ELF_PLEAD - Linux Malware Used by BlackTech - JPCERT/CC
Eyes
By 朝長 秀誠 (Shusei Tomonaga)
Published: 2020-11-15 · Archived: 2026-04-05 21:47:06 UTC
November 16, 2020
BlackTech
In a past article, we introduced Linux malware ELF_TSCookie, which is used by an attack group BlackTech. This
group also uses other kinds of malware that affects Linux OS. PLEAD module for Windows which we introduced
before has its Linux version (ELF_PLEAD) as well. This article describe the details of ELF_PLEAD in
comparison to PLEAD module.
Comparison between PLEAD Module and ELF_PLEAD
ELF_PLEAD and PLEAD module share many parts of the code, and most of the functions including
communication are similar. Figure 1 shows the comparison of the main functions of PLEAD module and
ELF_PLEAD.
Figure 1: Code comparison of PLEAD module and ELF_PLEAD
(Left: PLEAD module / Right: ELF_PLEAD)
It is clear from the flow of processing that the two types of malware are quite similar. The next sections will
describe the features of ELF_PLEAD from the following perspectives:
Configuration
Communication protocol
Commands
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
Page 1 of 9

Configuration
ELF_PLEAD possesses its configuration with the size of 0x1AA. Figure 2 is an example of configuration. It
contains information such as C&C servers and an encryption key. (Please see Appendix A for the details of
configuration.)
Figure 2: Configuration example
The configuration is RC4-encrypted, and the 32-byte string right before the encrypted configuration is the
encryption key itself. Figure 3 is an example of encrypted configuration and its key.
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
Page 2 of 9

Figure 3: Encrypted configuration and encryption key
Communication protocol
While PLEAD module uses HTTP protocol to communicate with its C&C servers, ELF_PLEAD uses its custom
protocol. Besides the difference, the data format and the method for exchanging the encryption key are almost the
same. Figure 4 describes the flow of communication that ELF_PLEAD performs.
Figure 4: Communication flow of ELF_PLEAD
ELF_PLEAD exchanges a part of RC4 key at the time of first communication. After that, a RC4 key generated by
the exchange will be used for the communication that follows. The data sent is RC4-encrypted and then LZO-compressed. (Please see Appendix B for the details of communication protocol.)
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
Page 3 of 9

Commands
ELF_PLEAD is equipped with 5 command groups as follows. (Please see Appendix C for the details of command
functions. The command number may vary in some samples.)
CFileManager (group number 0): commands for operation on files
CFileTransfer (group number 1): commands for sending/receiving files
CRemoteShell (group number 2): commands for remote shell
CPortForwardManager (group number 3): commands for proxy mode
No name (group number 0xFF): commands for malware control
Figure 5: Command group names
It is clear that the functions are almost the same as PLEAD module.
In closing
It has been confirmed that BlackTech uses different kinds of malware including TSCookie, PLEAD and KIVARS,
which target Linux OS as well as Windows OS. If such malware is found in your Windows environment, it is
recommended to check your Linux environment as well.
Shusei Tomonaga
(Translated by Yukako Uchida)
Appendix A: ELF_PLEAD Configuration
Table A: Configuration
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
Page 4 of 9

Offset Description Remarks
0x000 RC4 Key Used for encrypting communication
0x004 ID
0x024 Port number 1
0x026 Port number 2
0x028 Port number 3
0x02A C&C server 1
0x0AA C&C server 2
0x12A C&C server 3
Configuration format may vary in some samples.
Appendix B: Contents of data exchanged
Table B-1: Format of sent data
Offset Length Contents
0x00 4 RC4 Key (Key4)
0x04 4 Hash value
0x08 4 RC4 key (Key1)
0x0C 2 Length of data sent
0x0E 2 Length of data at offset 0x10 before compression
0x10 - Encrypted data (RC4 +LZO) (See Table A-2 for details.)
Table B-2: Format of encrypted data
Offset Length Contents
0x00 2 0xFF
0x02 4 RC4 key (Key2)
0x06 - Random data (at least 128 bytes)
Table B-3: Format of received data
Offset Length Contents
0x00 4 RC4 key (Key4)
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
Page 5 of 9

0x04 4 Hash value
0x08 4 RC4 key (Key1)
0x0C 2 Length of data sent
0x0E 2 Length of data at offset 0x10 before compression
0x10 - Encrypted data (RC4 +LZO) (See Table A-4 for details.)
Table B-4: Format of encrypted data in the received data
Offset Length Contents
0x00 2 0x01FF
0x02 4 RC4 key (Key3)
Appendix C: ELF_PLEAD commands
Table C-1: Commands without group name (group number 0xFF)
Value Contents
4 Send random data
5 Reconnect
6 Restart
7 End
8 End
9 Change socket
11 Change C2 server
Table C-2: Commands for CFileManager (group number 0)
Value Contents
32 Send list of files
37 Send file size, mode, timestamp
39 Change file name
41 Delete file/directory
43 Upload file
45 Execute file
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
Page 6 of 9

49 Create directory
51 Move file
53 Delete directory
Table C-3: Commands for CFileTransfer (group number 1)
Value Contents
64 Send file/directory information
67 Create directory
70 Download file
71 Send file information
75 Upload file
Table C-4: Commands for CRemoteShell (group number 2)
Value Contents
80 Launch remote shell
Table C-5: Commands for CPortForwardManager (group number 3)
Value Contents
96 Set up proxy
100 Connect proxy
102 Send proxy data
104 -
106 -
108 End proxy
Appendix D: C&C server
mx.msdtc.tw
Appendix E: Malware hash value
5b5f8c4611510c11d413cb2bef70867e584f003210968f97e0c54e6d37ba8d8d
ca0e83440b77eca4d2eda6efd9530b49ffb477f87f36637b5e43f2e428898766
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
Page 7 of 9

朝長 秀誠 (Shusei Tomonaga)
Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially
involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security
monitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV,
BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.
Related articles
Update on Attacks by Threat Group APT-C-60
CrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
Page 8 of 9

Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities
DslogdRAT Malware Installed in Ivanti Connect Secure
Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup
Source: https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
Page 9 of 9