Researchers Ivona Alexandra and Bogedan Botezatu released a detailed white paper on the threat, which they said had a network of malicious domains, each of which was used for a specific task - download, upload, remote access trojan-related actions, and malware DLL delivery).
"The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system," they said.
Highly targeted spam messages with a malicious VBS file attached appeared to be the main means of infecting Windows computers. The script acts as a downloader for further malicious payloads from a distribution server.
The IP address “126.96.36.199” hosts the “down.pzchao.com”. New components are downloaded and executed on the compromised hosts at every stage of the attack as seen below.
Botezatu told iTWire in response to queries that PZChao used several readily-built components such as the open-source Gh0stRAT that have been seen in the past.
"Tech-wise, PZChao can't compare to the TAO (Equation Group). However, judging by different metrics (such as the success rate of the attack), the PZChao approach is proven to work and have the same outcome as a state-of-the-art, brand-new attack: data exfiltration over a long period of time," he added.
The server, as well as the entire infrastructure, had been taken offline following abuse complaints to South Korean authorities. "But this does not change anything for the victims who have already fallen for the attack and had their information compromised," Botezatu added.
"Hackers can easily re-create this environment on a different server, in a different part of the world and reconfigure the payloads to connect to the new infrastructure."
Asked about the extent of the spread of PZChao and the use it was put to, he said, given the nature of the targets — entities in education, government, telecommunications and technology — "we believe that this is a highly targeted attack that focuses on gathering intelligence and intellectual property".
A simplified view of the location and nature of the targets.
"Advanced persistent threat groups are not exclusively focused on politics, but rather go for the full spectrum of mission-critical infrastructure. Political and commercial espionage go hand in hand, especially in countries where advanced intellectual property stolen from say, a US company, could be paired with a cheap workforce to create extremely competitive products."
As to the name chosen for the malware, Botezatu said: "Operation PZChao has been called like that because it is centred around a command and control infrastructure located at pzchao(dot)com. We have no idea what went through the attacker's mind when they chose this domain name, but this name is unique enough to differentiate this attack from other extremely similar attacks."
Graphics: courtesy Bitdefender