{
	"id": "37d9949b-ed0e-4b7a-bf2e-abb0aedfcd8c",
	"created_at": "2026-04-06T00:22:09.278123Z",
	"updated_at": "2026-04-10T03:20:19.726929Z",
	"deleted_at": null,
	"sha1_hash": "0bcf0659c8c36fb16af983d686f77f1a9742e217",
	"title": "ChessMaster Adds Updated Tools to Its Arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109666,
	"plain_text": "ChessMaster Adds Updated Tools to Its Arsenal\r\nBy: Tamada Kiyotaka, MingYen Hsieh, Mar 29, 2018. Read time: 7 min (1963 words)\r\nPublished: 2018-03-29 · Archived: 2026-04-05 18:07:05 UTC\r\nTrend Micro discovered the ChessMaster campaign back in July 2017 as part of our monitoring efforts to protect our customers. At the time, we found ChessMaster targeting different sectors, from academia to media and government agencies in Japan. The threat group used a variety of attack tools and techniques to spy on their target organizations.\r\nBack then, we noted that ChessMaster's sophisticated nature implied that the campaign could evolve, and a few months later we found changes in the tools and tactics used in the campaign. While the original campaign was comprehensive and used remote access Trojans (RATs) such as ChChes and RedLeaves, this new campaign used a new backdoor (detected by Trend Micro as BKDR_ANEL.ZKEI) that leverages the CVE-2017-8759 vulnerability for its cyberespionage activities.\r\nIn this blog post, we analyze ChessMaster's current status, including the updated tools in its arsenal — with a particular focus on the evolution of ANEL and how it is used in the campaign.\r\nComparison of the July, November and current ChessMaster campaigns:\r\nPoint of Entry\r\nJuly campaign: spear-phishing emails containing decoy documents; malicious shortcut (LNK) files and PowerShell; self-extracting archives (SFX); runtime packers\r\nNovember campaign: spear-phishing emails containing decoy documents exploiting CVE-2017-8759\r\nCurrent campaign: spear-phishing emails containing decoy documents exploiting CVE-2017-11882, DDEAUTO, Microsoft Office Frameset and Link Auto Update\r\nNotable Tools\r\nJuly campaign: hacking tools; second-stage payloads\r\nNovember campaign: Koadic; hacking tools; second-stage payloads\r\nCurrent campaign: Koadic; hacking tools; second-stage payloads\r\nBackdoor\r\nJuly campaign: ChChes\r\nNovember campaign: ANEL\r\nCurrent campaign: ANEL\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/\r\nPage 1 of 9\r\nTechnical Analysis\r\nFigure 1. Infection chain for the current ChessMaster campaign\r\nChessMaster’s current iteration starts off with the familiar phishing attacks seen in the earlier campaigns, which involve an email with an attached malicious document in the doc, docx, rtf, csv or msg format. The email subject and attached file name are written in Japanese and contain general business, political, and economy-themed phrases such as:\r\n世界経済 (World economy)\r\n経済政策 (economic policy)\r\n予算概算要求 (budget estimation request)\r\n日米対話 (Japan-US dialogue)\r\n安倍再任 (re-appointment of Prime Minister Abe)\r\n連絡網 (contact network)\r\n職員採用案 (staff recruitment plan)\r\n会議 (meeting)\r\nHowever, there is a change in the exploit document. When we tracked ChessMaster back in November, we noted that it exploited the SOAP WSDL parser vulnerability CVE-2017-8759 (patched in September 2017) within the Microsoft .NET Framework to download additional malware. While ChessMaster still uses the previous exploit, it has also added more methods to its arsenal: one exploits another vulnerability, CVE-2017-11882 (patched in November 2017), which was also exploited to deliver illegal versions of the Loki infostealer.\r\nFigure 2. Exploitation of CVE-2017-11882\r\nIt also abuses three legitimate MS Office functions:\r\nFunction | Purpose | Affected MS Office formats we found in the wild\r\nAutomatic Dynamic Data Exchange (DDEAUTO) | A legitimate Microsoft Office function used in an Office file to retrieve data from another Office file | .doc, .rtf, .msg\r\nLink Auto Update | An Office function used for automatic, user-free updates of embedded links upon opening | .csv\r\nMicrosoft Word's \"Frames/Frameset\" | A feature that allows HTML or text pages to be loaded in a frame within Microsoft Word | .docx\r\nFigure 3. Exploitation of DDEAUTO\r\nFigure 4. Abusing Microsoft Word's \"Frames/Frameset\"\r\nFigure 5. Exploitation of Link Auto Update\r\nChessMaster can utilize any of these methods to download the next malware in the chain, the open source post-exploitation tool known as “Koadic,” which the previous campaign also used. This tool is responsible for stealing information — specifically the environment information — from the target system. Koadic executes the following command:\r\n%comspec% /q /c \u003ccmd\u003e 1\u003e \u003cOutput\u003e 2\u003e\u00261\r\nThe commands and output of Koadic change according to the ANEL version used in the attack. The figures below show examples of the commands and outputs for ANEL versions 5.1.1 rc and 5.1.2 rc1. Note that if ANEL 5.1.2 rc1 is downloaded, the attacker uses HTTPS to avoid the downloaded data being captured as clear text.\r\nFigure 6. Koadic commands and output when ANEL 5.1.1 rc is used\r\nFigure 7. Koadic commands and output when ANEL 5.1.2 rc1 is used\r\nThe table below lists all of Koadic's functions:\r\n{Variable}.user | User-related functions\r\n{Variable}.user.isElevated | Check privilege\r\n{Variable}.user.OS | Get OS version\r\n{Variable}.user.DC | Get DC name from registry\r\n{Variable}.user.Arch | Get architecture\r\n{Variable}.user.info | Get user information\r\n{Variable}.work | Main routine functions\r\n{Variable}.work.report | Reports to server\r\n{Variable}.work.error | Returns error\r\n{Variable}.work.make_url | Alters/modifies URL (C\u0026C)\r\n{Variable}.work.get | Get the return of POST header\r\n{Variable}.work.fork | Creates rundll32.exe process\r\n{Variable}.http | HTTP connection functions\r\n{Variable}.http.create | Creates initial HTTP objects\r\n{Variable}.http.post | POST header\r\n{Variable}.http.addHeaders | Adds HTTP headers\r\n{Variable}.http.get | GET header\r\n{Variable}.http.upload | Uploads binaries/data\r\n{Variable}.http.bin2str | String manipulation\r\n{Variable}.http.downloadEx | Downloads response\r\n{Variable}.http.download | Additional download function\r\n{Variable}.process | Process-related functions\r\n{Variable}.process.currentPID | Get current process ID\r\n{Variable}.process.list | Enumerates processes\r\n{Variable}.process.kill | Terminates process\r\n{Variable}.registry | Registry-related functions\r\n{Variable}.registry.HKCR | Set HKEY_CLASSES_ROOT\r\n{Variable}.registry.HKCU | Set HKEY_CURRENT_USER\r\n{Variable}.registry.HKLM | Set HKEY_LOCAL_MACHINE\r\n{Variable}.registry.STRING | Set string value\r\n{Variable}.registry.BINARY | Set binary value\r\n{Variable}.registry.DWORD | Set DWORD value\r\n{Variable}.registry.QWORD | Set QWORD value\r\n{Variable}.registry.write | Write/add registry\r\n{Variable}.registry.provider | Create registry handle\r\n{Variable}.registry.destroy | Deletes registry key\r\n{Variable}.registry.read | Get/read registry entries\r\n{Variable}.WMI | WMI-related functions\r\n{Variable}.WMI.createProcess | Creates specified process\r\n{Variable}.shell | File/process execution functions\r\n{Variable}.shell.run | Run commands\r\n{Variable}.shell.exec | Executes process\r\n{Variable}.file | File-related functions\r\n{Variable}.file.getPath | Get specified file path\r\n{Variable}.file.readText | Reads specified text file\r\n{Variable}.file.get32BitFolder | Get system folder (32/64-bit)\r\n{Variable}.file.writol | Writes to specified file\r\n{Variable}.file.deleteFile | Deletes specified file\r\n{Variable}.file.readBinary | Reads specified binary file\r\nFigure 8. Command added when the Koadic RAT is downloaded (use of {Variable}.shell.exec command)\r\nIf Koadic finds that the system is conducive to the attacker’s interests, it downloads a base64-encoded version of the ANEL malware from the Command-and-Control (C\u0026C) server and executes it. The encoded ANEL is decoded using the “certutil -decode” command. When ANEL executes, a decrypted DLL file with the filename “lena_http_dll.dll” is expanded in memory. This file contains one export function — either “crt_main” or “lena_main”.\r\nFigure 9. Base64 encoded ANEL downloaded by Koadic\r\nANEL sends the infected environment’s information to the C\u0026C server. When sending the information, ANEL encrypts the data using Blowfish, XOR, and Base64-based encryption methods. The format ANEL uses to send data is similar to ChChes, but ANEL's encryption method is easier to use.\r\nFigure 10. Encryption key using Blowfish\r\nWe initially discovered the malware known as ANEL back in September 2017. At that time, ChessMaster was using ANEL as a backdoor into the target system; ANEL then injects code into svchost.exe, which decrypts and activates the embedded backdoor. This initial version of ANEL had a hardcoded version label, “5.0.0 beta1,” and contained incomplete code. We noted that this might signify the release of a future variant. Instead of just one new variant, we discovered four different versions of ANEL:\r\n5.0.0 beta1\r\n5.1.1 rc\r\n5.1.2 rc1\r\n5.2.0 rev1\r\nThe different versions contain changes in the ANEL loader and the main ANEL DLL. The figure below shows a summary of the changes between each version:\r\nFigure 11. Summary of the changes between each version of ANEL\r\nDifferences with regard to backdoor commands:\r\nCMD ID | 5.0.0 beta1 / 5.1.1 rc / 5.1.2 rc1 | 5.2.0 rev1\r\n0x97A168D9697D40DD | Save File | Save File\r\n0x7CF812296CCC68D5 | Upload File | Upload File\r\n0x652CB1CEFF1C0A00 | NA | Load New PE file\r\n0x27595F1F74B55278 | Save File and Execute | Save File and Execute\r\nIf no match above | Execute Command or File | Execute Command or File\r\nThe differences shown in the table above are subtle but present. For example, the initial ANEL version, “5.0.0 beta1,” uses a different C\u0026C server compared to the other versions. Once ANEL evolved to “5.1.1 rc,” it changed its file type to an executable, while also changing the C\u0026C server. The third version we found (5.1.2 rc1) reverts to a DLL file type but retains the C\u0026C server. The fourth version of ANEL (5.2.0 rev1) changes the export function in the expanded main ANEL DLL and uses a different C\u0026C server. Overall, we can see subtle changes, which indicate that the threat actors behind ANEL are making incremental improvements to the malware to refine it.\r\nFigure 12. Backdoor function differences between ANEL 5.0.0 beta1/5.1.1 rc/5.1.2 rc1 (left) and ANEL 5.2.0 rev1 (right)\r\nOnce ANEL enters the user’s system, it downloads various tools that could be used for malicious purposes, including password retrieval tools as well as malicious mail services and accessibility tools that allow it to gather information about the system. These include Getpass.exe and Mail.exe, which are password and information stealers. It also downloads the following:\r\nAccevent.exe \u003c-\u003e Microsoft Accessible Event Watcher 7.2.0.0\r\nevent.dll \u003c-\u003e the loader of ssssss.ddd (detected as TROJ_ANELLDR)\r\nssssss.ddd (lena_http.bin) \u003c-\u003e encrypted BKDR_ANEL (detected as BKDR_ANELENC)\r\nThese three files work together using a common technique called DLL side-loading or DLL hijacking. In this scenario, accevent.exe is the primary executable, which is usually legitimate. After accevent.exe executes, it loads event.dll, which is placed in the same folder (so it takes loading priority); event.dll then decrypts and loads the encrypted backdoor ssssss.ddd, which is BKDR_ANEL. When we analyzed ANEL 5.1.1 rc, encrypted ANEL 5.1.2 rc1 was downloaded and executed.\r\nShort-term mitigation\r\nWhen the user opens a document that abuses DDEAUTO or Link Auto Update, Office displays a prompt. If the user clicks the “No” button, the malicious activity does not initiate.\r\nFigure 13. Popup message when the user opens the document that abuses DDEAUTO\r\nFigure 14. Popup message when the user opens the document that abuses Link Auto Update\r\nKoadic sends its own JavaScript code as plain text. This suspicious cleartext communication allows the traffic to be detected.\r\nFigure 15. Koadic’s communication traffic\r\nMedium- to long-term mitigation\r\nAt first glance, it seems ChessMaster’s evolution over the past few months involves subtle changes. However, the constant addition and changing of features and attack vectors indicate that the attackers behind the campaign are unlikely to stop and are constantly looking to evolve their tools and tactics.\r\nOrganizations can implement various techniques and best practices to defend against targeted attacks, such as regular patching to prevent vulnerability exploitation and using tools that provide protection across different network levels. Solutions that feature behavior monitoring, application control, email gateway monitoring, and intrusion detection systems can help with this.\r\nGiven how cybercriminal tools, tactics and procedures are evolving, organizations will have to go beyond their typical day-to-day security requirements and find a way to preempt attacks. Thus, there is a pressing need to detect and address threats via a proactive incident response strategy. Essentially, this involves creating a remediation plan for effectively combating the threat and using round-the-clock intrusion detection and threat analysis to prevent attacks from entering the system. A proactive strategy can be much more effective for targeted attacks, as these kinds of attacks are often designed to be elusive and difficult to detect, thus the need to scope them out. A comprehensive security strategy that involves proactive incident response will need the input of both decision makers and tech-savvy personnel, as they will need to be on the same page for it to be effective.\r\nIn addition to implementing both mitigation techniques and proactive strategies, organizations can also strengthen their security by employing solutions such as Trend Micro™ Deep Security™ and TippingPoint, which protect endpoints from threats that abuse vulnerabilities.\r\nIn addition, comprehensive security solutions can be used to protect organizations from attacks. These include Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security, which can protect users and businesses from these threats by detecting malicious files, as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ can protect enterprises by detecting malicious attachments and URLs.\r\nTrend Micro OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against all kinds of threats. A more detailed analysis of the Command-and-Control communication flow of ANEL can be found in this technical brief.\r\nIndicators of Compromise\r\nHashes of the downloader used in the campaign\r\nHashes detected as part of the BKDR_ANEL family: 5.0.0 beta1, 5.1.1 rc, 5.1.2 rc1, 5.2.0 rev1, lena_http.bin\r\nTools used in the campaign: Getpass.exe, event.dll, mail.exe\r\nURLs and IP addresses related to the campaign\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/"
	],
	"report_names": [
		"chessmaster-adds-updated-tools-to-its-arsenal"
	],
	"threat_actors": [],
	"ts_created_at": 1775434929,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0bcf0659c8c36fb16af983d686f77f1a9742e217.pdf",
		"text": "https://archive.orkl.eu/0bcf0659c8c36fb16af983d686f77f1a9742e217.txt",
		"img": "https://archive.orkl.eu/0bcf0659c8c36fb16af983d686f77f1a9742e217.jpg"
	}
}