Chinoxy

Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[1]

ID: S1041
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 21 September 2022
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Chinoxy has used the name eoffice.exe in an attempt to appear as a legitimate file.[1]

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

Chinoxy can use a digitally signed binary ("Logitech Bluetooth Wizard Host Process") to load its DLL into memory.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

The Chinoxy dropping function can initiate decryption of its config file.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Chinoxy has established persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key and by loading a dropper to %COMMON_STARTUP%\eoffice.exe.[1]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Chinoxy has encrypted its configuration file.[1]

Campaigns

ID Name Description
C0007 FunnyDream

During FunnyDream, Chinoxy was used to gain persistence and deploy other malware components.[1]

References