ChChes

ChChes is a malware family that has been linked to the Advanced Persistent Threat (APT) group known as "menuPass." It was first identified in 2016, when it was used to target Japanese academics, pharmaceutical companies, and a US-based subsidiary of a Japanese manufacturing organization. ChChes serves as an initial foothold on a victim's machine, collecting various types of information about the victim. This Trojan is unique to the menuPass group, unlike PlugX and Poison Ivy (PIVY), which are used by multiple campaigns.

ChChes shares some similarities with other malware families. Trend Micro's analysis confirmed that Earth Yako's MirrorKey malware uses the same encryption routine as the APT10 malware families RedLeaves and ChChes. Notably, the observed ChChes samples were digitally signed with a certificate originally used by HackingTeam, a company that suffered a significant data breach. Newer versions of ChChes share an import hash with other tools used by menuPass, which provided an initial link between these tools.

ChChes communicates with its remote server through an initial HTTP beacon. This beacon carries a complex structure in the 'Base64-Encoded Data' field that stores a module to be loaded and then run by ChChes. The Uniform Resource Identifier (URI) used for this communication is randomly generated for each HTTP request the malware makes, which makes tracking and identification harder.

The discovery and ongoing analysis of ChChes underline the evolving threats in cybersecurity and the need for continuous vigilance and innovative defense strategies.
Source Document References
Information about the ChChes malware was read from the documents below.

- MITRE: menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
- Trend Micro: Invitation to a Secret Event: Uncovering Earth Yako's Campaigns