Espionage malware snoops for passwords, mines bitcoin on the side

Operation PZChao targets US and Asian organisations with cyber-attacks reminiscent of Iron Tiger -- but this time with the ability to drop trojans, conduct espionage, and mine bitcoin.
Written by Danny Palmer, Senior Writer

Video: 10 key strategies for disaster preparedness and increased IT security

The discovery of custom-built malware capable of password-stealing, bitcoin-mining, and providing hackers with complete access to compromised systems could signal the return of a notorious hacker group.

Attacks by Operation PZChao are targeting government, technology, education, and telecommunications organisations in North America and Asia. Compromised targets are controlled with a network of malicious subdomains -- each named PZChao.

The nature of the attacks, as well as the infrastructure and payloads used -- including variants of the Gh0st RAT trojan -- have led researchers at Bitdefender to conclude that they could signify the return of the Iron Tiger APT (advanced persistent threat) operation.

Iron Tiger is thought to have been active since 2010, to be China-based, and to have been behind previous campaigns that resulted in the theft of large amounts of records from US contractors. The group is also said to have conducted espionage against targets in China and other parts of Asia.

With the PZChao campaign attacking similar targets across both North America and Asia -- and using similar attack tactics -- as Iron Tiger, it's possible the two campaigns could be the work of the same threat actor.

"We can only speculate on attribution, but one thing is certain: the Gh0stRat samples used in the Iron Tiger APT attach are extremely similar to the samples identified in the PZCHAO attack," Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet.

Organisations of interest to the attackers have been targeted by this campaign since at least July last year, the initial point of compromise coming from highly-targeted phishing emails equipped with a malicious VBS file attachment.

The VBS script is used to download the malicious payloads to Windows systems from a distribution server, which researchers have determined to be an IP address in South Korea -- although this is likely meant to be a staging post designed to mislead anyone looking into the attacks.

Wherever it is really based, this server hosts the PZChao domains used to execute the different stages of attacks against targets, with one of the servers responsible for downloading new components for a diverse range of malicious attacks.

See also: Cyberwar: A guide to the frightening future of online conflict

While the tools appear to be predominantly designed for espionage, the first payload dropped onto compromised systems is a bitcoin miner, disguised as a 'java.exe' file and used every three weeks at 3am -- a time when it's likely nobody will be monitoring the performance of the systems, so it won't be noticed the machines are running sluggishly while mining cryptocurrency. It's likely the bitcoin mining is necessary to keep the cyber-espionage operation going.


The new attacks are very similar to those used by the Iron Tiger hacking operation.

Image: iStock

"We presume that this is due to the fact that the organisation behind the attack still needs extra funding for keeping up with their cyber-intelligence program. It might be this organization does not benefit from infinite R&D funding," said Botezatu.

One of the key goals of the attacks is to steal passwords, which the malware achieves by deploying one of two versions of the Mimikatz password-scraping utility, depending on whether the operating architecture of the system is x86 or x64. Once extracted, passwords get uploaded to the command and control server.

Free download: IT leader's guide to reducing insider security threats

The most powerful component of the malware consists of a modified version of the Gh0st RAT trojan, which provides the attackers with a backdoor into compromised systems, allowing almost complete control of the infected system. The behaviour of Gh0st RAT is described as "very similar" to attacks associated with the Iron Tiger attack group.

Gh0sT RAT can log keystrokes, eavesdrop on webcams, remotely listen via microphone, allow the remote shutdown and reboot of the host, the ability to secretly monitor, modify and exfiltrate files, explore the list of all active processes, and more.

It's ultimately a fully-functioning cyber-espionage tool which can be used to by the attackers to steal information, drop more malware and perform any number of malicious deeds.

While researchers describe the tools used in these attacks as a few years old and 'battle-tested', the malware is still very much capable of carrying out the espionage it is intended for, as demonstrated by continued infections against targets in technologically advanced industries around the world.

Recent and related coverage

Chinese hacking group returns with new tactics for espionage campaign

'KeyBoy' group drops stealthy malware to steal data from targets in a corporate espionage campaign focused on new targets.

In the grey area between espionage and cyberwar

Understanding the intentions in the cat-and-mouse online battle is getting harder.


Editorial standards