Security researchers have discovered a custom-built piece of malware that has been wreaking havoc in Asia for several months and could signal the return of the notorious Chinese hacker group Iron Tiger. According to researchers at Bitdefender, attacks by Operation PZChao have been targeting institutions in the government, technology, education and telecommunications sectors in Asia and the US.
The attack uses highly targeted spam messages carrying a malicious VBS file attachment, which downloads additional payloads from a distribution server. As of 17 July 2017, the server hosting "down.pzchao.com" resolved to an IP address located in South Korea, researchers said.
"The threat actors behind the attack have control over five subdomains of the 'pzchao.com' domain. Suggestively named, these domains serve specific functionalities, such as upload, download and RAT-related communication," Bitdefender said in a report.
The first batch script dropped on the system, called "up.bat", hides in a temporary folder and performs four key functions: renaming the second batch script, assigning system files to it, modifying its Access Control List (ACL) and killing any scheduled tasks that may interfere with the file.
The second, newly named win32shell.bat script is scheduled to run every other day at 3AM under the name "Adobe Flash updates", likely to "keep a low profile and evade scrutiny." This script acts as a downloader for additional tools and uploads confidential and sensitive data about the compromised system to a command and control server, including the username, domain, MAC address, OS version and the status of RDP port 3389, via a POST request.
Meanwhile, the payloads deployed are "diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system," researchers note.
These include a Bitcoin miner renamed as a "java.exe" file that is used to mine cryptocurrency every three weeks at 3AM. The malware also deploys two versions of the Mimikatz password-scraping utility to harvest passwords and later upload them to the command and control server.
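A defender-side check suggested by the scheduled task, the batch script in the temp folder and the renamed "java.exe" miner described above, added here as an example rather than code from Bitdefender's report or the article: it parses a constructed, trimmed export in the shape of `schtasks /query /fo csv /v` output (the column subset and the "Start Time" format are assumptions) and reports which tasks match the tradecraft reported for PZChao.

```python
import csv
import io
import ntpath
import re

# Constructed sample in the shape of `schtasks /query /fo csv /v` output, trimmed to
# the columns this check uses (assumption: a real export carries many more columns).
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Schedule Type","Start Time","Run As User"
"\Adobe Flash updates","C:\Users\Public\AppData\Local\Temp\win32shell.bat","Daily","3:00:00 AM","SYSTEM"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","Weekly","1:00:00 AM","SYSTEM"
"\java update","C:\Windows\Temp\java.exe","Daily","3:00:00 AM","SYSTEM"
'''

# Task name Bitdefender reported for the win32shell.bat downloader.
LURE_NAMES = {"adobe flash updates"}
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|ps1)\b", re.IGNORECASE)
# A genuine java.exe normally lives under a Java/JRE/JDK directory.
JAVA_DIR_RE = re.compile(r"\\(java|jre|jdk)[^\\]*\\", re.IGNORECASE)


def audit_tasks(csv_text):
    """Return a list of findings for tasks matching the reported PZChao tradecraft."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"].lstrip("\\")
        action = row["Task To Run"]
        # Assumption: the program path is the first whitespace-separated token.
        program = ntpath.basename(action.split(" ")[0])
        reasons = []
        if name.lower() in LURE_NAMES:
            reasons.append("task name impersonates a legitimate updater ('Adobe Flash updates')")
        if TEMP_DIR_RE.search(action) and SCRIPT_EXT_RE.search(action):
            reasons.append("runs a script from a temporary folder")
        if program.lower() == "java.exe" and not JAVA_DIR_RE.search(action):
            reasons.append("java.exe launched from outside a Java install directory")
        # 3AM alone is not suspicious; record it only as supporting evidence.
        if reasons and row["Start Time"].startswith("3:00"):
            reasons.append("scheduled for 3AM, matching the reported timing")
        if reasons:
            findings.append({"task": name, "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{finding['task']}: {'; '.join(finding['reasons'])}")
```

On a live host, feed the function the output of `schtasks /query /fo csv /v` instead of the constructed sample.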
The malware's final payload includes a slightly modified Gh0st remote access trojan (RAT) sample designed to act as a backdoor implant that researchers said is "very similar" to attacks linked to the Iron Tiger group.
Equipped with a slew of espionage capabilities, the Gh0st RAT can remotely log keystrokes, list all active processes and opened windows, listen in on conversations via microphone, eavesdrop on webcams, allow for remote shutdown and reboot of the system, download binaries from the Internet, modify and steal files and more.
"All these capabilities leave no doubt about the tool's initial purpose and reach into the compromised device. It allows a remote attacker to take full control of the system, spy on the victims and exfiltrate confidential information easily," researchers said. "Even though the tools used in this particular attack are a few years old, they are battle-tested and more than suitable for future attacks."
Active since 2010, the China-based Iron Tiger APT, also known as "Emissary Panda" or "Threat Group-3390", has previously targeted political and government agencies in China, Hong Kong, Tibet, the Philippines and other Asian nations for espionage. In 2013, the group shifted focus to US government contractors.
"This remote access Trojan's espionage capabilities and extensive intelligence harvesting from victims turn it into an extremely powerful tool that is very difficult to identify," researchers said. "The C&C rotation during the Trojan's lifecycle also helps evade detection at the network level, while the impersonation of legitimate, known applications takes care of the rest."