| Name | Description |
|---|---|
| Scorpion | |
| HAYMAKER | Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes.[4][5] |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | ChChes steals credentials stored inside Internet Explorer.[3] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[3] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | ChChes establishes persistence by adding a Registry Run key.[3] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[1][2] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | ChChes can encode C2 data with a custom technique that utilizes Base64.[1][2] |
| Enterprise | T1083 | File and Directory Discovery | ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[4] |
| Enterprise | T1082 | System Information Discovery | ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[1][3] |
| Enterprise | T1105 | Ingress Tool Transfer | ChChes is capable of downloading files, including additional modules.[1][2][4] |
| Enterprise | T1057 | Process Discovery | ChChes collects its process identifier (PID) on the victim.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[1][2][3] |