S1041 Chinoxy
Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[1]
| Item | Value |
|---|---|
| ID | S1041 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 21 September 2022 |
| Last Modified | 10 October 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Chinoxy has established persistence via the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` registry key and by loading a dropper into the common Startup folder (`%COMMON_STARTUP%\eoffice.exe`).[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | The Chinoxy dropping function can initiate decryption of its config file.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | Chinoxy can use a digitally signed binary ("Logitech Bluetooth Wizard Host Process") to load its DLL into memory.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Chinoxy has used the name `eoffice.exe` in an attempt to appear as a legitimate file.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Chinoxy has encrypted its configuration file.[1] |
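As an added example (not part of the ATT&CK entry or any vendor tooling), the following Python checks the host artefacts the table above describes against constructed sample telemetry: a Run-key value or common Startup file named `eoffice.exe`, and a DLL loaded by the signed "Logitech Bluetooth Wizard Host Process" from outside trusted system directories. The telemetry field names, file paths and sample data are assumptions made for the example.

```python
from pathlib import PureWindowsPath

# Indicators taken from the ATT&CK entry: the dropper name, the Run key, and the
# file description of the signed host process abused for DLL side-loading.
DROPPER_NAME = "eoffice.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SIDELOAD_HOST_DESCRIPTION = "Logitech Bluetooth Wizard Host Process"
# Assumed trusted roots; a DLL loaded by the signed host from elsewhere is suspicious.
TRUSTED_DLL_ROOTS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                     r"C:\Program Files", r"C:\Program Files (x86)")


def _under(path, roots):
    """True if path lies below one of the given directory roots (case-insensitive)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(r.lower() + "\\") for r in roots)


def find_chinoxy_indicators(run_values, startup_files, image_loads):
    """Return one finding string per matching artefact.

    run_values:    {registry value path: target it launches}
    startup_files: file paths found in the common Startup folder
    image_loads:   dicts with hypothetical keys 'image_description' and 'loaded_dll'
    """
    findings = []
    for value_path, target in run_values.items():          # T1547.001 (Run key)
        if (value_path.lower().startswith(RUN_KEY.lower())
                and PureWindowsPath(target).name.lower() == DROPPER_NAME):
            findings.append(f"Run key {value_path} launches {target}")
    for f in startup_files:                                  # T1547.001 / T1036.005
        if PureWindowsPath(f).name.lower() == DROPPER_NAME:
            findings.append(f"Startup folder contains {f}")
    for ev in image_loads:                                   # T1574.002
        if (ev["image_description"] == SIDELOAD_HOST_DESCRIPTION
                and not _under(ev["loaded_dll"], TRUSTED_DLL_ROOTS)):
            findings.append(f"{SIDELOAD_HOST_DESCRIPTION} loaded {ev['loaded_dll']}")
    return findings


# Constructed sample telemetry: two benign entries and three matching the entry.
SAMPLE_RUN_VALUES = {
    RUN_KEY + r"\OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    RUN_KEY + r"\eoffice": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\eoffice.exe",
}
SAMPLE_STARTUP_FILES = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\eoffice.exe",
]
SAMPLE_IMAGE_LOADS = [
    {"image_description": SIDELOAD_HOST_DESCRIPTION, "loaded_dll": r"C:\Windows\System32\kernel32.dll"},
    {"image_description": SIDELOAD_HOST_DESCRIPTION, "loaded_dll": r"C:\Users\Public\Libraries\helper.dll"},
    {"image_description": "Microsoft Word", "loaded_dll": r"C:\Users\Public\Libraries\helper.dll"},
]

if __name__ == "__main__":
    for line in find_chinoxy_indicators(SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES, SAMPLE_IMAGE_LOADS):
        print(line)
```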