Complex PZChao Windows Malware Being Monitored by Experts
PZChao, a new and complex piece of Windows malware, has been under observation by security researchers since July 2017.
The researchers tracking it work at security firm Bitdefender; they named the malware PZChao after the domain on which its command and control server resides.
Bitdefender has released a detailed white paper on the threat that covers its infrastructure, payloads and targets. The white paper says: “The past few years have seen high-profile cyber-attacks shift from damaging the targets’ digital infrastructures to stealing highly sensitive data, silently monitoring the victim and constantly laying the ground for a new wave of attacks…This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.”
The Bitdefender researchers note that the threat relies on a network of malicious subdomains, each dedicated to a specific task. The white paper says: “An interesting feature of this threat, which drew our team to the challenge of analyzing it, is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery). The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system…In the analysis process, we managed to retrieve the malware payloads hosted on one of the command and control servers along with some statistics, such as the total number of downloads and logs containing the targeted victims. Among the most-downloaded malicious files, we found variants of Gh0st RAT used in Iron Tiger APT operation. Interestingly enough, these new samples now connect to the new attack infrastructure.”
The malware has targeted high-value institutions, mainly in the US and Asia: chiefly the government sector, the technology and telecommunications industry, and the education sector.
The malware appears to spread through highly targeted spam messages carrying a malicious VBS attachment. The script acts as a downloader, fetching further payloads from a distribution server whose IP address Bitdefender traced to South Korea (the hosting location of a server says nothing by itself about who operates it). The white paper says: “The distribution server has been resolved to an IP address located in South Korea as of July 17, 2017, when we first isolated the initial payload. The IP address “220.127.116.11” hosts the “down.pzchao.com”.”
The threat actors control five subdomains of the “pzchao.com” domain. Their aim is data exfiltration sustained over a long period rather than a one-off hit.
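The infection chain above yields three concrete indicators a defender can hunt for: the parent domain pzchao.com, the download host down.pzchao.com, and the distribution IP quoted on the page, plus the VBS-attachment delivery vector. The following is an added example, not Bitdefender's or the article's code, showing how to match those indicators against proxy logs and mail attachment names. The log lines, the attachment names and the subdomain up.pzchao.com are constructed for the demonstration (the page names only down.pzchao.com); domain matching is done on DNS labels so that a lookalike such as notpzchao.com is not a false positive.

```python
"""IOC matching for the PZChao infection chain (added example, not the article's code)."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators named on the page.
C2_PARENT_DOMAIN = "pzchao.com"
DISTRIBUTION_HOST = "down.pzchao.com"
DISTRIBUTION_IP = "220.127.116.11"  # IP address as quoted on the page

# Constructed proxy log (not real traffic), one request per line:
# "<utc time> <client> <method> <url> <status>".
# up.pzchao.com is a hypothetical second subdomain; the page names only down.pzchao.com.
SAMPLE_PROXY_LOG = """\
2017-07-17T09:12:01Z 10.0.0.15 GET http://down.pzchao.com/files/1.exe 200
2017-07-17T09:12:04Z 10.0.0.15 POST http://up.pzchao.com/log 200
2017-07-17T09:13:10Z 10.0.0.22 GET http://www.example.com/index.html 200
2017-07-17T09:14:33Z 10.0.0.22 GET http://notpzchao.com/page 200
2017-07-17T09:15:00Z 10.0.0.31 GET http://220.127.116.11/files/1.exe 404
"""

# Constructed attachment names for the VBS-attachment delivery vector.
SAMPLE_ATTACHMENTS = ["invoice.pdf", "report.vbs", "scan.PDF.vbe", "notes.txt"]

# Extensions handled by Windows Script Host; a double extension like scan.PDF.vbe still ends here.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "wsf", "js", "jse"}


def host_in_domain(host: str, domain: str) -> bool:
    """Label-aware suffix match: down.pzchao.com is in pzchao.com, notpzchao.com is not."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_host(host: str) -> Optional[str]:
    """Return why a host is an indicator hit, or None if it is clean."""
    if host == DISTRIBUTION_IP:
        return "distribution server IP"
    if host.lower().rstrip(".") == DISTRIBUTION_HOST:
        return "distribution host"
    if host_in_domain(host, C2_PARENT_DOMAIN):
        return "C2 subdomain"
    return None


def scan_proxy_log(log_text: str) -> List[Dict[str, str]]:
    """Walk the log and collect every request whose host matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, _method, url, _status = line.split()
        host = urlsplit(url).hostname or ""
        reason = classify_host(host)
        if reason:
            hits.append({"time": when, "client": client, "host": host, "reason": reason})
    return hits


def is_script_attachment(filename: str) -> bool:
    """True when the final extension is a script type, regardless of any earlier extensions."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in SCRIPT_EXTENSIONS


def flag_attachments(names: List[str]) -> List[str]:
    return [n for n in names if is_script_attachment(n)]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} ({hit['reason']})")
    print("script attachments:", flag_attachments(SAMPLE_ATTACHMENTS))
```

Matching on the parent domain rather than only on down.pzchao.com is deliberate: the page says the operators hold five subdomains but names just one, so a domain-level rule covers the upload, RAT and DLL-delivery hosts without knowing their names. The attachment check looks only at the last extension, which is what Windows uses to pick the handler.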
The server, and reportedly the entire infrastructure, has since been taken offline after complaints were filed with the South Korean authorities. That offers no relief to victims whose systems are already compromised: the implants remain in place, and the operators can stand the same environment up on another server elsewhere and resume their attacks.
By Julia Sowells
Julia Sowells is a technology and security professional with a decade of experience. She has worked on dozens of large-scale enterprise security projects, written technical articles and served as technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her spare time.