
Your Feed is from
CyberWisdom Safe Harbor Commentary
The discovery of custom-built malware capable of stealing passwords, mining bitcoin, and giving attackers complete access to compromised systems could signal the return of a notorious hacking group.
Attacks by Operation PZChao are targeting government, technology, education and telecommunications organisations in North America and Asia. Compromised targets are controlled through a network of malicious subdomains, each named PZChao.
The nature of the attacks, as well as the infrastructure and payloads used, including variants of the Gh0st RAT trojan, have led researchers at Bitdefender to conclude that they could signify the return of the Iron Tiger APT (advanced persistent threat) operation.
Iron Tiger is thought to have been active since 2010, to be China-based, and to have been behind previous campaigns that resulted in the theft of large numbers of records from US contractors. The group is also said to have conducted espionage against targets in China and other parts of Asia.
The PZChao campaign attacks targets similar to those of Iron Tiger in North America and Asia, using similar attack techniques, so both may be the work of the same threat actor.
Bogdan Botezatu, a senior cyber threat analyst at Bitdefender, told ZDNet: “We can only infer the attribution, but one thing is certain: the Gh0stRat sample used in the Iron Tiger APT attack is very similar to the one identified in the PZChao attack.”
Capabilities
One of the key goals of the attacks is to steal passwords, which the malware achieves by deploying one of two versions of the Mimikatz password-scraping utility, depending on whether the system architecture is x86 or x64. Once extracted, passwords are uploaded to the command and control server.
The most powerful component of the malware consists of a modified version of the Gh0st RAT trojan, which provides the attackers with a backdoor into compromised systems, allowing almost complete control of the infected system. The behavior of Gh0st RAT is described as “very similar” to attacks associated with the Iron Tiger attack group.
Gh0st RAT can log keystrokes, eavesdrop on webcams, listen remotely through the microphone, shut down and reboot the host, covertly monitor, modify and exfiltrate files, enumerate all active processes, and more.
It is ultimately a fully-functioning cyber-espionage tool which can be used by the attackers to steal information, drop more malware and perform any number of malicious deeds.
While researchers describe the tools used in these attacks as a few years old and ‘battle-tested’, the malware is still very much capable of carrying out the espionage it is intended for, as demonstrated by continued infections against targets in technologically advanced industries around the world.
The post Espionage malware snoops for passwords, mines bitcoin on the side appeared first on Safe Harbor on Cyber.
