Software: ChChes, Scorpion, HAYMAKER
Aliases: ChChes, Scorpion, HAYMAKER
ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.[1][2][3]
- ChChes [1][2][3]
- Scorpion [3]
- HAYMAKER - Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes.[4][5]
- Code Signing - ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[1][2][3]
- System Information Discovery - ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[1][3]
- File and Directory Discovery - ChChes identifies the file path for the %TEMP% directory and sets its current working directory to that path.[1]
- Standard Application Layer Protocol - ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[1][2]
- Custom Cryptographic Protocol - ChChes can encrypt C2 data with a custom technique using MD5, base64-encoding, and RC4.[1][2]
- Masquerading - ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[3]
- File and Directory Discovery - ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[4]
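The Cookie-header C2 channel and the base64-wrapped encoding described in the technique list are the kind of behaviour a proxy-log heuristic can surface. The following is an added example, not code from this page or from any of the cited reports: it flags cookie values that look like encoded payloads (long, strictly base64 alphabet, high entropy, decodable, and not a plain hex session token) across a constructed tab-separated log format. The log format, field layout, thresholds, and every sample line are assumptions of the example; the "payload" is seeded pseudo-random data, not real ChChes traffic.

```python
"""Heuristic detection of data smuggled in HTTP Cookie headers.

Added example (not part of the original page). Flags Cookie values that look
like base64-encoded payloads rather than ordinary session tokens. The log
format and all sample lines below are constructed for the demo.
"""
import base64
import hashlib
import math
import random
import re
from typing import Dict, List

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'} (a bare token gets an empty value)."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def is_suspicious_value(value: str, min_len: int = 48, min_entropy: float = 3.5) -> bool:
    """True if a cookie value looks like an encoded payload rather than a session
    token: long, strictly base64 alphabet, not plain hex, high entropy, decodable.
    Thresholds are assumptions for the demo; tune them against your own baseline."""
    if len(value) < min_len or not B64_RE.match(value):
        return False
    if HEX_RE.match(value):          # hex session IDs are common and benign
        return False
    if shannon_entropy(value) < min_entropy:
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return False
    return True


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Constructed log format: tab-separated time, src_ip, method, host, path,
    Cookie header. Returns one finding per suspicious cookie value."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue                 # malformed line: skip rather than crash
        _time, src_ip, _method, host, _path, cookie_header = fields
        for name, value in parse_cookie_header(cookie_header).items():
            if is_suspicious_value(value):
                findings.append({"line": lineno, "src_ip": src_ip, "host": host,
                                 "cookie": name, "length": len(value),
                                 "entropy": round(shannon_entropy(value), 2)})
    return findings


# Constructed sample traffic. The "payload" is 96 seeded pseudo-random bytes,
# base64-encoded, standing in for an encoded beacon; it is not real malware data.
_rng = random.Random(7)
_PAYLOAD = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(96))).decode()
_HEX_SESSION = hashlib.sha256(b"demo-session").hexdigest()   # 64-char hex id, benign

SAMPLE_LOGS = [
    "2017-02-16T10:00:01Z\t10.0.0.5\tGET\twww.example.org\t/index.html\tsession=abc123; theme=dark",
    "2017-02-16T10:00:02Z\t10.0.0.5\tGET\tintranet.example.org\t/\tsid=" + _HEX_SESSION,
    "2017-02-16T10:00:03Z\t10.0.0.7\tGET\t203.0.113.10\t/\tuid=" + _PAYLOAD + "; lang=en",
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
```

Only the third line is reported: the cookie named uid carries a 128-character base64 blob, while the hex session id on line two is excluded even though it is long. Expect false positives from legitimate base64 cookies (serialized consent banners, some SSO tokens), so in practice pair this heuristic with destination reputation and beacon-timing analysis rather than alerting on it alone.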
The following groups use this software:
- [1] Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- [2] Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
- [3] PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.