{
	"id": "479a5a6b-33cf-487b-9e70-0d3961c55567",
	"created_at": "2026-04-06T00:10:24.85567Z",
	"updated_at": "2026-04-10T03:32:09.411091Z",
	"deleted_at": null,
	"sha1_hash": "f7eced39802e8636248b5e0caaf653f00798f91a",
	"title": "ELF_PLEAD - Linux Malware Used by BlackTech - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1029805,
	"plain_text": "ELF_PLEAD - Linux Malware Used by BlackTech - JPCERT/CC\r\nEyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2020-11-15 · Archived: 2026-04-05 21:47:06 UTC\r\nNovember 16, 2020\r\nBlackTech\r\nIn a past article, we introduced Linux malware ELF_TSCookie, which is used by an attack group BlackTech. This\r\ngroup also uses other kinds of malware that affects Linux OS. PLEAD module for Windows which we introduced\r\nbefore has its Linux version (ELF_PLEAD) as well. This article describe the details of ELF_PLEAD in\r\ncomparison to PLEAD module.\r\nComparison between PLEAD Module and ELF_PLEAD\r\nELF_PLEAD and PLEAD module share many parts of the code, and most of the functions including\r\ncommunication are similar. Figure 1 shows the comparison of the main functions of PLEAD module and\r\nELF_PLEAD.\r\nFigure 1: Code comparison of PLEAD module and ELF_PLEAD\r\n(Left: PLEAD module / Right: ELF_PLEAD)\r\nIt is clear from the flow of processing that the two types of malware are quite similar. The next sections will\r\ndescribe the features of ELF_PLEAD from the following perspectives:\r\nConfiguration\r\nCommunication protocol\r\nCommands\r\nhttps://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\nPage 1 of 9\n\nConfiguration\r\nELF_PLEAD possesses its configuration with the size of 0x1AA. Figure 2 is an example of configuration. It\r\ncontains information such as C\u0026C servers and an encryption key. (Please see Appendix A for the details of\r\nconfiguration.)\r\nFigure 2: Configuration example\r\nThe configuration is RC4-encrypted, and the 32-byte string right before the encrypted configuration is the\r\nencryption key itself. 
Figure 3 is an example of encrypted configuration and its key.\r\nhttps://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\nPage 2 of 9\n\nFigure 3: Encrypted configuration and encryption key\r\nCommunication protocol\r\nWhile PLEAD module uses HTTP protocol to communicate with its C\u0026C servers, ELF_PLEAD uses its custom\r\nprotocol. Besides the difference, the data format and the method for exchanging the encryption key are almost the\r\nsame. Figure 4 describes the flow of communication that ELF_PLEAD performs.\r\nFigure 4: Communication flow of ELF_PLEAD\r\nELF_PLEAD exchanges a part of RC4 key at the time of first communication. After that, a RC4 key generated by\r\nthe exchange will be used for the communication that follows. The data sent is RC4-encrypted and then LZO-compressed. (Please see Appendix B for the details of communication protocol.)\r\nhttps://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\nPage 3 of 9\n\nCommands\r\nELF_PLEAD is equipped with 5 command groups as follows. (Please see Appendix C for the details of command\r\nfunctions. The command number may vary in some samples.)\r\nCFileManager (group number 0): commands for operation on files\r\nCFileTransfer (group number 1): commands for sending/receiving files\r\nCRemoteShell (group number 2): commands for remote shell\r\nCPortForwardManager (group number 3): commands for proxy mode\r\nNo name (group number 0xFF): commands for malware control\r\nFigure 5: Command group names\r\nIt is clear that the functions are almost the same as PLEAD module.\r\nIn closing\r\nIt has been confirmed that BlackTech uses different kinds of malware including TSCookie, PLEAD and KIVARS,\r\nwhich target Linux OS as well as Windows OS. 
If such malware is found in your Windows environment, it is\r\nrecommended to check your Linux environment as well.\r\nShusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nAppendix A: ELF_PLEAD Configuration\r\nTable A: Configuration\r\nhttps://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\nPage 4 of 9\n\nOffset Description Remarks\r\n0x000 RC4 Key Used for encrypting communication\r\n0x004 ID\r\n0x024 Port number 1\r\n0x026 Port number 2\r\n0x028 Port number 3\r\n0x02A C\u0026C server 1\r\n0x0AA C\u0026C server 2\r\n0x12A C\u0026C server 3\r\nConfiguration format may vary in some samples.\r\nAppendix B: Contents of data exchanged\r\nTable B-1: Format of sent data\r\nOffset Length Contents\r\n0x00 4 RC4 Key (Key4)\r\n0x04 4 Hash value\r\n0x08 4 RC4 key (Key1)\r\n0x0C 2 Length of data sent\r\n0x0E 2 Length of data at offset 0x10 before compression\r\n0x10 - Encrypted data (RC4 +LZO) (See Table A-2 for details.)\r\nTable B-2: Format of encrypted data\r\nOffset Length Contents\r\n0x00 2 0xFF\r\n0x02 4 RC4 key (Key2)\r\n0x06 - Random data (at least 128 bytes)\r\nTable B-3: Format of received data\r\nOffset Length Contents\r\n0x00 4 RC4 key (Key4)\r\nhttps://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\nPage 5 of 9\n\n0x04 4 Hash value\r\n0x08 4 RC4 key (Key1)\r\n0x0C 2 Length of data sent\r\n0x0E 2 Length of data at offset 0x10 before compression\r\n0x10 - Encrypted data (RC4 +LZO) (See Table A-4 for details.)\r\nTable B-4: Format of encrypted data in the received data\r\nOffset Length Contents\r\n0x00 2 0x01FF\r\n0x02 4 RC4 key (Key3)\r\nAppendix C: ELF_PLEAD commands\r\nTable C-1: Commands without group name (group number 0xFF)\r\nValue Contents\r\n4 Send random data\r\n5 Reconnect\r\n6 Restart\r\n7 End\r\n8 End\r\n9 Change socket\r\n11 Change C2 server\r\nTable C-2: Commands for CFileManager (group number 0)\r\nValue Contents\r\n32 Send list of files\r\n37 Send file size, mode, timestamp\r\n39 Change file name\r\n41 Delete file/directory\r\n43 Upload file\r\n45 
Execute file\r\nhttps://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\nPage 6 of 9\n\n49 Create directory\r\n51 Move file\r\n53 Delete directory\r\nTable C-3: Commands for CFileTransfer (group number 1)\r\nValue Contents\r\n64 Send file/directory information\r\n67 Create directory\r\n70 Download file\r\n71 Send file information\r\n75 Upload file\r\nTable C-4: Commands for CRemoteShell (group number 2)\r\nValue Contents\r\n80 Launch remote shell\r\nTable C-5: Commands for CPortForwardManager (group number 3)\r\nValue Contents\r\n96 Set up proxy\r\n100 Connect proxy\r\n102 Send proxy data\r\n104 -\r\n106 -\r\n108 End proxy\r\nAppendix D: C\u0026C server\r\nmx.msdtc.tw\r\nAppendix E: Malware hash value\r\n5b5f8c4611510c11d413cb2bef70867e584f003210968f97e0c54e6d37ba8d8d\r\nca0e83440b77eca4d2eda6efd9530b49ffb477f87f36637b5e43f2e428898766\r\nhttps://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\nPage 7 of 9\n\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially\r\ninvolved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security\r\nmonitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV,\r\nBlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nRelated articles\r\nUpdate on Attacks by Threat Group APT-C-60\r\nCrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks\r\nhttps://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\nPage 8 of 9\n\nMalware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities\r\nDslogdRAT Malware Installed in Ivanti Connect Secure\r\nTempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup\r\nSource: https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\nhttps://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html"
	],
	"report_names": [
		"elf-plead.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434224,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7eced39802e8636248b5e0caaf653f00798f91a.pdf",
		"text": "https://archive.orkl.eu/f7eced39802e8636248b5e0caaf653f00798f91a.txt",
		"img": "https://archive.orkl.eu/f7eced39802e8636248b5e0caaf653f00798f91a.jpg"
	}
}
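The configuration section of the archived article (0x1AA-byte block, RC4-encrypted, 32-byte key stored immediately before the ciphertext, field offsets in Table A) is enough to write a config extractor. The script below is an added example written for this record; it is not JPCERT/CC's code and not code from the malware. Everything beyond the article's stated facts is an assumption and is marked as such in the code: field widths are derived from the gaps between the Table A offsets (0x20-byte ID, 0x80-byte C&C fields), ports are taken as little-endian 16-bit values, strings as NUL-terminated ASCII, and the brute-force locator (`find_config`) is a generalization the article does not describe: it tries every offset in a file image and keeps the first one whose decryption parses as a plausible configuration. The sample blob is a constructed fixture, not one of the hashes in Appendix E. The Appendix B message framing (RC4 + LZO) is not covered here.

```python
"""Added example: decrypt and parse an ELF_PLEAD-style configuration block.

Layout follows Table A of the JPCERT/CC article: 0x1AA bytes, RC4-encrypted,
with the 32-byte RC4 key stored immediately before the ciphertext. Field
widths (gaps between Table A offsets), little-endian 16-bit ports and
NUL-terminated ASCII strings are assumptions, not facts from the article.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

CONFIG_SIZE = 0x1AA   # configuration size stated in the article
KEY_SIZE = 32         # 32-byte key immediately before the ciphertext


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@dataclass
class PleadConfig:
    comm_key: bytes                    # 0x000, 4 bytes, "used for encrypting communication"
    bot_id: str                        # 0x004, 0x20 bytes (assumed NUL-terminated ASCII)
    ports: Tuple[int, int, int]        # 0x024 / 0x026 / 0x028, 16-bit each (assumed LE)
    c2_servers: Tuple[str, str, str]   # 0x02A / 0x0AA / 0x12A, 0x80 bytes each (assumed)


def _cstr(buf: bytes) -> str:
    """NUL-terminated ASCII string; raises UnicodeDecodeError on non-ASCII bytes."""
    return buf.split(b"\x00", 1)[0].decode("ascii")


def parse_config(plain: bytes) -> PleadConfig:
    """Split a decrypted 0x1AA-byte block into the Table A fields."""
    if len(plain) != CONFIG_SIZE:
        raise ValueError("config must be exactly 0x1AA bytes")
    ports = struct.unpack_from("<HHH", plain, 0x024)
    hosts = tuple(_cstr(plain[o:o + 0x80]) for o in (0x02A, 0x0AA, 0x12A))
    return PleadConfig(plain[0:4], _cstr(plain[0x004:0x024]), ports, hosts)


def decrypt_config_at(blob: bytes, key_offset: int) -> PleadConfig:
    """key_offset points at the 32-byte RC4 key; the ciphertext follows it directly."""
    key = blob[key_offset:key_offset + KEY_SIZE]
    start = key_offset + KEY_SIZE
    return parse_config(rc4(key, blob[start:start + CONFIG_SIZE]))


def looks_plausible(cfg: PleadConfig) -> bool:
    """Sanity check for scanning: printable ID, a printable dotted C2 host, non-zero port 1."""
    host = cfg.c2_servers[0]
    return (cfg.bot_id.isprintable() and len(host) >= 4 and host.isprintable()
            and "." in host and cfg.ports[0] != 0)


def find_config(blob: bytes) -> Optional[int]:
    """Brute-force the key offset in a file image (analyst's addition, not from the
    article): try every position and return the first one whose decryption parses
    as a plausible configuration, or None."""
    last = len(blob) - KEY_SIZE - CONFIG_SIZE
    for off in range(0, last + 1):
        try:
            if looks_plausible(decrypt_config_at(blob, off)):
                return off
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def build_sample_blob() -> Tuple[bytes, int]:
    """Constructed fixture, not a real sample: fake ELF prefix, the 32-byte key,
    the RC4-encrypted config, trailing filler. Returns (blob, key_offset)."""
    plain = bytearray(CONFIG_SIZE)
    plain[0:4] = b"\x11\x22\x33\x44"
    plain[0x004:0x004 + 7] = b"TEST-ID"
    struct.pack_into("<HHH", plain, 0x024, 443, 80, 8080)
    for off, host in zip((0x02A, 0x0AA, 0x12A),
                         (b"c2.example.invalid", b"10.0.0.2", b"")):
        plain[off:off + len(host)] = host
    key = bytes(range(0x40, 0x60))
    prefix = b"\x7fELF" + b"\x00" * 37
    blob = prefix + key + rc4(key, bytes(plain)) + b"\xcc" * 16
    return blob, len(prefix)


if __name__ == "__main__":
    sample, _ = build_sample_blob()
    found = find_config(sample)
    print("key at offset", found, "->", decrypt_config_at(sample, found))
```

On a real sample, pass the file contents to `find_config` and inspect the hit with `decrypt_config_at`; the plausibility heuristic is deliberately loose (any printable dotted host), so review the recovered fields rather than trusting the first hit, and adjust the offsets when a sample uses one of the variant layouts the article mentions.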