ChChes
Associated Software Descriptions
| Name | Description |
|---|---|
| Scorpion | |
| HAYMAKER | Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes.[4][5] |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol:Web Protocols | ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[1][2] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder | ChChes establishes persistence by adding a Registry Run key.[3] |
| Enterprise | T1555 | .003 | Credentials from Password Stores:Credentials from Web Browsers | ChChes steals credentials stored inside Internet Explorer.[3] |
| Enterprise | T1132 | .001 | Data Encoding:Standard Encoding | ChChes can encode C2 data with a custom technique that utilizes Base64.[1][2] |
| Enterprise | T1573 | .001 | Encrypted Channel:Symmetric Cryptography | |
| Enterprise | T1083 | File and Directory Discovery | ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[4] | |
| Enterprise | T1562 | .001 | Impair Defenses:Disable or Modify Tools | |
| Enterprise | T1105 | Ingress Tool Transfer | ChChes is capable of downloading files, including additional modules.[1][2][4] | |
| Enterprise | T1036 | .005 | Masquerading:Match Legitimate Resource Name or Location | ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[3] |
| Enterprise | T1057 | Process Discovery | ChChes collects its process identifier (PID) on the victim.[1] | |
| Enterprise | T1553 | .002 | Subvert Trust Controls:Code Signing | ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[1][2][3] |
| Enterprise | T1082 | System Information Discovery | ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[1][3] | |
Groups That Use This Software
References
- Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved November 17, 2024.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.