Security researchers have discovered a custom-built piece of malware that has been wreaking havoc in Asia for the past several months and is capable of performing nasty tasks, such as password stealing, bitcoin mining, and giving hackers complete remote access to compromised systems.
Dubbed Operation PZChao, the attack campaign discovered by security researchers at Bitdefender has been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States.
Researchers believe the nature, infrastructure, and payloads used in the PZChao attacks, including variants of the Gh0st RAT trojan, are reminiscent of the notorious Chinese hacker group Iron Tiger.
However, this campaign has evolved its payloads to drop a trojan, conduct cyber espionage, and mine Bitcoin cryptocurrency.
The PZChao campaign is attacking targets across Asia and the U.S. using attack tactics similar to those of Iron Tiger, which, according to the researchers, signals the possible return of the notorious Chinese APT group.
Since at least July last year, the PZChao campaign has been targeting organizations with a malicious VBS file attachment delivered via highly targeted phishing emails.
If executed, the VBS script downloads additional payloads to the affected Windows machine from a distribution server hosting “down.pzchao.com,” which resolved to an IP address (18.104.22.168) in South Korea at the time of the investigation.
The threat actors behind the campaign control at least several malicious subdomains of the “pzchao.com” domain, each used to serve a specific task, such as download, upload, RAT-related actions, and malware DLL delivery.
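Because every stage of the campaign is served from a task-specific host under one apex domain, the simplest network detection is to match DNS (or proxy) logs on that apex and report which subdomain each client reached. The script below is an added example, not code from Bitdefender or from the original article: the log format, the sample lines, the client addresses and the `up.pzchao.com` host name are all constructed for illustration; the only indicators taken from the article are `pzchao.com` and `down.pzchao.com`. It matches on label boundaries rather than by substring, so look-alike names such as `notpzchao.com` or `pzchao.com.example.org` are not flagged.

```python
"""Flag DNS-log lookups that fall under the pzchao.com apex domain.

Added example (not Bitdefender's or the article's code). Log format, client
addresses and the 'up.pzchao.com' host are constructed; pzchao.com and
down.pzchao.com are the indicators named in the article.
"""
import re
from typing import Dict, List

# Apex domain named in the article; its task-specific subdomains sit below it.
MALICIOUS_APEX = "pzchao.com"

# Constructed log lines in a made-up "timestamp client query" format.
# The look-alike names on lines 3 and 4 must NOT be flagged.
SAMPLE_DNS_LOG = """\
2017-09-14T03:00:12Z 10.1.4.22 down.pzchao.com
2017-09-14T03:00:13Z 10.1.4.22 up.pzchao.com
2017-09-14T03:01:40Z 10.1.4.57 www.notpzchao.com
2017-09-14T03:02:07Z 10.1.4.57 pzchao.com.example.org
2017-09-14T03:02:09Z 10.1.4.91 PZCHAO.COM.
2017-09-14T03:05:33Z 10.1.4.22 updates.microsoft.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so FQDNs compare consistently."""
    return name.rstrip(".").lower()


def under_apex(name: str, apex: str = MALICIOUS_APEX) -> bool:
    """True if name is apex or a subdomain of apex, matched on label boundaries.

    A plain substring test would flag 'notpzchao.com' and
    'pzchao.com.example.org'; requiring either equality or a '.apex'
    suffix avoids both false positives.
    """
    name = normalize(name)
    return name == apex or name.endswith("." + apex)


def subdomain_label(name: str, apex: str = MALICIOUS_APEX) -> str:
    """Return the labels below apex ('' for the apex itself)."""
    name = normalize(name)
    if name == apex:
        return ""
    return name[: -(len(apex) + 1)]


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose queried name is under the apex."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname = m.groups()
        if under_apex(qname):
            hits.append({
                "time": ts,
                "client": client,
                "query": normalize(qname),
                "subdomain": subdomain_label(qname),
            })
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        task_host = h["subdomain"] or "<apex>"
        print(f"{h['time']} {h['client']} -> {h['query']} (task host: {task_host})")
```

The `subdomain` field is what makes the hit actionable: a client that resolved `down.pzchao.com` has likely run the VBS dropper and fetched a payload, while other task hosts point at later stages of the intrusion, so the per-host breakdown tells the responder how far the compromise has progressed.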
The payloads deployed by the threat actors are “diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system,” researchers noted.
The first payload dropped on compromised machines is a Bitcoin miner, disguised as a ‘java.exe’ file, that mines cryptocurrency every three weeks at 3 AM, when most people are not in front of their systems.
For password stealing, the malware also deploys one of two versions of the Mimikatz password-scraping utility (depending on the architecture of the affected machine) to harvest passwords and upload them to the command and control server.
PZChao’s final payload is a slightly modified version of the Gh0st remote access trojan (RAT), designed to act as a backdoor implant and behaving much like the versions detected in cyber attacks associated with the Iron Tiger APT group.
The Gh0st RAT is equipped with extensive cyber-espionage capabilities, including:
- Real-time and offline remote keystroke logging
- Listing of all active processes and open windows
- Listening in on conversations via the microphone
- Eavesdropping on the webcam’s live video feed
- Remote shutdown and reboot of the system
- Downloading binaries from the Internet to the remote host
- Modifying and stealing files, and more.
All of the above capabilities allow a remote attacker to take full control of the compromised system, spy on the victims, and exfiltrate confidential data with ease.
While the tools used in the PZChao campaign are a few years old, “they are battle-tested and more than suitable for future attacks,” researchers say.
Active since 2010, Iron Tiger, also known as “Emissary Panda” or “Threat Group-3390,” is a Chinese advanced persistent threat (APT) group that was behind previous campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.
Similar to the PZChao campaign, the group also carried out attacks against entities in China, the Philippines, and Tibet, in addition to targets in the U.S.
For further insights, you can read the detailed technical paper [PDF] published by Bitdefender.