Researchers at Romanian cybersecurity firm Bitdefender have discovered a custom-built piece of malware that has been active in Asia since at least last July and that could mark the return of the infamous Chinese hacker group Iron Tiger. Active since 2010, the group has targeted political and government agencies in China, Hong Kong, Tibet, the Philippines and other Asian nations. In 2013, it began to focus its attention on U.S. government contractors.
The latest set of attacks employs highly targeted spam messages with a malicious VBS file attached which, if downloaded, unleashes a set of payloads from a distribution server. Targets include entities in the government, telecommunications, technology and education sectors in Asia and the U.S. Bitdefender has named the attack Operation PZChao. As of 17 July 2017, the server hosting “down.pzchao.com” resolved to an IP address located in South Korea, researchers said.
Writing on Security Boulevard, Ivona Alexandra CHILI, Forensics Engineer at Bitdefender, wrote, “An interesting feature of this threat… is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery).” She added, “The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system.”
The first batch script dropped on the system is named “up.bat” and hides in a temporary folder. The batch script performs four essential functions: renaming the second batch script, assigning it system file attributes, altering its Access Control List (ACL) and eliminating any scheduled tasks that may interfere with its successful running.
The second script, named “win32shell.bat” by the first, is set to run every other day at 3AM under the description “Adobe Flash updates”, probably to evade scrutiny. This script downloads additional tools and uploads confidential data about the compromised system to a command and control server via a POST request, including its username, domain, OS version, MAC address, and the status of RDP port 3389.
The payloads deployed include a Bitcoin miner named “java.exe”, also set to run at 3AM, but this one is scheduled only once every three weeks in order to mine cryptocurrency. The malware also attempts to harvest passwords in order to upload them to the command and control server.
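As an added defensive illustration (not Bitdefender's code or anything taken from the report), the following Python heuristic scans a scheduled-task export for two traits described above: a task action launched from a temp folder, and an Adobe Flash-themed task description attached to an action that is not Flash's own updater. The CSV column names are assumed to match what `schtasks /query /fo CSV /v` produces, and the sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample rows in the layout of `schtasks /query /fo CSV /v`
# (only a subset of its columns; the column names are an assumption).
SAMPLE_TASKS_CSV = """\
"TaskName","Task To Run","Comment","Start Time","Schedule Type"
"\\Adobe Flash Player Updater","C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashPlayerUpdateService.exe","Adobe Flash Player Updater","3:00:00 AM","Daily"
"\\win32shell","C:\\Users\\alice\\AppData\\Local\\Temp\\win32shell.bat","Adobe Flash updates","3:00:00 AM","Daily"
"\\java","C:\\Users\\alice\\AppData\\Local\\Temp\\java.exe","Adobe Flash updates","3:00:00 AM","Weekly"
"\\OneDrive Standalone Update Task","%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","","1:35:21 PM","Daily"
"""

# Action path lives under a temp directory (either the literal folder or %TEMP%).
TEMP_PATH = re.compile(r"\\temp\\|%temp%", re.IGNORECASE)
# Action that genuinely belongs to Adobe Flash's updater.
FLASH_ACTION = re.compile(r"\\macromed\\flash\\|flashplayerupdateservice\.exe", re.IGNORECASE)


def suspicious_tasks(csv_text: str) -> list:
    """Return the flagged tasks, each with the heuristics that fired.

    The heuristics mirror the traits reported for Operation PZChao:
    a .bat/.exe scheduled from a temp folder, and a "Flash" comment
    used to disguise a task whose action is not the Flash updater.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        comment = row.get("Comment", "")
        reasons = []
        if TEMP_PATH.search(action):
            reasons.append("action runs from a temp folder")
        if "flash" in comment.lower() and not FLASH_ACTION.search(action):
            reasons.append("Flash-themed comment with non-Flash action")
        if reasons:
            findings.append({"task": row["TaskName"], "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_TASKS_CSV):
        print(f"{f['task']}: {f['action']} -> {'; '.join(f['reasons'])}")
```

On a live host, feed the function the output of `schtasks /query /fo CSV /v` instead of the constructed sample.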
Most worryingly, the malware’s final payload includes a GhOst remote access Trojan (RAT) sample, which researchers said is “very similar” to attacks linked to the Iron Tiger hacker group. The GhOst RAT has a host of espionage capabilities, including the ability to remotely log keystrokes, eavesdrop on conversations through the microphone, listen in on webcams, change and steal files and more.
“This remote access Trojan’s espionage capabilities and extensive intelligence harvesting from victims turns it into an extremely powerful tool that is very difficult to identify,” researchers said. “The C&C rotation during the Trojan’s lifecycle also helps evade detection at the network level, while the impersonation of legitimate, known applications takes care of the rest.”