COVID-19 Chinoxy Backdoor: A Network Perspective

Share This

To help the cybersecurity community defend its systems from COVID-19-themed threats, Nozomi Networks Labs is conducting threat intelligence research into the evolving situation. For example, we’ve been monitoring a prolific threat actor, very active in Asia, who has recently adapted malware delivery vectors to leverage the COVID-19 pandemic.

Both the initial exploit and the persistence techniques used by this actor, as well as its goals, are very well understood and discussed within the security community. Our new contribution examines how network traffic analysis leads to the detection of compromise by this specific threat actor.

Let’s look at how the Chinoxy Backdoor malware family works and what tools can be used to detect it.

A prolific threat actor, active in Asia, sends documents to people in Kyrgyzstan about how the United Nations is helping to fight COVID-19. Nozomi Networks Labs examined how network traffic analysis can detect this specific threat.

How the Chinoxy Backdroor Malware Exploits COVID-19 to Entrap Victims

The delivery vectors of this new version of the malware family typically take the form of an RTF document exploiting CVE-2017-11882, where the content of the document contains a message specifically crafted to trap intended victims. In this case, the authors focus on exploiting assistance the United Nations is providing to Kyrgyzstan to fight COVID-19.

Once a victim opens the document and the exploit runs successfully, three main artifacts are dropped onto the target machine:

  • A persistence mechanism, in this case a lnk file pointing to an executable, that runs when the user logs in
  • A clean executable, with a valid digital signature, pointed to by the lnk file
  • A DLL containing the implant, which gets sideloaded by the clean executable
The threat actor infects systems by getting people to click on an RTF file which claims to be about how the United Nations is helping Kyrgyzstan fight COVID-19.

Cyber Threat Analysis: Port 443 Is Used to Communicate with C&C Server

Based on the internal state of the DLL, different HTTP headers can be used to communicate back to the Command and Control server (C&C).

A screenshot of the disassembly shows how the HTTP request line is populated at runtime. It uses data fetched from the target machine, such as the system time, thread id and process id.

The disassembly screenshot shows how the HTTP request line is populated at runtime. It uses data fetched from the target machine, such as the system time, thread id and process id.

Infected machines send cleartext HTTP traffic, with destination port 443, to communicate with the C&C server.

Nozomi Networks Labs has developed a SNORT rule, which can be used by everyone in the community, to detect infections. It generates alerts when POST requests, using the request format required by the malware, are seen in network traffic.

# Created by Nozomi Networks Labs

alert tcp any any -> any 443 (msg:"Chinoxy C&C POST Beacon"; flow:established,to_server; content:"POST"; pcre:"/\/[A-F0-9]{16}\/\d{4}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/\d{1,2}\/[A-F0-9]{16} HTTP\/1\.1/"; content:"User-Agent: Mozilla/5.0"; sid:9000071; priority:9; metadata:created_at 2020_04_14;)

The SNORT rule is available from our COVID-19 Cybersecurity  and GitHub webpages. Updates will be posted as available.

OT and IoT Security Requires Real-time Network Monitoring 

Threat actors are constantly evolving their tools, tactics and procedures. Nonetheless, when they exfiltrate network data, they always leave a trail.

A clear understanding of the activity that takes place in your OT/IoT networks, and the ability to act upon such information, is key to a successful cybersecurity strategy.



“Interview with Suzanne Spaulding: Dealing with OT & IoT Security in the COVID-19 Era”

Duration: 30 Minutes

As global threat actors, including nation-states, exploit the COVID-19 crisis, OT and IoT security has become a greater challenge.

Watch or listen to this interview with former DHS Undersecretary, Suzanne Spaulding to find out more.

Learn about:

  • Her perspective on the emerging threat
  • How the potential consequences are driving actions in public and private sectors to manage global cybersecurity risks


  • Suzanne Spaulding, Former DHS Undersecretary Cybersecurity and Infrastructure Security Agency (CISA)
  • Andrea Carcano, Chief Product Officer
  • Chris Grove, Technology Evangelist

OT/IoT Security Report

Supply Chain and Persistent Ransomware Attacks Reach New Heights – February 2021

Learn about:

  • 7 trends defining today’s threat landscape
  • 18 specific threats you need to know about
  • Recent vulnerability research and exploitation trends
  • 7 types of vulnerabilities under active exploitation
  • 10 recommendations for securing OT/IoT networks

Let's get started

Discover how easy it is to identify and respond to cyber threats by automating your IoT and OT asset discovery, inventory, and management.

Vantage IQ

The next generation of AI-powered analysis and response for critical infrastructure and industrial operations.   Register for Preview Event