ChChes

Malware Profile Updated 3 months ago
ChChes is a malware family attributed to the Advanced Persistent Threat (APT) group tracked as menuPass (also known as APT10). It was first identified in 2016, in attacks on Japanese academics, pharmaceutical companies, and a US-based subsidiary of a Japanese manufacturing organization. ChChes serves as a first-stage implant: once on a host it collects information about the victim and loads whatever additional modules its operators supply.

The Trojan is unique to menuPass. That distinguishes it from tools such as PlugX and Poison Ivy (PIVY), which are shared across many campaigns and actors. It does, however, share code with other families: Trend Micro's analysis of Earth Yako found that the group's MirrorKey malware uses the same encryption routine as the APT10 families RedLeaves and ChChes. Observed ChChes samples were also digitally signed with a certificate originally used by HackingTeam, a company whose internal data was exposed in a major breach. Newer ChChes builds share an import hash (imphash) with other menuPass tooling, which is what first linked the samples together.

ChChes communicates with its command-and-control (C2) server through an initial HTTP beacon. The beacon carries a Base64-encoded data field holding a structured payload that includes a module for ChChes to load and run. The URI is randomly generated for every HTTP request the malware makes, so there is no static path for a network signature to match; detection has to rely on the shape of the request and the behaviour of the host rather than on the URI itself.
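The two beacon traits described above (a fresh random URI on every request, and a Base64 blob carried in a header field) are exactly what a static URI signature cannot catch, but they are visible statistically in proxy logs. The script below is an added example written for this page; it is not code from the page, from menuPass, or from any vendor. It parses constructed proxy-log lines, groups requests by client and destination, and flags pairs whose URIs are almost all distinct and high-entropy and whose cookie values decode as Base64. The log format, the cookie field, the thresholds and every sample value are assumptions, and the result is a generic beacon heuristic, not a ChChes signature.

```python
"""Heuristic for HTTP beacons that use a random URI per request and carry a
Base64 payload in a header field. Added illustration for this page; the log
format, field names, thresholds and sample lines are all constructed."""
import base64
import binascii
import math
import re
from collections import defaultdict

# Assumed proxy-log shape (constructed for this example):
#   <client> <server> <method> <uri> cookie="<cookie value>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) '
    r'cookie="(?P<cookie>[^"]*)"$'
)
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def shannon_entropy(s):
    """Bits per character of s; 0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_base64(value, min_len=16):
    """True if value is a syntactically valid Base64 blob of useful length."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def parse_log(text):
    """Parse log lines matching LOG_RE; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def score_pairs(records, min_requests=4,
                distinct_thresh=0.9, entropy_thresh=3.0, b64_thresh=0.8):
    """Group requests by (client, server) and compute beacon indicators.

    A pair is marked suspicious when nearly every request used a different
    URI, the URIs look random (high character entropy) and most cookie
    values decode as Base64. The thresholds are assumptions, not tuned values.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"])].append(r)
    findings = {}
    for key, reqs in groups.items():
        if len(reqs) < min_requests:
            continue
        uris = [r["uri"] for r in reqs]
        distinct_ratio = len(set(uris)) / len(uris)
        mean_entropy = sum(shannon_entropy(u.strip("/")) for u in uris) / len(uris)
        b64_ratio = sum(looks_base64(r["cookie"]) for r in reqs) / len(reqs)
        findings[key] = {
            "requests": len(reqs),
            "distinct_uri_ratio": distinct_ratio,
            "mean_uri_entropy": mean_entropy,
            "base64_cookie_ratio": b64_ratio,
            "suspicious": (distinct_ratio >= distinct_thresh
                           and mean_entropy >= entropy_thresh
                           and b64_ratio >= b64_thresh),
        }
    return findings


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample traffic. The first client shows the beacon pattern
# (fresh random URI each time, Base64 cookie); the second is ordinary browsing.
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 198.51.100.7 GET /kq2Xp9LmT4vB cookie="{_b64("seq=1;host=WS-042")}"',
    f'10.0.0.5 198.51.100.7 GET /Z7hsN3wUc1Ry cookie="{_b64("seq=2;host=WS-042")}"',
    f'10.0.0.5 198.51.100.7 GET /e8GtQ5oVaD0j cookie="{_b64("seq=3;host=WS-042")}"',
    f'10.0.0.5 198.51.100.7 GET /M4nbKx6FzP2W cookie="{_b64("seq=4;host=WS-042")}"',
    f'10.0.0.5 198.51.100.7 GET /uL9cHr3sYe7A cookie="{_b64("seq=5;host=WS-042")}"',
    '10.0.0.9 203.0.113.20 GET /index.html cookie="sid=abc123"',
    '10.0.0.9 203.0.113.20 GET /about.html cookie="sid=abc123"',
    '10.0.0.9 203.0.113.20 GET /css/site.css cookie="sid=abc123"',
    '10.0.0.9 203.0.113.20 GET /index.html cookie="sid=abc123"',
    '10.0.0.9 203.0.113.20 GET /index.html cookie="sid=abc123"',
])


if __name__ == "__main__":
    for pair, info in score_pairs(parse_log(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{pair[0]} -> {pair[1]}: {flag} {info}")
```

To run this against real data, adapt LOG_RE to your proxy's format and feed it the cookie (or whichever header the implant abuses). Expect false positives from CDNs, cache-busting query strings and legitimate session tokens that happen to be Base64, so treat a hit as a triage lead to be paired with host evidence (the signing certificate and imphash mentioned above) rather than as a verdict.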
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Encryption
Beacon
Apt
Infiltration
Associated Malware
ID | Type | Votes | Profile Description
PlugX (type: unspecified, votes: 1): PlugX is a widely used remote access trojan (RAT) typically associated with Chinese threat actors and seen in many intrusions. It is commonly delivered through phishing emails and malicious downloads and gives the operator remote control of the host, including the ability to collect data and stage further payloads. It
RedLeaves (type: unspecified, votes: 1): RedLeaves is a malicious software (malware) that has been utilized in cyber espionage campaigns for over five years, as reported by Trend Micro. This malware, which is known to infect Windows machines, operates as a remote access trojan (RAT), enabling unauthorized access and control over infected s
Pivy (type: unspecified, votes: 1): PIVY (Poison Ivy) is a remote access trojan (RAT) that has been used by many threat actors. It typically reaches a system through phishing emails or malicious downloads, often without the user's awareness, and once running gives the operator remote control of the host, including the ability to collect data and install further tools. PIVY has b
Poison Ivy (type: unspecified, votes: 1): Poison Ivy is a remote access trojan (RAT) designed to give an attacker control of a compromised computer. It typically reaches a system through phishing emails or malicious downloads, often without the user's knowledge, and once running it can collect data, run commands and install further tools at the operator's direction, or even hold d
Associated Threat Actors
ID | Type | Votes | Profile Description
APT10 (type: unspecified, votes: 1): APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted
menuPass (type: unspecified, votes: 1): MenuPass, also known as APT10 and Stone Panda, is a threat actor suspected to be linked to the Chinese government. This cyber espionage group has been active since at least 2009, according to Mandiant, and has targeted a wide range of sectors including construction, engineering, aer
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Poison Ivy Pivy (type: unspecified, votes: 1): none
Source Document References
Information about the ChChes malware was read from the documents listed below.
Source | Created | Title
MITRE (a year ago): menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
Trend Micro (a year ago): Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns