ChChes
Associated Software Descriptions

Name | Description
---|---
Scorpion | (Citation: PWC Cloud Hopper Technical Annex April 2017)
HAYMAKER | Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. (Citation: FireEye APT10 April 2017) (Citation: Twitter Nick Carr APT10)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | ChChes establishes persistence by adding a Registry Run key. (Citation: PWC Cloud Hopper Technical Annex April 2017)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | ChChes steals credentials stored inside Internet Explorer. (Citation: PWC Cloud Hopper Technical Annex April 2017)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | ChChes can encode C2 data with a custom technique that utilizes Base64. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | ChChes can encrypt C2 traffic with AES or RC4. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | ChChes can alter the victim's proxy configuration. (Citation: PWC Cloud Hopper Technical Annex April 2017)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe). (Citation: PWC Cloud Hopper Technical Annex April 2017)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)
Groups That Use This Software

ID | Name | References
---|---|---
G0045 | menuPass | (Citation: PWC Cloud Hopper Technical Annex April 2017)
References
- Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Carr, N. (2017, April 6). Retrieved June 29, 2017.