S1041 Chinoxy
Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.1
| Item | Value |
|---|---|
| ID | S1041 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 21 September 2022 |
| Last Modified | 11 April 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Chinoxy has established persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key and by loading a dropper to %COMMON_STARTUP%\eoffice.exe.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | The Chinoxy dropping function can initiate decryption of its config file.1 |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | Chinoxy can use a digitally signed binary (“Logitech Bluetooth Wizard Host Process”) to load its DLL into memory.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Chinoxy has used the name eoffice.exe in an attempt to appear as a legitimate file.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Chinoxy has encrypted its configuration file.1 |
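The two persistence locations attributed to Chinoxy above (T1547.001 and T1036.005) can be checked on a host with the following added hunting script. It is not part of the ATT&CK page or of any vendor tooling; the only indicator it uses is the file name eoffice.exe given on this page, and it assumes a default Windows layout where `%COMMON_STARTUP%` resolves through the shell's CommonStartup special folder.

```powershell
# Added hunting example (not from the ATT&CK page). Looks for the eoffice.exe
# indicator in the HKCU Run key and the all-users Startup folder.
$Indicator = 'eoffice.exe'
$Findings  = @()

# 1. HKCU Run key: flag any value whose command line references the indicator.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $RunKey) {
    $Props = Get-ItemProperty -Path $RunKey
    foreach ($p in $Props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match [regex]::Escape($Indicator)) {
            $Findings += [pscustomobject]@{
                Location = "$RunKey\$($p.Name)"
                Detail   = $p.Value
            }
        }
    }
}

# 2. All-users Startup folder (%COMMON_STARTUP%), resolved via the .NET shell API
#    rather than a hard-coded path so it works on non-default installs.
$CommonStartup = [Environment]::GetFolderPath('CommonStartup')
$Dropper = Join-Path $CommonStartup $Indicator
if (Test-Path $Dropper) {
    $Sig  = Get-AuthenticodeSignature -FilePath $Dropper
    $Hash = (Get-FileHash -Algorithm SHA256 -Path $Dropper).Hash
    $Findings += [pscustomobject]@{
        Location = $Dropper
        Detail   = "SHA256=$Hash; Signature=$($Sig.Status)"
    }
}

# 3. Report. The signed-host-plus-side-loaded-DLL pattern (T1574.001) is not
#    covered here because the page does not give the host binary's file name.
if ($Findings.Count -eq 0) {
    Write-Output "No Chinoxy persistence indicators found in Run key or $CommonStartup."
} else {
    $Findings | Format-Table -AutoSize
}
```

Run it in an elevated session if the all-users Startup folder is not readable by the current account; a hit on either location warrants pulling the file for analysis rather than deleting it in place.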