
Threat Group Cards: A Threat Actor Encyclopedia

Tool: ChChes

Names: ChChes, HAYMAKER, Ham Backdoor, Scorpion
Category: Malware
Type: Backdoor
Description: (Palo Alto) In addition to using PlugX and Poison Ivy (PIVY), both known to be used by the group, they also used a new Trojan called “ChChes” by the Japan Computer Emergency Response Team Coordination Center (JPCERT). In contrast to PlugX and PIVY, which are used by multiple campaigns, ChChes appears to be unique to this group. An analysis of the malware family can be found later in this blog.

Interestingly, the ChChes samples we observed were digitally signed using a certificate originally used by HackingTeam and later part of the data leaked when they were themselves hacked. Wapack labs also observed a similar sample targeting Japan in November. It’s not clear why the attackers chose to use this certificate, as it was old, had been leaked online, and had already been revoked by the time they used it. Digital certificates are typically used because they afford an air of legitimacy, which this one definitely does not.
Information:
<https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/>
<https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html>
<https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html>
<https://www.jpcert.or.jp/magazine/acreport-ChChes.html>
<https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf>
MITRE ATT&CK: <https://attack.mitre.org/software/S0144/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.chches>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:chches>

Last change to this tool card: 13 May 2020


All groups using tool ChChes

Changed   Name                              Country   Observed

APT groups

          Snake Wine                        China     2016
X         Stone Panda, APT 10, menuPass     China     2006-Jul 2020

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
