Security Market Segment LS
Monday, 05 February 2018 10:09

Complex PZChao Windows malware has more than one string to its bow Featured


Security firm Bitdefender says it has been monitoring a complex custom-built piece of Windows malware, that it has named PZChao because of the name of the domain at which its command and control server resides.

Researchers Ivona Alexandra and Bogedan Botezatu released a detailed white paper on the threat, which they said had a network of malicious domains, each of which was used for a specific task - download, upload, remote access trojan-related actions, and malware DLL delivery).

"The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system," they said.

Highly targeted spam messages with a malicious VBS file attached appeared to be the main means of infecting Windows computers. The script acts as a downloader for further malicious payloads from a distribution server.

Alexandra and Botezatu said the IP address of the distribution server resolved to one located in South Korea as of 17 July, when the initial payload had been first isolated.

The IP address “” hosts the “”. New components are downloaded and executed on the compromised hosts at every stage of the attack as seen below.

pzchao domains

Botezatu told iTWire in response to queries that PZChao used several readily-built components such as the open-source Gh0stRAT that have been seen in the past.

"Tech-wise, PZChao can't compare to the TAO (Equation Group). However, judging by different metrics (such as the success rate of the attack), the PZChao approach is proven to work and have the same outcome as a state-of-the-art, brand-new attack: data exfiltration over a long period of time," he added.

The server, as well as the entire infrastructure, had been taken offline following abuse complaints to South Korean authorities. "But this does not change anything for the victims who have already fallen for the attack and had their information compromised," Botezatu added.

"Hackers can easily re-create this environment on a different server, in a different part of the world and reconfigure the payloads to connect to the new infrastructure."

Asked about the extent of the spread of PZChao and the use it was put to, he said, given the nature of the targets — entities in education, government, telecommunications and technology — "we believe that this is a highly targeted attack that focuses on gathering intelligence and intellectual property".

pzchao map

A simplified view of the location and nature of the targets.

"Advanced persistent threat groups are not exclusively focused on politics, but rather go for the full spectrum of mission-critical infrastructure. Political and commercial espionage go hand in hand, especially in countries where advanced intellectual property stolen from say, a US company, could be paired with a cheap workforce to create extremely competitive products."

As to the name chosen for the malware, Botezatu said: "Operation PZChao has been called like that because it is centred around a command and control infrastructure located at pzchao(dot)com. We have no idea what went through the attacker's mind when they chose this domain name, but this name is unique enough to differentiate this attack from other extremely similar attacks."

Graphics: courtesy Bitdefender

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News