PZChao May Signal the Return of Iron Tiger APT

What Is It?

Recently, researchers at Bitdefender have released the results of their analysis of a sophisticated piece of custom written malware, named PZChao.

The name is derived from the domains it uses for its infrastructure. Each domain is used for a specific purpose, such as downloading or controlling malware components.

The attackers have targeted government sector, education and technology/telecommunications organizations in the U.S., Canada, Australia and throughout Asia since July 2017.

It has been observed that once compromised, three payloads are installed on an infected system. The first is a bitcoin miner. Secondly, both the 32-bit and 64-bit versions of the Mimikatz tool are installed, uploading harvested passwords to a command and control (C2) server later. Finally, a close variant of the Gh0st RAT remote access trojan (RAT) is installed. The RAT component effectively gives the attackers full control over an infected machine including keystroke logging, eavesdropping utilizing the webcam or microphone, full access to the file system and remote shell.

When analyzed, the RAT samples were found to be very similar to those used by the Iron Tiger Advanced Persistent Threat (APT) group. Believed to have been active since 2010, the group is thought to be based in China and previously considered to have initiated successful attacks on U.S. contractors, resulting in significant theft of data.

How Does It Propagate?

As is common with APTs, PZChao attacks begin with highly targeted spam emails containing a malicious Visual Basic Script (VBS) attachment which then downloads further malicious components.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detects PZChao components as malicious. Regression testing on various samples has shown they would have been detected by BluVector between 19 and 25 months prior to their release, with one sample detected 45 months prior.

All Threat Reports