Security researchers have discovered a custom-built piece of malware that has been wreaking havoc in Asia for the past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems.
Dubbed Operation PZChao, the attack campaign discovered by security researchers at Bitdefender has been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States.
Researchers believe the nature, infrastructure, and payloads, including variants of the Gh0st RAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group Iron Tiger.
However, this campaign has evolved its payloads to drop a trojan, conduct cyber espionage, and mine Bitcoin cryptocurrency.
The PZChao campaign is attacking targets across Asia and the U.S. using attack tactics similar to those of Iron Tiger, which, according to the researchers, signifies the possible return of the notorious Chinese APT group.
Since at least July last year, the PZChao campaign has been targeting organizations with a malicious VBS file attachment delivered via highly targeted phishing emails.
If executed, the VBS script downloads additional payloads to the affected Windows machine from a distribution server hosting “down.pzchao.com,” which resolved to an IP address (22.214.171.124) in South Korea at the time of the investigation.
The threat actors behind the campaign control at least five malicious subdomains of the “pzchao.com” domain, and each one is used to serve a specific task, such as download, upload, RAT-related actions, or malware DLL delivery.
The payloads deployed by the threat actors are “diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system,” researchers noted.
The first payload dropped on compromised machines is a Bitcoin miner, disguised as a ‘java.exe’ file, which mines cryptocurrency every three weeks at 3 AM, when most people are not in front of their systems.
For password stealing, the malware also deploys one of two versions of the Mimikatz password-scraping utility (depending on the architecture of the affected machine) to harvest passwords and upload them to the command-and-control server.
PZChao’s final payload is a slightly modified version of the Gh0st remote access trojan (RAT), which is designed to act as a backdoor implant and behaves very similarly to the versions detected in cyber attacks associated with the Iron Tiger APT group.
The Gh0st RAT is equipped with extensive cyber-espionage capabilities, including:
- Real-time and offline remote keystroke logging
- Listing of all active processes and open windows
- Listening in on conversations via the microphone
- Eavesdropping on the webcam’s live video feed
- Allowing for remote shutdown and reboot of the system
- Downloading binaries from the Internet to the remote host
- Modifying and stealing files, and more.
All of the above capabilities allow a remote attacker to take full control of the compromised system, spy on the victims, and exfiltrate confidential data easily.
While the tools used in the PZChao campaign are a few years old, “they are battle-tested and more than suitable for future attacks,” researchers say.
Active since 2010, Iron Tiger, also known as “Emissary Panda” or “Threat Group-3390,” is a Chinese advanced persistent threat (APT) group that was behind previous campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.
Similar to the PZChao campaign, the group also carried out attacks against entities in China, the Philippines, and Tibet, besides attacking targets in the U.S.
For further insights, you can read the detailed technical paper [PDF] published by Bitdefender.