New Attacks Attributed to Chinese Group “Codoso”

A cyber espionage group linked to China has been targeting organizations in various industries, Palo Alto Networks’ Unit 42 reported on Friday.

The threat actor, known as Codoso and C0d0so0, has been around since at least 2010, in the past focusing its activities on organizations in the defense, finance, energy, and government sectors, along with global think tanks and political dissidents.

A report on Codoso’s activities was published in February 2015 by iSIGHT Partners, a few months after the group abused Forbes.com and other legitimate websites in watering hole attacks aimed at financial services and defense companies in the United States and Chinese dissidents. The attacks involved a Flash Player zero-day that Adobe patched in December 2014 and a malware family known as Derusbi.

A new wave of attacks attributed by Palo Alto Networks to the Codoso group has been aimed at organizations in the telecommunications, education, high tech, legal services and manufacturing sectors. The attackers leveraged spear phishing emails and compromised websites used for watering hole attacks.

Researchers discovered two malware variants being used in these attacks. While they don’t appear to belong to any known family, their network communication structure is similar to the one seen in Derusbi, which experts say is unique to Chinese cyber espionage groups.

“Past observations of Derusbi in various attack campaigns indicate the version used was compiled specifically for that campaign. Derusbi has had both the client and server variants deployed, using different combinations of configurations and modules. The newly discovered activity is consistent with this procedure, with compile times only a few days prior to the observed attacks,” Palo Alto Networks researchers explained in a blog post.

One of the pieces of malware used by Codoso in its recent attacks is disguised as a serial number generator for AVG AntiVirus. Once it infects a system, the threat checks for the presence of sandboxes and virtual environments, and starts collecting information about the infected machine, including MAC address, IP, username, hostname, and CPU data.

The malware, which uses HTTP for network communications, attempts to download additional plugins from a remote server.

The second piece of malware, more recent than the first variant, is disguised as a DLL file that is side-loaded by a legitimate McAfee application. This threat, which uses a custom network protocol over port 22, also collects system information and downloads additional plugins from its server.

For command and control (C&C) communications, the threat actor has used three domains, all registered using Chinese addresses and all resolving to a Hong Kong IP.

“In these newly discovered C0d0s0 attacks, several of the targeted hosts were identified as server systems, instead of user endpoints, suggesting the possibility that these specific targets will be used in future attacks as additional watering holes. Both of the malware variants encoded and compressed the underlying network traffic to bypass any network-based security controls that were implemented,” experts noted.
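The second variant's use of a custom protocol over port 22, combined with the encoded and compressed traffic noted above, is a classic protocol-port mismatch that network monitoring can pick up. The check below is an added illustration, not code from the article or from Palo Alto Networks: it flags TCP sessions to port 22 whose first client bytes are not an SSH identification string (RFC 4253 requires both peers to send one). The session records, addresses and payload bytes are constructed sample data, not traffic from the campaign.

```python
# Added example: protocol-port mismatch check for port 22 over captured
# session records. Not from the article or the Palo Alto Networks report.
from dataclasses import dataclass
from typing import List

# Every SSH peer opens with an identification string of this form (RFC 4253).
SSH_BANNER_PREFIX = b"SSH-"


@dataclass
class Session:
    src: str
    dst: str
    dst_port: int
    first_client_bytes: bytes  # first bytes the client sent on the connection


# Constructed sample sessions (documentation-range addresses, invented payloads).
SAMPLE_SESSIONS: List[Session] = [
    Session("10.0.0.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),   # real SSH
    Session("10.0.0.7", "203.0.113.20", 22, b"\x1f\x8b\x08\x00\x00\x00"),  # gzip magic on 22
    Session("10.0.0.9", "203.0.113.30", 443, b"\x16\x03\x01\x02\x00"),     # TLS, not port 22
    Session("10.0.0.11", "203.0.113.40", 22, b"SS"),                       # too few bytes to judge
]


def is_ssh_banner(payload: bytes) -> bool:
    """True if the payload starts with an SSH identification string."""
    return payload.startswith(SSH_BANNER_PREFIX)


def looks_compressed(payload: bytes) -> bool:
    """Cheap hint that the payload is gzip or zlib data rather than a text protocol."""
    return payload.startswith(b"\x1f\x8b") or payload[:1] == b"\x78"


def find_port22_mismatches(sessions: List[Session], min_bytes: int = 4) -> List[Session]:
    """Return sessions to port 22 whose first client bytes are not an SSH banner.

    Sessions with fewer than min_bytes of client data are skipped: a
    verdict on an empty or truncated capture would only produce noise.
    """
    hits = []
    for s in sessions:
        if s.dst_port != 22 or len(s.first_client_bytes) < min_bytes:
            continue
        if not is_ssh_banner(s.first_client_bytes):
            hits.append(s)
    return hits


def describe(session: Session) -> str:
    """One-line alert text for a flagged session."""
    hint = "compressed-looking payload" if looks_compressed(session.first_client_bytes) else "non-SSH payload"
    return f"{session.src} -> {session.dst}:{session.dst_port} {hint}"


if __name__ == "__main__":
    for s in find_port22_mismatches(SAMPLE_SESSIONS):
        print(describe(s))
```

The threshold on observed bytes matters in practice: flow exporters often emit a record before any payload is seen, and alerting on those would bury the one session that actually carries a non-SSH protocol.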

Researchers have found several similarities between the latest attacks and the 2014 campaign involving Forbes.com. First, they noticed that the DLL file loaded by the legitimate McAfee application appears to be a newer variant of a DLL loaded in the Forbes.com attack, as the same unique strings have been found in both samples.

Secondly, the use of HTTP is shared between the malware disguised as the AVG serial number generator and the one seen in the 2014 campaign. Finally, experts noted that the capabilities of the analyzed samples are also similar.

Palo Alto Networks has pointed out that the Codoso group’s tactics, techniques, and procedures (TTPs) are more sophisticated than those of other threat actors.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
