Format of encrypted data

| Offset | Length | Contents                          |
|--------|--------|-----------------------------------|
| 0x00   | 2      | 0xFF                              |
| 0x02   | 4      | RC4 key (Key2)                    |
| 0x06   | -      | Random data (at least 128 bytes)  |

Table B-3: Format of received data

| Offset | Length | Contents                                                      |
|--------|--------|---------------------------------------------------------------|
| 0x00   | 4      | RC4 key (Key4)                                                |
| 0x04   | 4      | Hash value                                                    |
| 0x08   | 4      | RC4 key (Key1)                                                |
| 0x0C   | 2      | Length of data sent                                           |
| 0x0E   | 2      | Length of data at offset 0x10 before compression              |
| 0x10   | -      | Encrypted data (RC4 + LZO) (See Table B-4 for details.)       |
Table B-4: Format of encrypted data in the received data

| Offset | Length | Contents       |
|--------|--------|----------------|
| 0x00   | 2      | 0x01FF         |
| 0x02   | 4      | RC4 key (Key3) |

**Appendix C: ELF_PLEAD commands**

Table C-1: Commands without group name (group number 0xFF)

| Value | Contents          |
|-------|-------------------|
| 4     | Send random data  |
| 5     | Reconnect         |
| 6     | Restart           |
| 7     | End               |
| 8     | End               |
| 9     | Change socket     |
| 11    | Change C2 server  |

Table C-2: Commands for CFileManager (group number 0)

| Value | Contents                          |
|-------|-----------------------------------|
| 32    | Send list of files                |
| 37    | Send file size, mode, timestamp   |
| 39    | Change file name                  |
| 41    | Delete file/directory             |
| 43    | Upload file                       |
| 45    | Execute file                      |
| 49    | Create directory                  |
| 51    | Move file                         |
| 53    | Delete directory                  |

Table C-3: Commands for CFileTransfer (group number 1)

| Value | Contents                        |
|-------|---------------------------------|
| 64    | Send file/directory information |
| 67    | Create directory                |
| 70    | Download file                   |
| 71    | Send file information           |
| 75    | Upload file                     |

Table C-4: Commands for CRemoteShell (group number 2)

| Value | Contents            |
|-------|---------------------|
| 80    | Launch remote shell |

Table C-5: Commands for CPortForwardManager (group number 3)

| Value         | Contents         |
|---------------|------------------|
| 96            | Set up proxy     |
| 100           | Connect proxy    |
| 102           | Send proxy data  |
| 104, 106, 108 | End proxy        |

**Appendix D: C&C server**

mx.msdtc.tw

**Appendix E: Malware hash value**

- 5b5f8c4611510c11d413cb2bef70867e584f003210968f97e0c54e6d37ba8d8d
- ca0e83440b77eca4d2eda6efd9530b49ffb477f87f36637b5e43f2e428898766
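The following is an added example, not code from the article, that parses the 16-byte message header shared by Tables B-1 and B-3 above and carves consecutive messages out of a reassembled TCP stream, which is the first step when writing a traffic decoder or a network signature for this protocol. Little-endian field encoding is assumed, "Length of data sent" is interpreted here as the length of the encrypted block at offset 0x10, and the payload is left as opaque bytes because decoding it would require the RC4 key exchange and an LZO decompressor. The messages in the sample stream are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 0x10
# Key4 (4), hash value (4), Key1 (4), length of data sent (2),
# length before compression (2); little-endian is an assumption.
HEADER_FMT = "<4s4s4sHH"


@dataclass
class PleadMessage:
    key4: bytes
    hash_value: bytes
    key1: bytes
    data_len: int           # declared length of the encrypted block
    uncompressed_len: int   # declared length of that block before LZO compression
    payload: bytes          # the RC4+LZO block at offset 0x10, left undecoded


def parse_message(buf: bytes) -> tuple:
    """Parse one message laid out as in Table B-1/B-3.
    Returns (message, bytes_consumed); raises ValueError when the buffer
    is shorter than the header or than the length the header declares."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated header: %d bytes" % len(buf))
    key4, hval, key1, data_len, unc_len = struct.unpack_from(HEADER_FMT, buf, 0)
    end = HEADER_LEN + data_len
    if len(buf) < end:
        raise ValueError("truncated payload: header declares %d bytes, %d present"
                         % (data_len, len(buf) - HEADER_LEN))
    return PleadMessage(key4, hval, key1, data_len, unc_len, buf[HEADER_LEN:end]), end


def split_stream(stream: bytes) -> list:
    """Carve every message out of a reassembled TCP stream, in order."""
    messages, pos = [], 0
    while pos < len(stream):
        msg, used = parse_message(stream[pos:])
        messages.append(msg)
        pos += used
    return messages


def build_message(key4: bytes, hval: bytes, key1: bytes,
                  payload: bytes, uncompressed_len: int) -> bytes:
    """Assemble a message with the Table B-1 header in front of an opaque payload."""
    return struct.pack(HEADER_FMT, key4, hval, key1, len(payload), uncompressed_len) + payload


def sample_stream() -> bytes:
    """Constructed stream of two back-to-back messages (values are made up)."""
    first = build_message(b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd",
                          b"\x05\x06\x07\x08", b"X" * 150, 200)
    second = build_message(b"\x09\x0a\x0b\x0c", b"\x00\x00\x00\x00",
                           b"\x0d\x0e\x0f\x10", b"Y" * 40, 64)
    return first + second


if __name__ == "__main__":
    for m in split_stream(sample_stream()):
        print("key4=%s key1=%s data_len=%d uncompressed_len=%d"
              % (m.key4.hex(), m.key1.hex(), m.data_len, m.uncompressed_len))
```

Because the header is identical in both directions, the same parser serves request and response; which direction a message belongs to only becomes visible after decryption, where Table B-2 begins with 0xFF and Table B-4 with 0x01FF.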