Chinese cyber-espionage group Codoso ‘back in action’

Security researcher firm Palo Alto Networks is reporting that a Chinese adversary group C0d0so0 or “Codoso” has reappeared. 

Signs of the group, which had been silent, appeared in test results while looking into unknown malware and attack campaigns.

The group is known for the attack on, in which the site was used to compromise selected targets via a watering hole to a zero-day Adobe Flash exploit. It then went on to attack the payment processing systems behind Samsung Pay.

Codoso has been known to use sophisticated tactics and tools and has been linked to leveraging zero-day exploits on numerous occasions in combination with watering hole and spear-phishing attacks.

Now back from what appears to be a three-month hiatus, the group does not seem to have a clear direction or purpose for these recent attacks and appear to be harvesting information on random internet users, probably building a database of possible pawns for future attacks.

The malware Codoso is currently using is a new variant of the Derusbi family which works by using DLL side-loading techniques to inject malicious content in legitimate applications. This helps the malware to go undetected by security tools and alter registry keys to gain boot persistence.

Once in action, the malware will collect data about targets and send it to one of three remote C&C servers in Hong Kong. The malware collects IP addresses, MAC addresses, usernames, hostnames, CPU details and Internet Explorer user agent strings. 

It's likely that the attacks were initially delivered via spear-phishing e-mails, or as demonstrated by Codoso in the past, legitimate websites that had been previously compromised then used as watering holes.

The victims would be redirected to a set of compromised websites that host malware which would be side-loaded with a legitimate signed executable. Two variants of the malware employed by Codoso were discovered: one that used HTTP for command and control (C2) communications and one that used a custom network protocol over port 22.

In blog post, Palo Alto said that Unit 42 will continue observation and research on this group's activities and that it suspects this may be the early stage of a more dangerous attack. 

Leo Taddeo, chief security officer at Cryptzone, told, "The attacks are likely not random. By targeting high tech industries, such as telecommunications, manufacturing and legal services, it seems clear the Codoso activity is reconnaissance for future attacks to obtain valuable business information."

He went on to explain: “China is still among the most prolific state actors deploying cyber-espionage to provide state-owned enterprises an economic advantage. Despite the recent agreement with the US to curtail such activity, it is not likely we will see them slow down any time soon.” 

Commenting by email, Guy Bunker, senior VP products at Clearswift, said, “While there appears no specific target, the target today is more often around information – and this is the case with Codoso. For many businesses there is a challenge to understand what their critical information is and where it can be found in order to protect it. Codoso targeting seemingly random information indicates that they can get information from anywhere it may be held. As with most cyber-attacks, there is no silver bullet and a layered security approach is required.

“This needs to prevent malware from getting in and also preventing the exfiltration of information. This needs to be coupled with a proactive education and awareness programme for employees. Sending out information about how attacks can occur and what to watch out for will help improve the security posture. By compromising legitimate websites, Codoso is making the detection of information-borne malware more difficult, however functionality such as structural sanitisation in adaptive data loss prevention solutions can mitigate this.”

Bunker added: “There is no end in sight for groups such as Codoso, and as information becomes increasingly simple to buy and sell, there is a continued need to remain vigilant, and people should be a key part of this, in conjunction with policies and technology to back them up.” 

Bryan Lillie, Chief Technical Officer, Cyber at QinetiQ said that, "The Codoso group is definitely starting to make a name for itself. The attacks that they specialise in exploit multiple zero day hacks and are deliberately designed to be slow. This makes them difficult to detect and also allows the hack to get around traditional cyber security mechanisms, a potent combination that is reflected in the growing awareness of the group."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.