BitCoin Mining Malware is going geopolitical:
Security researchers have recently discovered a newly-built and custom piece of malware that’s creating havoc across Asia for the past several months and is also capable of performing nefarious tasks, such as password theft, bitcoin mining, and even providing hackers with complete remote access to compromised computers/systems.
Nick-Named “Operation PZChao”, the attack campaign discovered by the security researchers at the firm Bitdefender have been targeting organizations in the government, tech, and telecomm industries in Asia and the U.S.A.
Researchers now believe that infrastructure and payloads – apparently including variants of the Gh0stRAT trojan, which was used in the PZChao attacks – are similar to that of the notorious Chinese hacker group—The Iron Tiger.
Active since at least 2010, The Iron Tiger, aka “Emissary Panda” or “Threat Group-#3390,” is a China-based advanced persistent threat (aka APT) group that was behind previous campaigns that resulted in the theft of huge amounts of data from the directors and managers of U.S.A-based defense contractors.
Similar to the PZChao campaign this group also carried out reported attacks against entities in the Philippines, China, and Tibet, not to mention attacking targets in the U.S.
This hacking campaign has since evolved its payload(s) to drop trojans on command, conduct cyber-espionage and even mine Bitcoin cryptocurrency.
The PZChao campaign is attacking targets across Asia and the U.S. by using similar attack methods as that of The Iron Tiger, which some argue could signal the “possible return” of the notoriously known China-based Advanced Persistent Threat group of yesteryear.
Since at least July 2017 the “PZChao” campaign has been targeting organizations with a malicious VBS file attachments that deliver via targeted phish emails.
If executed as intended, the VBS script downloads additional payloads to an effected Windows machine from a distribution server hosting known as “down.pzchao.com,” which resolved to an IP address 18.104.22.168 which is in S. Korea.
The perps behind this attack campaign have control over at least 5 malicious subdomains of the “pzchao.com” URL, and each is used to serve specific tasks, such as download, upload, R.A.T related tasks, and malware DLL delivery.
The first payload dropped on the compromised machines is a Bitcoin miner, which displays as a ‘java.exe’ file, that then mines crypto-currency every 3 weeks at 3AM(because people are not in front of their systems).
For password theft, the malware deploys one of either two known versions of the Mimikatz password-scraping utility to harvest pw’s and then upload them to the C&C (command and control) server.
PZChaos final pay-load includes a modified version of the Gh0st remote access trojan (aka RAT) which is designed to act as a backdoor implant and acts very similar to the versions detected in cyber attacks associated with the Iron Tiger A.P.T group.
The Gh0st RAT is equipped with extensive cyber-espionage capabilities including:
- Allowing for the remote shutdown & reboot of the system.
- Downloading binaries from the Web to the remote host.
- Modifying & stealing files.
- Real-time as well as offline remote key-logging.
- Listing of all active processes & open windows.
- Listening in on conversations via the mic.
- Eavesdropping on webcam live video feeds.