COVID-19 Chinoxy Backdoor: A Network Perspective

COVID-19 Chinoxy Backdoor: A Network Perspective

To help the cybersecurity community defend its systems from COVID-19-themed threats, Nozomi Networks Labs is conducting threat intelligence research into the evolving situation. For example, we’ve been monitoring a prolific threat actor, very active in Asia, who has recently adapted malware delivery vectors to leverage the COVID-19 pandemic.

Both the initial exploit and the persistence techniques used by this actor, as well as its goals, are very well understood and discussed within the security community. Our new contribution examines how network traffic analysis leads to the detection of compromise by this specific threat actor.

Let’s look at how the Chinoxy Backdoor malware family works and what tools can be used to detect it.

How the Chinoxy Backdroor Malware Exploits COVID-19 to Entrap Victims

The delivery vectors of this new version of the malware family typically take the form of an RTF document exploiting CVE-2017-11882, where the content of the document contains a message specifically crafted to trap intended victims. In this case, the authors focus on exploiting assistance the United Nations is providing to Kyrgyzstan to fight COVID-19.

Once a victim opens the document and the exploit runs successfully, three main artifacts are dropped onto the target machine:

  • A persistence mechanism, in this case a lnk file pointing to an executable, that runs when the user logs in
  • A clean executable, with a valid digital signature, pointed to by the lnk file
  • A DLL containing the implant, which gets sideloaded by the clean executable
Threat actor
The threat actor infects systems by getting people to click on an RTF file which claims to be about how the United Nations is helping Kyrgyzstan fight COVID-19.

Cyber Threat Analysis: Port 443 Is Used to Communicate with C&C Server

Based on the internal state of the DLL, different HTTP headers can be used to communicate back to the Command and Control server (C&C).

A screenshot of the disassembly shows how the HTTP request line is populated at runtime. It uses data fetched from the target machine, such as the system time, thread id and process id.

Disassembly screenshot
The disassembly screenshot shows how the HTTP request line is populated at runtime. It uses data fetched from the target machine, such as the system time, thread id and process id.

Infected machines send cleartext HTTP traffic, with destination port 443, to communicate with the C&C server.

Nozomi Networks Labs has developed a SNORT rule, which can be used by everyone in the community, to detect infections. It generates alerts when POST requests, using the request format required by the malware, are seen in network traffic.

# Created by Nozomi Networks Labs

alert tcp any any -> any 443 (msg:"Chinoxy C&C POST Beacon"; flow:established,to_server; content:"POST"; pcre:"/\/[A-F0-9]{16}\/\d{4}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/[A-F0-9]{16} HTTP\/1\.1/"; content:"User-Agent: Mozilla/5.0"; sid:9000071; priority:9; metadata:created_at 2020_04_14;)

The SNORT rule is available from our COVID-19 Cybersecurity and GitHub webpages. Updates will be posted as available.

OT and IoT Security Requires Real-time Network Monitoring

Threat actors are constantly evolving their tools, tactics and procedures. Nonetheless, when they exfiltrate network data, they always leave a trail.

A clear understanding of the activity that takes place in your OT/IoT networks, and the ability to act upon such information, is key to a successful cybersecurity strategy.