ChinaZ Updates Toolkit by Introducing New, Undetected Malware

Written by Ignacio Sanmillan

    Share article
    FacebookTwitterLinkedInRedditCopy Link

    Top Blogs


    ChinaZ is a Chinese cybercrime group and the author of several DDoS malware. We have profiled this group in a previous article discussing connections between ChinaZ and other Chinese threat actors.

    Recently, we have discovered new tools being utilized by ChinaZ which have low detection rates in comparison to the group’s other, more common malware.

    new tools being utilized by ChinaZ

    VirusTotal detection rate of one of the discovered samples

    Some of the components reported in this article have been present in the wild for at least one year, which implies the active state of this group. We have based this conclusion upon seeing that the first submission was made to VirusTotal one year ago:

    VirusTotal analysis of an older, related sample

    VirusTotal analysis of an older, related sample

    We believe this may be an attempt by ChinaZ to retool its current toolset, using new malware with low detection rates to accomplish its operations, since the group has received more attention from the infosec community in recent years.

    The new malware samples seem to implement a combination of backdoor and DDoS bot capabilities to mainly target Linux servers. However, we do not discount the possibility that Windows variants may exist, since this is a recurrent pattern we have observed from ChinaZ malware in the past.

    In addition, we were able to retrieve a CNC binary from one of the samples, which has enabled us to learn more about the network protocol along with some of the malware’s capabilities.

    In this post, we will present the technical findings of those tools, including a technical analysis of the files and network protocols.

    Technical Analysis

    We’ve received several hits of suspicious files from VirusTotal Intelligence that communicated with given subdomains under the domain All of the identified subdomains were hosting several HttpFileServer panels, web servers specifically designed for publishing and sharing files. ChinaZ is known to have used these types of panels in the past.

    HttpFileServer panel of one of the identified servers
    HttpFileServer panel of one of the identified servers

    Based on VirusTotal passive DNS records, it appears that some Windows malware samples were also hosted on some of these subdomains:

    VirusTotal Intelligence graph from one of the discovered samples

    VirusTotal Intelligence graph from one of the discovered samples

    After analyzing some of the Windows binaries we observed that based on code reuse analysis, the majority of these files seem to be variants of Gh0st or ServStart, modified Chinese RATs with DDoS capabilities known to be leveraged by ChinaZ in the past.

    These samples are also infected by common PE file infectors such as Sality, Parite, and Virut. ChinaZ has a reputation for deploying infected malware compromised with these aforementioned file infectors:

    Sality genes from one of the hosted Windows malware samples
    Sality genes from one of the hosted Windows malware samples

    As seen in the screenshot above, a Gh0st RAT instance deployed by ChinaZ contains code from Sality. This implies that the subject Gh0st RAT is infected with Sality. We documented this same pattern in our previous article on the subject matter. This finding may imply that these new malware samples may be operating from the same servers as other malware under the ChinaZ umbrella.

    Furthermore, when we analyze the newly discovered samples using Genetic Malware Analysis, we observed that they all share the same ratio of genes across several malware families related to ChinaZ threat actors.

    Genetic Malware Analysis across samples under the ChinaZ umbrella
    Malware Analysis across samples under the ChinaZ umbrella

    After analyzing these connections we observed that they all have been statically compiled with specific versions of some C++ libraries.

    C++ function similarities between one of the identified samples and a XorDDoS instanceC++ function similarities between one of the identified samples and a XorDDoS instance

    These code similarities are from C++ statically linked library code, which at first glance are often considered non-attributive. However, based on the high number of code connections between hundreds of other malware samples related to ChinaZ, we can interpret them as if the authors of these newly discovered samples will be using the same compiler version or toolchain to generate their implants as the one used by a large number of ChinaZ threat actors.

    Among the different identified samples we were able to classify three variants with different functionalities. Each of these variants were found hosted together and often sharing the same CNC server. The following section includes an analysis of each of the new implants we discovered.

    1. NewManager

    NewManager is a minimalistic backdoor with arbitrary command execution and file upload capabilities. The functionality of the backdoor is fairly simple in logic. NewManager is intended to be executed as root, therefore we can assume the backdoor is used as a stager when a given target is compromised.

    The backdoor will daemonize itself and set persistence mechanisms. These persistence mechanisms are primarily based on setting symbolic links to specific directories in which the presence of those symbolic links implies file execution on boot time. These mechanisms are predominant among all discovered samples.


    We have observed that across the discovered implants the name of the persistent binary will be set differently. The name used to label NewManager was ‘new manager’, therefore its name:

    The malware will then execute a series of functions

    The malware will then execute a series of functions that will initialize the communication with the CNC to start receiving commands.

    The client will collect interface information from /proc/net/dev and cpu information from /proc/stat

    The client will collect interface information

    Functions executed prior to CNC command handling

    This collected information serves to inform the operator of the network interface and cpu performance of the compromised machine.

    After this information is collected, the client will craft the beaconing packet that will be sent periodically to send interface and cpu statistics to the CNC.

    cpu statistics to the CNC.

    After analyzing the network protocol we observed that packets are crafted in a similar manner, although they will differ depending on the payload based on the command type sent. In order to show the packet’s structure, the following diagram shows the beaconing packet:


    After this specific information is configured to be sent in intervals to the CNC, the backdoor will send its own handshake packet.

    fter this specific information is configured to be sent in intervals to the CNC

    This packet transfers the kernel version to the backdoor operator. Once this command is sent, the operator will be able to see the compromised machine on its panel:

    backdoor operator.

    NewManager CNC panel

    NewManager supports three commands. They are the following:

    Command ID Specification
    Execute command 0x11000011 Executes an arbitrary bash command
    Create file 0x11000002 Creates a file on an arbitrary path
    Read file 0x11000003 Reads a file on an arbitrary path

    The command ID after packet parsing is fairly straightforward on the backdoor’s side.

    The command ID after packet parsing
    Command selection implementation in NewManager

    2. A

    The second piece of malware we were able to analyze is AmpManager.

    The reason we named this malware AmpManager is due to its resemblance to NewManager, however, it appears that the spectrum of supported commands is wider, implementing more functionalities along with a range of DDoS attack methodologies.

    Although AmpManager and NewManager share most of their code base and CNC communication protocol, there are more commands implemented in AmpManager and some command IDs do not match with the command IDs implemented by NewManager.

    For that reason—although we see a high volume of code reuse—we consider AmpManager to be a different malware, although it’s clear that NewManager is AmpManager’s predecessor.

    The name AmpManager chooses to persist in a given system is shown below:

    The following is an overview of the command implementation code:

    command implementation code:
    Command selection implementation in AmpManager

    As we can see, the command implementation code is broader than the one NewManager implements. One of the main differences between AmpManager and NewManager is AmpManager introduces DDoS attacks among other features.

    There are three different DDoS attack methodologies implemented: SSDP, DNS, and NTP amplifications.

    SSDP flood UDP header

    SSDP flood UDP header

    These floods have some configurations set under the /etc/ directory that will impact the number of iterations that each flood will run for.

    These floods have some configurations

    The following table shows the supported commands implemented in AmpManager:

    Command ID Specification
    NTP amplification 0x11000002 Executes a NTP amplification flood against a target IP address
    Send flood configurations 0x11000003 Send the established configurations for each flood to the CNC
    SSDP amplification 0x11000006 Executes a SSDP amplification flood against a target IP address
    All amplifications 0x11000007 Executes all implemented amplification floods against a target IP address
    DNS amplification 0x11000008 Executes a DNS amplification flood against a target IP address
    Download HTTP 0x11000009 Downloads a given file to a target path via HTTP GET
    Execute command 0x11000011 Executes a target bash command in the target machine
    Update current time 0x11000012 Saves the time via gettimeofday
    Apply flood configurations 0x11000023 Applies flood configurations for each respective DDoS methodology

    3. DDoSManager

    In contrast to the two previously reported malware samples, DDoSManager seems to be based on a completely different code base and network protocol.

    Although its overall functionality is similar to AmpManager due to the fact that it’s also a DDoS bot, uses the same persistence mechanisms and overall preliminary functionality before CNC communication, it’s important to highlight that DDoSManager uses different DDoS attack methodologies than AmpManager.

    In addition, we noticed that this sample contains known Elknot/BillGates artifacts, which are some of the most popular malware families leveraged by ChinaZ.

    The following is a small write up from a report by Novetta covering in detail the internals of BillGates malware.

    If we take a closer look, we can see that these two C++ classes are also used in DDoSManager:



    This reinforces the connection between these malware samples and the developers of Elknot/BillGates, and with respect to the ChinaZ umbrella, in addition to the connections explained previously.

    As is the case with the previous samples, DDoSManager commences by setting persistence mechanisms. The techniques applied are the same ones covered in NewManager and AmpManager as previously mentioned. DDoSManager will use the name SingTool to masquerade itself:


    Interface and performance information will be collected as with the previous samples. However, an additional thread will be launched.


    This thread is in charge of listening for packets to then decode and parse them for CNC communication.

    CNC communication.

    When we intercepted the network traffic we noticed that the traffic was encoded:

    the traffic was encoded

    After analysis we observed that packets were encoded and decoded with a simple sub/xor algorithm. This algorithm is the following:

    mple sub/xor algorithm. This algorithm

    After applying this algorithm to each given packet, we can retrieve their plain text version. The following is the structure of each packet after decoding:

    the structure of each packet

    Furthermore, the command ID will be extracted from each packet in order to execute the desired task.

    command IDCommand selection implementation in DDoSManager

    DDoSManager supports a total of seven commands. These are the following:

    Command ID Specification
    Read configuration 0x64 Configuration is retrieved to the CNC
    Write configuration entry 0x65 Entry is added to the configuration file
    HeartBeat 0x66 Beaconing command
    Not implemented 0x67 Not implemented
    Execute Manager Function 0x68 Invoke internal manager function
    Stop command 0x69 Stop an ongoing command
    Execute DDoS attack 0x6a, 0x6b, 0x6c Execute a DDoS flood on a target IP address

    The malware sets a configuration file for the targets it will attempt to DDoS. This configuration file is located at /tmp/Cfg.9:

    his configuration file is located at /tmp/Cfg.9

    When a DDoS command is executed, a series of fields will be provided from the CNC packet in order to execute the command. These fields are clearly shown on a debug message in the binary:

    DDoS command is executed

    There are three different DDoS amplification algorithms supported. These are SYN, UDP, and DNS amplifications. Interestingly, in the analyzed samples of DDoSManager we found that the DNS amplification algorithm was not implemented.

    DDoS amplification algorithms


    We have analyzed three new malware variants in which we have named NewManager, AmpManager, and DDoSManager.

    These three variants were found to be hosted together, sharing the same CNC address, and are nearly identical in terms of overall preliminary functionality.

    Some of the servers where the malware is hosted are also serving Windows DDoS bots based on modified versions of Chinese RATs such as Gh0st and ServStart. It is well-known that ChinaZ has utilized these malware families in previous campaigns.

    In addition, we presented evidence that the Windows implants were infected with common PE file infectors, also resembling a known pattern of ChinaZ Windows malware samples seen in the past.

    Furthermore, we highlighted the use of a common compiler/toolchain used to generate the discovered binaries which seems to be shared across a high number of samples belonging to the ChinaZ umbrella. We also found artifact similarities between the BillGates malware and DDoSManager, specifically the name of two core C++ classes used by the malware.

    A technical analysis of the overall functionality and network protocol for each of the discovered samples was provided explaining their main features and capabilities.

    We believe these findings indicate the need by some ChinaZ threat actors to update their malware toolsets, since they have not conducted a major retooling process in years, and the majority of the older malware utilized by this group is largely detected by Anti-Virus engines.

    The code from these samples are now indexed in Intezer Analyze so users can detect and classify NewManager, AmpManager, DDoSManager, and other threats that share code with these malware. We have also generated a YARA rule which can be used by organizations to hunt for additional samples of these threats.

    For more information about ChinaZ and code reuse connections between Chinese threat groups, download the Chinese DDoS Threat Landscape report.



    Ignacio Sanmillan

    Nacho is a security researcher specializing in reverse engineering and malware analysis. Nacho plays a key role in Intezer\'s malware hunting and investigation operations, analyzing and documenting new undetected threats. Some of his latest research involves detecting new Linux malware and finding links between different threat actors. Nacho is an adept ELF researcher, having written numerous papers and conducting projects implementing state-of-the-art obfuscation and anti-analysis techniques in the ELF file format.

    Generic filters
    Exact matches only
    Search in title
    Search in content
    Search in excerpt