Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New Attacks Attributed to Chinese Group “Codoso”

A cyber espionage group linked to China has been targeting organizations in various industries, Palo Alto Networks’ Unit 42 reported on Friday.

A cyber espionage group linked to China has been targeting organizations in various industries, Palo Alto Networks’ Unit 42 reported on Friday.

The threat actor, known as Codoso and C0d0so0, has been around since at least 2010, in the past focusing its activities on organizations in the defense, finance, energy, and government sectors, along with global think tanks and political dissidents.

A report on Codoso’s activities was published in February 2015 by iSIGHT Partners, a few months after the group abused and other legitimate websites in watering hole attacks aimed at financial services and defense companies in the United States and Chinese dissidents. The attacks involved a Flash Player zero-day that Adobe patched in December 2014 and a malware family known as Derusbi.

A new wave of attacks attributed by Palo Alto Networks to the Codoso group has been aimed at organizations in the telecommunications, education, high tech, legal services and manufacturing sectors. The attackers leveraged spear phishing emails and compromised websites used for watering hole attacks.

Researchers discovered two malware variants being used in these attacks, and while they don’t appear to belong to any known family, their network communication structure is similar to the one seen at Derusbi, which experts say is unique to Chinese cyber espionage groups.

“Past observations of Derusbi in various attack campaigns indicate the version used was compiled specifically for that campaign. Derusbi has had both the client and server variants deployed, using different combinations of configurations and modules. The newly discovered activity is consistent with this procedure, with compile times only a few days prior to the observed attacks,” Palo Alto Networks researchers explained in a blog post.

One of the pieces of malware used by Codoso in its recent attacks is disguised as a serial number generator for AVG AntiVirus. Once it infects a system, the threat checks for the presence of sandboxes and virtual environments, and starts collecting information about the infected machine, including MAC address, IP, username, hostname, and CPU data.

The malware, which uses HTTP for network communications, attempts to download additional plugins from a remote server.

The second piece of malware, more recent than the first variant, is disguised as a DLL file that is side-loaded by a legitimate McAfee application. This threat, which uses a custom network protocol over port 22, also collects system information and downloads additional plugins from its server.

For command and control (C&C) communications, the threat actor has used three domains, all registered using Chinese addresses and all resolving to a Hong Kong IP.

“In these newly discovered C0d0s0 attacks, several of the targeted hosts were identified as server systems, instead of user endpoints, suggesting the possibility that these specific targets will be used in future attacks as additional watering holes. Both of the malware variants encoded and compressed the underlying network traffic to bypass any network-based security controls that were implemented,” experts noted.

Researchers have found several similarities between the latest attacks and the 2014 campaign involving First, they noticed that the DLL file loaded by the legitimate McAfee application appears to be a newer variant of a DLL loaded in the attack, as the same unique strings have been found in both samples.

Secondly, the use of HTTP is shared between the malware disguised as the AVG serial number generator and the one seen in the 2014 campaign. Finally, experts noted that the capabilities of the analyzed samples are also similar.

Palo Alto Networks has pointed out that the Codoso group’s tactics, techniques, and procedures (TTPs) are more sophisticated compared to other threat actors.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...