Playbook

Malware: Chinoxy, PivNoxy

Description

FortiGuard Labs discovered an interesting spearphishing email sent to a telecommunication agency in South Asia in mid-May 2022. The investigation led us to identify a new variant of the Chinoxy malware payload, designed to be delivered via a malicious Word document. Weaponized with a malicious tool called "Royal Road", the Word document exploits an Equation Editor vulnerability (CVE-2018-0798) in Microsoft Office to deliver the payload if the vulnerability has not been patched.


Chinoxy is a backdoor malware that connects to a Command-and-Control server and performs various activities on the compromised machine depending on commands issued by a remote attacker.


FortiGuard Labs found that the threat actor's earliest use of Chinoxy dates as far back as July 2016. Further research indicates that the group stopped using Chinoxy in April 2020 and switched to an alternative tool, "PivNoxy".


PivNoxy is a backdoor similar to Chinoxy. A notable difference between them is that PivNoxy carries a PoisonIvy RAT embedded in its own code and deploys it on the compromised machine. The threat actor continued using PivNoxy until February 2021. After a hiatus of a few months, they turned back to Chinoxy in July 2021. The newly used Chinoxy reverted to operating as a simple backdoor and no longer directly deploys the PoisonIvy Remote Access Trojan (RAT). It instead attempts to download and install additional payloads. One of these additional payloads was identified as PoisonIvy by nao_sec.


To deliver Chinoxy and PivNoxy, the threat actor uses an attack chain that starts with an email carrying an attachment. The attachment contains an executable that, when run, drops multiple files: a malicious "LBTServ.dll", a legitimate digitally-signed Logitech executable, and any associated files used by the malware. The attacker group takes advantage of a DLL search order hijacking weakness in the Logitech executable so that the malicious LBTServ.dll is loaded whenever the genuine Logitech process runs. Both Chinoxy and PivNoxy open a backdoor on the compromised machine. This exposes the affected organizations to reconnaissance and further malicious activity, including the deployment of additional malware such as the PoisonIvy RAT through Chinoxy and PivNoxy. Information collected by the malware may belong not only to the compromised organizations but also to their affiliates, such as customers, suppliers, and trading partners, so the damage can extend beyond the directly affected organizations.


Indicators of Compromise

File IOCs

Older Chinoxy variants

  • 719f25e1fea12c8dc573e7161458ce7a5b6683dee3a49bb21a3ec838d0b35dd3
  • 75f7b6197d648eaa8263d23c8f9aa9224038259d25df073803929d6582ea27b1
  • a33dcbd2ccf291ebd465bfcd6a9be10b3d6c0d89fa5ee0038a2e41fbd6c0397d
  • 5137bc35b042c0ea2ad56f3b0e03191e840cce9e9dadb470d6a7a018f3a1a4fb
  • b0ad5af44a0a07a2408e9a6b4e4a27e366aa64350ff60f398d1b8086172034f6
  • a8c21cb9dea1c9bc62adcc6de4a73c7971ea797ab4fdb93320532647625e22ba
  • 6f7f142089b1d2e48880f59362c7c50e5d193166bdd5e4b27318133e8fe27b2c
  • 399563e798edd4a9e1a89209b1b350a4e1197786c23c0986a1a965446e7d5474

PivNoxy

  • a638cce32a01f63febe2d21b02ef9f6f6c6c59e2107a043eb2ae547ff9a1d776
  • 8ceb84e33db56092618f763771630b0759d7122d5df5afaeb4c1ebc9e72ed7f1
  • a4cbae07c1d674d41c1297be4e0c19b2f138c2ef29db16b5edc528026dc4e717
  • 6ab62f7cd1c4a00c200cd130afa7352bb6e536e324cb9ead13e01e54146bb112
  • af7d3f46c32f4040dbfb6f85d6db1471e29c4a9290654d3f44351e316f05fba5
  • a557eed41c5e021209c7e3a3eada10abf43e2bfabf930552b6cb7a4b7568b971
  • d49c0d6113a9928486e35a7013d9c09a52743bd8fe84712e27c54fcac9b9e31e
  • 53c7ab494527a8118f89ba99dea51b223f98e368e687f42d31925945b0282e87

Newer Chinoxy variants

  • c8934c7b3187e48b1ee44fc2c8e1c3ab19850efc1e45383442cfe4b9b4a06d01
  • d59278ff54d30176263deadcb7d21ba6f9b7eb1139e3dcd6f7ea534183f96c92

Chinoxy dropper

  • cdf417e67b0aaf798ac7c0f9ccb8b5b21f09b408ee6748beea5e03e76902e7fe
  • f8a8ccfa6426f27da75649dbef26213aae6137f726d29232e45e4183391016bf
  • 9f93a50cadd762d36788ce1c8d5deb2d26e109f717f3e2d4d5c8f0d3344de725
  • a8f1e7eccae75e840b1d6982b06ee322ceaed65ade23a10d17c8414e5a522110
  • 6a8ba940d40be935ffc623b5fadfdb4537c1787fedf5889021b0ceb65dfa809d
  • 59ea7516b2a028e5cad938534099f45b5d28f7cfa32d268a8bdcbe5f6320b5a6
  • 07a37e52533bf26f5d506c69e748f479de5dcd416103f8d7a4a06c948e1051ad
  • 152f95a5bdf549c5ca789d0dd99d635ee69cca6fe464ced5b39d0316707a4914
  • 947760b4f688863708741457297d74810ad45e20e2c02d91b54b056716803777
  • 3f21e0b3ef80fd9393c6e187311a78aee22738f510ed227397249157b131b890
  • 3c9d802f617aab4c6973cef74d2509fea00ee8454681c40df09a4734946e5125
  • 82f8cf41aa720e268ee0c6e43cd52512ea4a2f98a51844071e0faaf1eb13ce62

PivNoxy dropper

  • 2bebd0989d1d8c6bb681217399281640521d61ce207f358a4340377898ed44c5
  • 6485d76e645d2f7e27a20d072f07c282583f21ec42801de588193d01b591a957
  • 8dfda79f7848a41f0a8f7a68096fcb6783ace3f3430ae3d7d05fed1ad4533fe0
  • 86c563a8630150934ae7468e074f81914d26b978c32571ce9f4d9b349dc03349
  • 72a7341805713327f09f881bc7184610ed28101bfbda93fd829d0d52978c22eb
  • 4d9af80dad6dcdfe37931094c42296d53ef6d98b633db32503d7972fd7e0e3f6
  • e537b6eb903d9bb9b3cb0e63f9fddf2afa0875af7558b5bec3c98cebf1452e01
  • c25ae716a651c7c846871275bfde7188224628e3380fd6f256aacba1cb15ad61
  • 289ce24d873986d607ab8e43f499be562fa4925d2b5be16bb31ce68a00b4020a
  • f229239ed7665338961eec60a17bcca0fed1eb957b0e751dd991ce664140d79c
  • 5c2a6b11d876c5bad520ff9e79be44dfbb05ee6a6ff300e8427deab35085bef6

Newer Chinoxy dropper

  • ab49e15c0a0e4f977748faae36255889c2239cde847ed49304881c123b9a0e99
  • 8d7d259ac375171c59ac81ba9a16949ac7277c8ed3841c229ce48def0358c96e
  • a8d92ace0ea438759428877a32cd92f73790d86d0e3384317c04a9ae4ed30c55
  • c44be5ed5c4bec2be72ce9737bde5a2d48fe5fb0ea235ddc61ba447b26642949
  • d863f559ba323625f20721e910bf920ee73a5303f6edadbec2aa670b640e01c8
  • f309b42845ca3e36e0bb6ec68f424a11ff8f77642afc3bd4425118dc0d2514e0


Network IOCs

  • goog1eupdate[.]com
  • myhost[.]camdvr[.]org
  • mfaupdate[.]com
  • eofficeupdating[.]com
  • 58[.]64[.]184[.]201
  • cdn[.]cloudistcdn[.]com
  • q[.]cloudistcdn[.]com
  • beautygirl[.]dynamic-dns[.]net
  • 784kjsuj[.]dynamic-dns[.]net
  • frontbeauty[.]dynamic-dns[.]net
  • instructor[.]giize[.]com
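The following script is an added example for defenders and is not part of the FortiGuard playbook: it refangs the network IOCs listed above, matches them against DNS and connection log lines, and checks a file inventory against the published SHA-256 hashes, flagging any file named LBTServ.dll (the side-loaded DLL named in the description) for manual review. Only a subset of the file hashes is embedded to keep the block short; the log lines, file paths and the key=value log format are constructed for the example.

```python
"""Hunt for the Chinoxy / PivNoxy IOCs from the playbook in endpoint and network telemetry."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Subset of the SHA-256 IOCs published above (one per category; extend with the full list).
SHA256_IOCS = {
    "719f25e1fea12c8dc573e7161458ce7a5b6683dee3a49bb21a3ec838d0b35dd3",  # older Chinoxy variant
    "a638cce32a01f63febe2d21b02ef9f6f6c6c59e2107a043eb2ae547ff9a1d776",  # PivNoxy
    "c8934c7b3187e48b1ee44fc2c8e1c3ab19850efc1e45383442cfe4b9b4a06d01",  # newer Chinoxy variant
    "cdf417e67b0aaf798ac7c0f9ccb8b5b21f09b408ee6748beea5e03e76902e7fe",  # Chinoxy dropper
    "2bebd0989d1d8c6bb681217399281640521d61ce207f358a4340377898ed44c5",  # PivNoxy dropper
    "ab49e15c0a0e4f977748faae36255889c2239cde847ed49304881c123b9a0e99",  # newer Chinoxy dropper
}

# Network IOCs exactly as published, defanged with "[.]".
NETWORK_IOCS_DEFANGED = [
    "goog1eupdate[.]com", "myhost[.]camdvr[.]org", "mfaupdate[.]com",
    "eofficeupdating[.]com", "58[.]64[.]184[.]201", "cdn[.]cloudistcdn[.]com",
    "q[.]cloudistcdn[.]com", "beautygirl[.]dynamic-dns[.]net",
    "784kjsuj[.]dynamic-dns[.]net", "frontbeauty[.]dynamic-dns[.]net",
    "instructor[.]giize[.]com",
]


def refang(ioc: str) -> str:
    """Turn the defanged 'a[.]b' form back into a matchable 'a.b'."""
    return ioc.replace("[.]", ".").strip().lower()


def split_network_iocs(defanged: Iterable[str]) -> Tuple[set, set]:
    """Separate refanged IOCs into domain names and IP addresses."""
    domains, ips = set(), set()
    for ioc in defanged:
        value = refang(ioc)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:          # not an IP literal, so treat it as a domain
            domains.add(value)
    return domains, ips


DOMAIN_IOCS, IP_IOCS = split_network_iocs(NETWORK_IOCS_DEFANGED)

# Constructed log format: space-separated key=value pairs (not a real product format).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def domain_matches(name: str, domains: set) -> bool:
    """True if name equals an IOC domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, queried name) pairs whose query hits a domain IOC."""
    hits = []
    for line in lines:
        fields = parse_kv(line)
        query = fields.get("query")
        if query and domain_matches(query, DOMAIN_IOCS):
            hits.append((fields.get("client"), query.lower()))
    return hits


def scan_connections(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs whose destination is an IP IOC."""
    hits = []
    for line in lines:
        fields = parse_kv(line)
        dst = fields.get("dst")
        if dst in IP_IOCS:
            hits.append((fields.get("src"), dst))
    return hits


def scan_file_inventory(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """entries are (path, sha256). A hash hit is 'high'; a bare LBTServ.dll is 'review'.

    The filename alone is not proof: confirm the DLL's signature and whether a
    signed Logitech binary sits beside it before treating it as malicious.
    """
    findings = []
    for path, digest in entries:
        basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if digest.lower() in SHA256_IOCS:
            findings.append(("high", path))
        elif basename == "lbtserv.dll":
            findings.append(("review", path))
    return findings


# Constructed sample telemetry (not from the report).
SAMPLE_DNS = [
    "ts=2022-05-17T10:02:11Z client=10.1.4.22 query=goog1eupdate.com type=A",
    "ts=2022-05-17T10:02:13Z client=10.1.4.22 query=update.microsoft.com type=A",
    "ts=2022-05-17T10:03:40Z client=10.1.4.31 query=api.cdn.cloudistcdn.com type=A",
]
SAMPLE_CONN = [
    "ts=2022-05-17T10:02:12Z src=10.1.4.22 dst=58.64.184.201 dport=443 proto=tcp",
    "ts=2022-05-17T10:02:14Z src=10.1.4.22 dst=13.107.4.50 dport=443 proto=tcp",
]
SAMPLE_FILES = [
    (r"C:\Users\Public\invoice.exe", "cdf417e67b0aaf798ac7c0f9ccb8b5b21f09b408ee6748beea5e03e76902e7fe"),
    (r"C:\Users\Public\LBTServ.dll", "0" * 64),      # constructed, unknown hash
    (r"C:\Windows\System32\kernel32.dll", "1" * 64),  # constructed, benign
]

if __name__ == "__main__":
    print("DNS hits:", scan_dns_log(SAMPLE_DNS))
    print("Connection hits:", scan_connections(SAMPLE_CONN))
    print("File findings:", scan_file_inventory(SAMPLE_FILES))
```

Subdomain matching is deliberate: the report lists both cdn and q hosts under cloudistcdn.com, and operators frequently rotate hostnames under a controlled parent, so a query for any label beneath a listed name is worth a look. The LBTServ.dll "review" tier keeps a filename coincidence from being reported as a confirmed infection.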