S0144 ChChes
ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.[3][4][5]
| Item | Value |
|---|---|
| ID | S0144 |
| Associated Names | Scorpion, HAYMAKER |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 23 March 2023 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Scorpion | [5] |
| HAYMAKER | Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes.[2][1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[3][4] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | ChChes establishes persistence by adding a Registry Run key.[5] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | ChChes steals credentials stored inside Internet Explorer.[5] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | ChChes can encode C2 data with a custom technique that utilizes Base64.[3][4] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | ChChes can encrypt C2 traffic with AES or RC4.[3][4] |
| enterprise | T1083 | File and Directory Discovery | ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | ChChes can alter the victim's proxy configuration.[5] |
| enterprise | T1105 | Ingress Tool Transfer | ChChes is capable of downloading files, including additional modules.[3][4][2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[5] |
| enterprise | T1057 | Process Discovery | ChChes collects its process identifier (PID) on the victim.[3] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[3][4][5] |
| enterprise | T1082 | System Information Discovery | ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[3][5] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0045 | menuPass | [5] |
References
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.