Operation PzChao

TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-054-003
Countries: IN, CN
Report Date: 20180209

Operation PzChao

A new malware has been discovered targeting institutions in the government, technology, education and telecommunications sectors in Asian countries and in the US.  This malware performs various tasks, including password stealing, Bitcoin mining, and providing the attackers with complete remote access to compromised systems.  The campaign has been named Operation PzChao by the researchers[1] who discovered it; they believe the current attacks are reminiscent of the notorious Chinese hacker group Iron Tiger[2].

Infection Methodology

The initial attack consists of highly targeted spam email messages with a malicious VBS file attachment. The VBS file acts as a downloader for the various malicious payloads used in the campaign.[3]

Upon execution, the malicious script downloads various payloads from a distribution server, “down.pzchao.com”, which resolves to 125.7.152.55 in South Korea.  The threat actor has the following registered domains that run infrastructure for various tasks:

  • pzchao.com

Payloads

Bitcoin miner: The first payload deployed to the infected system is a self-extracting 7zip archive that drops a set of miner application tools for Bitcoin mining.  The malware identifies the operating system in use and places the corresponding Bitcoin miner application in the %TEMP% system folder.  The Bitcoin miner application (both the 32-bit and the 64-bit build) is renamed java.exe and used for Bitcoin mining every third week at 3:00 AM.

Password Stealer: In order to get passwords from the target system, the malware deploys two versions of the Mimikatz[4] password-scraping utility, one for each operating system architecture (x86, x64).  Mimikatz comes in a self-extracting 7zip archive which, once extracted, drops four distinct files: mimikatz.exe, mimilib.dll, mimidrv.sys, and pass.bat.  The batch script executes the Mimikatz binary.  Once dumped, the confidential information is uploaded to the command and control server.

Ghost RAT: The malware also deploys modified versions of Ghost RAT, which is designed to act as a backdoor.  The RAT has the following capabilities:

  • Keylogging
  • Listing of active processes and opened windows
  • Eavesdropping via microphone
  • Eavesdropping using webcam
  • Remote shutdown and reboot
  • Downloading and executing remote files
  • Uploading files to servers

These capabilities allow attackers to steal data and remotely control the victim’s system.
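A defender-side triage check for the indicators described in the Infection Methodology and Payloads sections above, added here as an example and not part of this report or the cited research: it runs constructed host telemetry against the pzchao.com domain, the 125.7.152.55 address, the java.exe miner dropped in %TEMP% and the four Mimikatz files. The event schema (type, host, query, dst_ip, attachment, path) and the host names are assumptions.

```python
# Added triage example (not from the report or Bitdefender): scores constructed
# host telemetry against the indicators this report describes.  The event
# schema (type/host/query/dst_ip/attachment/path) is an assumption.
import re
from collections import defaultdict

PZCHAO_DOMAIN = "pzchao.com"                       # from the report
PZCHAO_IP = "125.7.152.55"                         # from the report
MIMIKATZ_FILES = {"mimikatz.exe", "mimilib.dll", "mimidrv.sys", "pass.bat"}
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)  # %TEMP% on a default install

def is_pzchao_host(name):
    """True for pzchao.com itself or any subdomain such as down.pzchao.com."""
    name = name.lower().rstrip(".")
    return name == PZCHAO_DOMAIN or name.endswith("." + PZCHAO_DOMAIN)

def triage(events):
    """Return (rule, event) pairs for events that match a report indicator."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "dns" and is_pzchao_host(ev.get("query", "")):
            hits.append(("dns_pzchao_domain", ev))
        elif kind == "netconn" and ev.get("dst_ip") == PZCHAO_IP:
            hits.append(("netconn_pzchao_ip", ev))
        elif kind == "mail" and ev.get("attachment", "").lower().endswith(".vbs"):
            hits.append(("mail_vbs_attachment", ev))
        elif kind == "file":
            path = ev.get("path", "")
            base = path.rsplit("\\", 1)[-1].lower()
            # The miner is renamed java.exe and dropped in %TEMP%; a real JVM
            # does not live there, so name and location together are the signal.
            if base == "java.exe" and TEMP_DIR.search(path):
                hits.append(("file_miner_java_in_temp", ev))
            elif base in MIMIKATZ_FILES:
                hits.append(("file_mimikatz_component", ev))
    return hits

def hosts_with_full_mimikatz_drop(events):
    """Hosts on which all four files from the Mimikatz archive were seen."""
    seen = defaultdict(set)
    for rule, ev in triage(events):
        if rule == "file_mimikatz_component":
            seen[ev["host"]].add(ev["path"].rsplit("\\", 1)[-1].lower())
    return sorted(h for h, names in seen.items() if names == MIMIKATZ_FILES)

T = "C:\\Users\\a\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [  # constructed sample telemetry for two hosts, ws1 infected
    {"type": "mail", "host": "ws1", "attachment": "invoice.vbs"},
    {"type": "dns", "host": "ws1", "query": "down.pzchao.com"},
    {"type": "netconn", "host": "ws1", "dst_ip": "125.7.152.55"},
    {"type": "file", "host": "ws1", "path": T + "java.exe"},
] + [{"type": "file", "host": "ws1", "path": T + f} for f in sorted(MIMIKATZ_FILES)] + [
    {"type": "file", "host": "ws2", "path": "C:\\Program Files\\Java\\jre8\\bin\\java.exe"},
    {"type": "dns", "host": "ws2", "query": "notpzchao.com"},
]
```

Running `triage(SAMPLE_EVENTS)` flags every ws1 event and nothing on ws2, and `hosts_with_full_mimikatz_drop(SAMPLE_EVENTS)` returns only ws1.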

Prevention Strategies and Mitigation

Users should follow these steps to keep safe from malware threats:

  • Do not open emails from untrusted sources
  • Do not visit malicious websites
  • Regularly check Process Explorer for malicious programs
  • Use updated antivirus software
  • Download and install software from trusted sources

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com.


[1] https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/

[2] http://securityaffairs.co/wordpress/40199/cyber-crime/operation-iron-tiger.html

[3] https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/

[4] https://github.com/gentilkiwi/mimikatz
