The discovery of custom-built malware capable of password-stealing, bitcoin-mining, and providing hackers with complete access to compromised systems could signal the return of a notorious hacker group.
Attacks by Operation PZChao are targeting government, technology, education, and telecommunications organisations in North America and Asia. Compromised targets are controlled with a network of malicious subdomains -- each named PZChao.
The nature of the attacks, as well as the infrastructure and payloads used -- including variants of the Gh0st RAT trojan -- have led researchers at Bitdefender to conclude that they could signify the return of the Iron Tiger APT (advanced persistent threat) operation.
With the PZChao campaign attacking similar targets across both North America and Asia -- and using similar attack tactics -- as Iron Tiger, it's possible the two campaigns could be the work of the same threat actor.
"We can only speculate on attribution, but one thing is certain: the Gh0stRat samples used in the Iron Tiger APT attack are extremely similar to the samples identified in the PZCHAO attack," Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet.
Organisations of interest to the attackers have been targeted by this campaign since at least July last year, the initial point of compromise coming from highly-targeted phishing emails equipped with a malicious VBS file attachment.
The VBS script is used to download the malicious payloads to Windows systems from a distribution server, which researchers have determined to be an IP address in South Korea -- although this is likely meant to be a staging post designed to mislead anyone looking into the attacks.
Wherever it is really based, this server hosts the PZChao domains used to execute the different stages of attacks against targets, with one of the servers responsible for downloading new components for a diverse range of malicious attacks.
While the tools appear to be predominantly designed for espionage, the first payload dropped onto compromised systems is a bitcoin miner, disguised as a 'java.exe' file and executed every three weeks at 3am -- a time when it's likely nobody will be monitoring the performance of the systems, so the sluggishness of a machine mining cryptocurrency is unlikely to be noticed. The bitcoin mining is probably there to fund the cyber-espionage operation.
"We presume that this is due to the fact that the organisation behind the attack still needs extra funding for keeping up with their cyber-intelligence program. It might be this organization does not benefit from infinite R&D funding," said Botezatu.
One of the key goals of the attacks is to steal passwords, which the malware achieves by deploying one of two versions of the Mimikatz password-scraping utility, chosen according to whether the system's processor architecture is x86 or x64. Once extracted, passwords are uploaded to the command and control server.
The most powerful component of the malware consists of a modified version of the Gh0st RAT trojan, which provides the attackers with a backdoor into compromised systems, allowing almost complete control of the infected system. The behaviour of Gh0st RAT is described as "very similar" to attacks associated with the Iron Tiger attack group.
Gh0st RAT can log keystrokes, eavesdrop on webcams, listen remotely via the microphone, shut down and reboot the host remotely, secretly monitor, modify and exfiltrate files, enumerate all active processes, and more.
It's ultimately a fully functioning cyber-espionage tool which the attackers can use to steal information, drop more malware and perform any number of malicious deeds.
While researchers describe the tools used in these attacks as a few years old and 'battle-tested', the malware is still very much capable of carrying out the espionage it is intended for, as demonstrated by continued infections against targets in technologically advanced industries around the world.