Security researchers have discovered a new campaign named Operation PZChao targeting government, technology, education, and telecommunications sectors in Asia and the US.
Malware Researchers from Bitdefender said they discovered a custom build piece of malware which they have been monitoring for last several months.
The malware is capable of password stealing, bitcoin mining and gaining full control of the system.
Another interesting feature is that the malware contains a network of malicious subdomains, each one used for a specific task such as download, upload, RAT related actions, malware DLL delivery.
“An interesting feature of this threat, which drew our team to the challenge of analyzing it, is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery). The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system.”
Researchers said that they found variants of Gh0st RAT used in Iron Tiger APT operation among the most downloaded malicious files which indicate a possible return of the Chinese APT group.
The victims are targeted through spear phishing messages containing a malicious VBS file attached. After execution and the VBS script will download further malicious payload to windows systems from a distributed server.
The IP address of the distributed server was identified as 220.127.116.11 and located in South Korea and the “down.pzchao.com.”
Below image shows that new components are downloaded and executed on the infected host in every stage of the attack:
To steal the password from the compromised systems, the attacker deploys two versions of the Mimikatz password-scraping tool for both operating system architectures x86 and x64.
Once extracted and the confidential information will be uploaded to command and control server.
The final payload is slightly modified version of Gh0st RAT which is designed to act as a backdoor implant. The modified Gh0st RAT version has many similarities to the versions detected in post campaigns associated with the Iron Tiger APT group.
Once the payload the executed a remote attacker can gain full control of the system and can modify or steal data, log keystrokes, download binaries from the Internet, list all active processes and opened windows, allow remote shutdown or reboot of the host, spy on webcams and microphones.
For further details, you can visit technical paper published by Bitdefender researcher here.