Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Chinoxy has established persistence via the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | The Chinoxy dropping function can initiate decryption of its config file. |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Chinoxy can use a digitally signed binary ("Logitech Bluetooth Wizard Host Process") to load its DLL into memory. |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Chinoxy has used the name |
| Enterprise | T1027 | Obfuscated Files or Information | |
During FunnyDream, Chinoxy was used to gain persistence and deploy other malware components.