ChChes

Stone Panda is an APT (Advanced Persistent Threat) that is believed to originate from China. Due to the nature of their targets, often big corporations and government bodies, many speculate that the Stone Panda APT may be funded by the Chinese Government. They have launched several attacks against businesses based in Japan with the first one registered back in 2014. Often, the Stone Panda hacking group would employ the Poison Ivy RAT (Remote Access Trojan) and the PlugX RAT – these are hacking tools, which are not a product of the Stone Panda APT, but they like to borrow them.

Recently, there was yet another attack launched against a Japanese company in the pharmaceutical industry. In this most recent attack, it became apparent that the Stone Panda APT have developed their own unique hacking tool – the ChChes backdoor Trojan. What led malware experts to this conclusion is that upon closer inspection of the ChChes Trojan revealed that the authors did not borrow code from similar cyber threats, so this might be an entirely new project used exclusively by them. It is likely that the Stone Panda APT will employ the ChChes Trojan against high-profile targets only.

The authors of the ChChes backdoor are propagating their creation via the tried and tested method of spear phishing emails. It is likely that the Stone Panda hacking group may have conducted espionage campaigns prior to this attack because the phishing emails included personal information about the recipients, thus making the emails seem more legitimate and increase the chances of the user to fall for the APT’s trap. The phishing emails would include a macro-laced document file which would launch the ChChes Trojan once opened.

The ChChes is programmed to use the %TEMP% Windows folder to store all of its data. Of course, its components are given randomized names. The ChChes Trojan will begin gathering basic information about the host:

• Username.
• Windows version.
• Process identifier.

Then, the ChChes backdoor will transfer all the data collected to the C&C (Command & Control) servers of the attackers.

The ChChes Trojan has a short list of capabilities:

• Uploading and downloading files.
• Executing shell commands.
• Loading additional modules.

The fact that the ChChes Trojan does not gain persistency makes some speculate that this threat is only meant to employed as a first-stage payload which only has to be run once for it to allow additional, second-stage malware, to infiltrate the targeted system.

The Stone Panda APT seems to be continuously improving their hacking arsenal and upgrading their tools. Businesses need to take cybersecurity very seriously as one single cyber-attack, if performed well, can be enough to cause irreparable damage.