{
	"id": "0f2c549a-60d1-49c3-8047-0dd547ca81ff",
	"created_at": "2026-04-06T02:13:10.583763Z",
	"updated_at": "2026-04-10T03:20:50.355717Z",
	"deleted_at": null,
	"sha1_hash": "11f26728fd973ab248ad9d75a6ee0e7f7ed2dcc4",
	"title": "Unusual Exploit Kit Targets Chinese Users (Part 2)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 735265,
	"plain_text": "Unusual Exploit Kit Targets Chinese Users (Part 2)\r\nBy Malwarebytes Labs\r\nPublished: 2015-06-11 · Archived: 2026-04-06 01:31:43 UTC\r\nRecently, our researchers identified a strange exploit kit targeting Chinese domains. In that writeup, we talked about how the exploit kit operates in great detail, including infection vectors, the delivered payload executables, and how the kit stops in its tracks if the Chinese AV Qihoo 360 is detected.\r\nThis article discusses the malware delivered by that exploit kit. The malware, which has been identified by many vendors on VirusTotal, has been labeled by our researchers as Trojan.Chinad, or just “Chinad” as a short alternative label.\r\nObserved Chinad Malware Files:\r\nnotepad.exe (MD5: 5a454c795eccf94bf6213fcc4ee65e6d)\r\npic.jpg (MD5: 4e8639378d7a302c7474b5e4406dd7b4)\r\nimage.png (MD5: 55c447191d9566c7442e25c4caf0d2fe)\r\n5003.tmp (MD5: d6ce4b6db8407ca80193ede96d812bb7) – real name “Module_UacBypass.dll”\r\nNotepad.exe (Chinad)\r\nSummary\r\nNotepad.exe (“Chinad”) behaves much like a typical bot client. This binary, along with image.png, is the main component of the Chinad malware.\r\nThe Chinad bot sends network requests to a remote server, from which it receives commands to carry out various tasks on the victim’s computer. Some of this functionality includes injecting arbitrary shellcode into itself, although the primary purpose of the bot appears to be DoS attacks.\r\nDelivery of this Chinad malware executable has been observed via FTP and after successful exploitation of CVE-2014-6332 in Microsoft Internet Explorer.\r\nTechnical Analysis\r\nThe executable has been compressed with UPX to reduce its size, making network transfers to potential victims more efficient.\r\nUnderneath the UPX compression is a rather clean Microsoft Visual C++ executable.\r\nhttps://www.malwarebytes.com/blog/news/2015/06/unusual-exploit-kit-targets-chinese-users-part-2\r\nPage 1 of 13\r\nChinad first creates a mutex with the hardcoded name “Global\\3672a9586a5f342b2ca070851e425db6” and copies itself into the user’s System folder if Admin privileges are found, and into the Appdata folder if not:\r\n%windir%SystemInitwininit.exe (\"C:\\Windows\" being a typical value for %windir%) %appdata%MicrosoftSyst\r\nIt remains persistent on the victim’s system using either a traditional “run key” registry method or the Windows Task Scheduler, the command line for which can be observed below:\r\nC:\\Windows\\system32\\schtasks.exe /create /F /sc onstart /tn MicrosoftWindowsShellInit /tr C:WindowsSyste\r\nThis will also launch Chinad as a system user, the account having the highest level of privileges within Windows.\r\nBefore contacting any related malware servers, Chinad first performs a simple Internet connectivity test, trying to contact www.baidu.com.\r\nChinad sleeps if it has no active Internet connection; otherwise, it continues on to retrieve commands.\r\nReceiving Commands\r\nReceiving commands to execute is done by retrieving a file called “bootstrap.min.css” from a remote server (a hardcoded IP address by default). An example of this request can be seen in the image below.\r\nHowever, before Chinad can read any commands, it must first decrypt the retrieved file, which has been encrypted with the Salsa20 cipher, identified by the string “expand 32-byte k” and similar decompiled source code.\r\nCommands accepted by Chinad include:\r\nupdate - Store current cnc and report server info in an encrypted file. Then, download and execute an\r\nThe first command typically received by Chinad from the C\u0026C server is the “update” command, which contains a parameter with a download URL for the updated malware binary. In this case, it is image.png, a slightly more robust version of the bot.\r\nCommands appear to be separated by a semicolon, the same statement separator used in many modern programming languages, such as C. It appears that multiple commands can be issued at a time, as the “attack_reset” command is issued next. An example of a full command is seen below:\r\ntimestamp,1431270567; update,http:///image.png?13572v44,44,1,5b7e022f5009004985b34cf091d06752c765a25b\r\nThe timestamp keyword is not actually a command, but carries a value representing a decimal-formatted FILETIME structure that is compared with the system’s time. This appears to ensure the malware only executes commands during times the botmaster wishes, and allows the botmaster to control when a bot will “expire”.\r\nIn the case of the update command, Chinad does something special before updating the malware: it first stores its current configuration information in a Salsa20-encrypted file. If the user has Admin privileges, this file is stored at:\r\n%windir%LogsWMIEventSystemEvent.evt\r\nIf no Admin privileges are available, the file is stored at:\r\n%appdata%MicrosoftSystemwow64.dll\r\nWhen the updated malware is executed, it first opens this file and decrypts its contents to retrieve the last-known address of both the C\u0026C and reporting server.\r\nReporting Information\r\nSending report information is another feature of Chinad, although it is not well understood at this point in time. Chinad first calls GetAdaptersInfo, which retrieves information about the victim’s network adapters, such as the name and IP address. Next, it executes an algorithm to generate a special value.\r\nAt the time of this writing, we could not ascertain the meaning of this value. In addition, the report server always responds to the request with “AAA”.\r\nOne theory is that our samples of Chinad have “expired” (invalid timestamp values), and thus the reporting function is not working properly. It may also be that the report server used during analysis was simply not working properly.\r\nRegardless, the values included in the request must have a special meaning that only the report server understands. We will update this section if more information becomes available.\r\nAttacking Targets\r\nAs mentioned earlier, Chinad can receive attack commands, in which it is instructed to attack a specified IP address. Attacks can be carried out over either TCP or UDP sockets. The purpose of this appears to be carrying out Distributed Denial of Service attacks, often abbreviated as DDoS attacks.\r\nOnce the attack thread is created, Chinad continuously sends data to the target, sleeping after each send for a time specified by the attacker.\r\nIt will not stop attacking a target unless it is issued another attack command or the attack_reset command.\r\nBelow is an example of data sent to a target over a UDP socket.\r\nTo generate this data, Chinad retrieves the address of the thread’s tiddata block using the CRT function __getptd. It then mangles the returned data somewhat before sending it to the target.\r\nPic.jpg\r\nSummary\r\nAs mentioned in our previous blog, we have observed this Chinad malware being delivered through both Flash and Java exploits.\r\nPic.jpg is a Dll and requires a parent module (a loader), either a web browser or Java, to run it. Like other parts of the Chinad set, pic.jpg aims to get the main bot component, image.png, installed onto the victim’s computer. This is its sole purpose, and can be achieved in several ways, including exploiting the victim once again.\r\nTechnical Analysis\r\nOn the exterior, pic.jpg is rather plain and straightforward. The file has no obfuscation applied and no additional exported functions.\r\nFirst, pic.jpg performs a simple check of the full path of the loader process on disk. For example, if the exploit occurred using Flash in a browser, the loader might be at C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe, the standard path to Microsoft Internet Explorer. Pic.jpg looks for the following strings in the path of the loader:\r\njava\r\niexplore.exe\r\nmshtml.dll (checks if loaded in memory)\r\nchrome.exe\r\nfirefox.exe\r\nsafari.exe\r\nopera.exe\r\nIf pic.jpg does not find at least one of these strings in the loader process, it terminates, likely assuming it is being analyzed. This can sometimes bypass automated analysis systems, like sandboxes.\r\nPic.jpg then attempts to exploit the TS WebProxy component of Microsoft Windows, a vulnerability documented as CVE-2015-0016. This privilege escalation attack (detailed description from Trend Micro here) allows an attacker to launch an arbitrary process. In this case, pic.jpg executes a PowerShell command in a hidden window. Parameters to the PowerShell command are seen below, where a base64-encoded gzip archive is first decompressed; this archive contains a script, located in the variable $s, that is then executed.\r\nThe decompressed script contains shellcode (also base64 encoded) that is placed in newly allocated memory (VirtualAlloc) and executed as a thread.\r\nOnce the shellcode executes, it retrieves image.png from a remote server, names it desktop.ini.exe, and executes it.\r\nIn the event that the TS WebProxy exploit does not work, pic.jpg will also try downloading image.png from a remote server, either directly using UrlDownloadToFile or through a Visual Basic script that is dropped in a Temp directory.\r\nImage.png (Protected Chinad)\r\nSummary\r\nDelivery of this Chinad malware executable has been observed via FTP and after successful exploitation of CVE-2014-6332 in Microsoft Internet Explorer.\r\nImage.png is another variant of the Chinad bot and is nearly identical to notepad.exe in terms of functionality. However, it has a few extra functions and much stronger anti-analysis capabilities.\r\nTechnical Analysis\r\nUnlike notepad.exe, the attackers have chosen to protect image.png using the powerful Themida protector, a commercial product from Oreans.\r\nThemida has a long reputation as a strong protector for executable files. The protector has an extensive feature set, including capabilities such as VM and forensic tool detection.\r\nIn addition, Themida offers different (mutable) protection code that changes drastically as different features are enabled, making it even harder to automate the process of unpacking.\r\nIt seems an odd decision for the attackers to have obfuscated image.png and not notepad.exe, as notepad.exe is much easier to analyze and is essentially the same bot.\r\nOne major difference is noted in image.png, where a special Dll is dropped to disk in the user’s Temp directory before retrieving commands from the C\u0026C server.\r\nThis Dll, known by its real name “Module_UacBypass.dll” (the file name on disk is a temporary file name), is used to establish persistence and bypass User Account Control (UAC) on non-Windows XP systems. More details on this Dll are noted in the section below.\r\nBesides this, no other major differences have been observed in image.png. It still retains all of the functionality of its related binary, notepad.exe. As future versions of the bot are developed, it seems likely they will be delivered in a protected form, perhaps still using Themida.\r\n5003.tmp (“Module_UacBypass.dll”)\r\nSummary\r\nModule_UacBypass.dll (“Uac_bypass.dll”) is a module used by the protected version of the Chinad bot (image.png). Its main purpose is maintaining persistence for non-Admin users running Windows Vista and later. Persistence is done using non-traditional methods, which involve hijacking a Windows SQL Server Dll to bypass UAC and maintain a footprint on the victim’s computer.\r\nTechnical Analysis\r\nUac_Bypass.dll has two exported functions, Func1 and Func2, along with some interesting string artifacts, including the real name of the Dll, “Module_UacBypass.dll”.\r\nIt is interesting that the authors chose to prefix the name with “Module,” suggesting that more modules might be planned for the Chinad bot, or perhaps are already in circulation.\r\nUac_Bypass.dll is primarily used to establish persistence of the Chinad bot for non-Admin users (for Admin users, persistence is achieved using the schtasks.exe method seen in the analysis of notepad.exe). The module also bypasses UAC, a security feature added in Windows Vista to help prevent execution of malicious programs. Since UAC is not available on Windows XP, this Dll will not execute on systems running that OS.\r\nFirst, Uac_bypass.dll makes a copy of itself in the Temp directory called NTWDBLIB.dll, and then packages that file into a cabinet archive. NTWDBLIB.dll is the name of a library used by Microsoft SQL Server.\r\nThe purpose of this is to use the cabinet along with wusa.exe to update NTWDBLIB.dll (if it exists) with a copy of Uac_Bypass.dll, thereby hijacking the Dll. Wusa.exe is the Windows Update Standalone Installer, which allows Windows updates to be applied from a supplied cabinet.\r\nUac_Bypass.dll also writes a special registry key to:\r\nHKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\UacCompat\r\nThis key value contains the path to the Chinad bot.\r\nThen, Uac_Bypass.dll executes cliconfig.exe, which loads the new, malicious NTWDBLIB.dll into memory and calls its DllMain function.\r\nInside DllMain, Uac_Bypass.dll checks whether the string “cliconfig.dll” is in the calling process name. If it is, it retrieves the path of the Chinad bot from the registry key above and runs it with CreateProcess.\r\nThis bypass method has been discussed before here, and has been seen in malware as early as 2013.\r\nConclusion\r\nThe Chinad bot appears to have been designed mainly for carrying out DDoS attacks using mostly Chinese victim computers.\r\nThus far, infected webpages that deliver Chinad have only been spotted on Chinese domains (hence the bot name), while the exploit kit itself that delivers the malware has been spotted on servers in both Malaysia and Singapore.\r\nOur research teams have not yet seen Chinad outside of Asia, and other clues, such as testing Internet connectivity using both baidu.com and qq.com, suggest the bot has a primary focus on Asia.\r\nWhile it doesn’t offer anything revolutionary, we believe the Chinad bot is still in its infancy, as some mistakes appear to have been made by the developers. These include not applying a packer or protector to notepad.exe, a variant of the Chinad bot, as well as leaving many relevant strings, such as the name “Module_UacBypass.dll”, in plain sight.\r\nThese things lead us to believe that Chinad was not the work of a seasoned professional, and not likely the work of a group with large resources, such as a nation-state. It will be interesting to see whether Chinad offers more improvements with time, along with added functionality.\r\nContributing analysts: @joshcannell @hasherezade\r\nSource: https://www.malwarebytes.com/blog/news/2015/06/unusual-exploit-kit-targets-chinese-users-part-2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2015/06/unusual-exploit-kit-targets-chinese-users-part-2"
	],
	"report_names": [
		"unusual-exploit-kit-targets-chinese-users-part-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775441590,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11f26728fd973ab248ad9d75a6ee0e7f7ed2dcc4.pdf",
		"text": "https://archive.orkl.eu/11f26728fd973ab248ad9d75a6ee0e7f7ed2dcc4.txt",
		"img": "https://archive.orkl.eu/11f26728fd973ab248ad9d75a6ee0e7f7ed2dcc4.jpg"
	}
}