ChChes is a malware family that has been linked to the Advanced Persistent Threat (APT) group known as "menuPass." The malware was first identified in 2016 when it was used to target Japanese academics, pharmaceutical companies, and a US-based subsidiary of a Japanese manufacturing organization. ChChes operates as an initial infiltration point on a victim's machine, collecting various types of information about the victim. This Trojan is unique to the menuPass group and is distinct from other malware like PlugX and Poison Ivy (PIVY), which are used by multiple campaigns.
The ChChes malware shares some similarities with other malware families. Trend Micro's analysis confirmed that Earth Yako's MirrorKey malware uses the same encryption routine as the APT10 malware families RedLeaves and ChChes. Notably, the observed ChChes samples were digitally signed with a certificate originally used by HackingTeam, a company that suffered a significant data breach. Newer versions of ChChes carry an import hash shared with other tools used by menuPass, which provided the initial link between these tools.
ChChes communicates with its remote server through an initial HTTP beacon. This beacon carries a complex structure in its 'Base64-Encoded Data' field that holds a module for ChChes to load and run. The Uniform Resource Identifier (URI) used for this communication is randomly generated for every HTTP request the malware makes, which makes tracking and identifying the traffic harder. The discovery and ongoing analysis of ChChes underline the evolving threats in cybersecurity and the need for continuous vigilance and innovative defense strategies.
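The two traffic traits described above (a fresh random URI on every request, and a request body carrying base64-encoded data) can be turned into a simple defender-side hunting heuristic over proxy logs. The following is an added example, not code from the page or from any vendor's analysis of ChChes; the log format (tab-separated timestamp, method, host, path, body), the host names, the payload bytes and the thresholds are all constructed assumptions for illustration, and the actual ChChes beacon structure is not modelled here.

```python
import base64
import binascii
import math
from collections import defaultdict


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed sample proxy log lines (not from the page): tab-separated
# timestamp, method, host, request path, request body (may be empty).
# The suspect host's bodies are base64 of placeholder bytes, not real modules.
SAMPLE_LOG = [
    "2024-05-05T10:00:01\tGET\twww.example.com\t/index.html\t",
    "2024-05-05T10:00:02\tGET\twww.example.com\t/about.html\t",
    "2024-05-05T10:00:03\tGET\twww.example.com\t/index.html\t",
    "2024-05-05T10:01:00\tPOST\tbeacon.example.invalid\t/x7q2ma91kz\t"
    + _b64(b"\x01\x00PLACEHOLDER-MODULE-1"),
    "2024-05-05T10:02:00\tPOST\tbeacon.example.invalid\t/p0ls8eq3vt\t"
    + _b64(b"\x01\x00PLACEHOLDER-MODULE-2"),
    "2024-05-05T10:03:00\tPOST\tbeacon.example.invalid\t/dk4w1rr92b\t"
    + _b64(b"\x01\x00PLACEHOLDER-MODULE-3"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking paths score higher than dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_base64_blob(s: str, min_len: int = 16) -> bool:
    """True if s is a non-trivial, strictly valid base64 string (alphabet and padding enforced)."""
    if len(s) < min_len:
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, method, host, path, body = line.split("\t", 4)
    return {"ts": ts, "method": method, "host": host, "path": path, "body": body}


def flag_beacon_hosts(lines, min_requests: int = 3, min_entropy: float = 3.0) -> dict:
    """Return {host: reason} for hosts whose requests all use distinct,
    high-entropy paths and all carry a base64 body. Thresholds are assumptions."""
    per_host = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        per_host[r["host"]].append(r)

    flagged = {}
    for host, reqs in per_host.items():
        if len(reqs) < min_requests:
            continue
        paths = [r["path"].strip("/") for r in reqs]
        if len(set(paths)) != len(paths):
            # Repeated paths look like ordinary browsing, not per-request random URIs.
            continue
        if min(shannon_entropy(p) for p in paths) < min_entropy:
            continue
        if not all(is_base64_blob(r["body"]) for r in reqs):
            continue
        flagged[host] = (
            f"{len(reqs)} requests, every path unique and random-looking, "
            f"every body a base64 blob"
        )
    return flagged


if __name__ == "__main__":
    for host, reason in flag_beacon_hosts(SAMPLE_LOG).items():
        print(f"suspect C2 host {host}: {reason}")
```

Run over the constructed log, only `beacon.example.invalid` is flagged; `www.example.com` is excluded because its paths repeat and its bodies are empty. In practice this heuristic is a triage filter rather than a verdict: legitimate CDNs and tracking pixels also use high-entropy paths, so hits should be enriched with host reputation and process context before escalation.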
Description last updated: 2024-05-05T00:09:59.805Z