ChChes
ChChes is a backdoor Trojan that provides system information to the remote attacker, can download, upload, and execute files, and may process additional commands for other attacks. Although it's not persistent innately and, as a result, isn't a long-term-resident threat, ChChes infections can herald the escalation of a security breach by introducing other Trojans. Users should monitor e-mail security for weaknesses and keep anti-malware products available for detecting or deleting ChChes.
The Door that Stays Open Just as Long as Necessary
Most Trojans that have system access-granting payloads, with themes such as manipulating the victim's files or offering a remote desktop, have designs that imply their long-term residence on the PC they're infecting. That's not the case with each backdoor Trojan in existence, however. For instance, state-sponsored Black Hat software can include more specialized and narrowly-targeted Trojans, such as APT10's ChChes.
Standard system-introduction tactics for ChChes involve abusing e-mail messages with contents with target-appealing designs, such as industry and company-specific references and appropriate linguistics. The file that serves as the 'hook' for these lures, usually, is either a document or an imitation of one and delivers ChChes. This strategy is traditional for many, state-sponsored hackings, but especially for ChChes's threat actor, APT 10 (AKA, Stone Panda or menuPass – China's Ministry of State Security).
Unlike most backdoor Trojans, ChChes isn't persistent and will not restart, if the computer reboots. This limitation places ChChes in the role of a 'first-stage' threat that delivers more persistent ones, according to the directions of the Command & Control server. Its C&C communications use an unusual procedure of back-and-forth information passing, including victim hashes, before ChChes receives and loads a DLL module for other attacks.
Malware experts haven't confirmed all of ChChes's modules, but examples of some of their features include downloading and uploading content, as well as shell command execution.
Chiseling Away at Stone Panda's Claws
Any ChChes infection is nearly certain of instigating further attacks with the installation of Black Hat tools like PlugX, the Trochilus RAT, the password-collecting Mimikatz, and other Trojans and spyware. All of these threats and others not elaborated on here are utilities available to APT10, whose attacks leverage both technical and social engineering tactics against their victims. Government, NGO, and business networks in Asia, especially, are at risk.
Because of the absence of a system persistence feature, such as a Registry alteration or a newly-scheduled Windows task, users can reboot their computers for stopping ChChes temporarily. However, this act doesn't remove it or deal with any of the associated threats. Anti-malware solutions should delete ChChes while scanning your computer, and until then, any Internet and local network connections should be left off.
Collected certificates, inaccurate icons, encryption, and an array of dedicated C&C domains are just a few of the gears that make this Trojan work. Putting a stop to modern-day software monitoring requires more than watching what e-mailed files you open, but that can be a helpful first step.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.