Security Market Segment LS
Monday, 05 February 2018 10:09

Complex PZChao Windows malware has more than one string to its bow Featured


Security firm Bitdefender says it has been monitoring a complex custom-built piece of Windows malware, that it has named PZChao because of the name of the domain at which its command and control server resides.

Researchers Ivona Alexandra and Bogedan Botezatu released a detailed white paper on the threat, which they said had a network of malicious domains, each of which was used for a specific task - download, upload, remote access trojan-related actions, and malware DLL delivery).

"The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system," they said.

Highly targeted spam messages with a malicious VBS file attached appeared to be the main means of infecting Windows computers. The script acts as a downloader for further malicious payloads from a distribution server.

Alexandra and Botezatu said the IP address of the distribution server resolved to one located in South Korea as of 17 July, when the initial payload had been first isolated.

The IP address “” hosts the “”. New components are downloaded and executed on the compromised hosts at every stage of the attack as seen below.

pzchao domains

Botezatu told iTWire in response to queries that PZChao used several readily-built components such as the open-source Gh0stRAT that have been seen in the past.

"Tech-wise, PZChao can't compare to the TAO (Equation Group). However, judging by different metrics (such as the success rate of the attack), the PZChao approach is proven to work and have the same outcome as a state-of-the-art, brand-new attack: data exfiltration over a long period of time," he added.

The server, as well as the entire infrastructure, had been taken offline following abuse complaints to South Korean authorities. "But this does not change anything for the victims who have already fallen for the attack and had their information compromised," Botezatu added.

"Hackers can easily re-create this environment on a different server, in a different part of the world and reconfigure the payloads to connect to the new infrastructure."

Asked about the extent of the spread of PZChao and the use it was put to, he said, given the nature of the targets — entities in education, government, telecommunications and technology — "we believe that this is a highly targeted attack that focuses on gathering intelligence and intellectual property".

pzchao map

A simplified view of the location and nature of the targets.

"Advanced persistent threat groups are not exclusively focused on politics, but rather go for the full spectrum of mission-critical infrastructure. Political and commercial espionage go hand in hand, especially in countries where advanced intellectual property stolen from say, a US company, could be paired with a cheap workforce to create extremely competitive products."

As to the name chosen for the malware, Botezatu said: "Operation PZChao has been called like that because it is centred around a command and control infrastructure located at pzchao(dot)com. We have no idea what went through the attacker's mind when they chose this domain name, but this name is unique enough to differentiate this attack from other extremely similar attacks."

Graphics: courtesy Bitdefender

WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments