The Chopstick malware family is a modular backdoor used by APT28. It has been used since at least 2012, and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants, and is capable of performing remote command execution, file transmission, and keylogging.
Chopstick Malware Capabilities
Chopstick may use various methods to avoid detection and execute commands on a system. These include using domain generation algorithms to dynamically identify a destination domain for command and control traffic, abusing Unix shell commands and scripts for execution, and communicating using application layer protocols associated with electronic mail delivery. Chopstick may also move onto systems by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system. Finally, Chopstick may log user keystrokes to intercept credentials as the user types them.
The Chopstick malware may be used to enumerate files and directories, or to search for specific information within a file system. It may also modify XDG autostart entries to execute programs or commands during system boot. Chopstick may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Additionally, Chopstick may communicate using application layer protocols associated with web traffic to avoid detection and network filtering by blending in with existing traffic. The Chopstick malware may employ various means to detect and avoid virtualization and analysis environments, including changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment or sandbox.
Chopstick may interact with the Windows Registry to gather information about the system, configuration, and installed software to use the information from process discovery during automated discovery to shape follow-on behaviors, including whether or not
- Chopstick may abuse command and script interpreters to execute commands, scripts, or binaries. It may also make use of Domain Generation Algorithms to dynamically identify a destination domain for command and control traffic. This makes it very hard for defenders to block, track, or take over the command and control channel.
- Chopstick is malware that uses email delivery protocols to avoid detection and network filtering. It also uses fallback or alternate communication channels if the primary channel is compromised or inaccessible. Additionally, Chopstick can move onto systems via removable media, taking advantage of Autorun features. Finally, Chopstick may modify executable files stored on removable media or rename malware to look like legitimate files in order to trick users into executing it on a separate system.
- The Chopstick malware may log user keystrokes to intercept credentials, attempt to get detailed information about the operating system and hardware, and make an executable or file difficult to discover or analyze.
- Chopstick may perform a number of actions in order to gain information or access on a system, including enumerating files and directories, searching for specific information within a file system, or modifying XDG autostart entries. Data may also be encoded using a standard data encoding system in order to make it more difficult to detect.
- The Chopstick malware uses removable media to transfer commands from one system to another, potentially across disconnected networks. Both systems must be already compromised for this to work. Commands and files are encrypted using a symmetric encryption algorithm, and communication takes place using application layer protocols associated with web traffic, in order to avoid detection.
- The Chopstick malware may copy tools or files from an external system into a compromised environment in order to evade defenses and observation. Once present, the malware may transfer or spread these tools between victim devices within the environment. The malware may also delete any files left behind by its actions in order to minimize its footprint.
- Chopstick may attempt to gather information about security software and configurations that are installed on a system in order to determine how best to avoid detection. It may also take screenshots of the desktop to gather additional information.
- The malware known as Chopstick may employ asymmetric encryption to conceal command and control traffic, and may also create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Additionally, Chopstick may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Ways to Mitigate Chopstick Malware Capabilities
- Chopstick can be mitigated in a few different ways. One way is to capture command-line and scripting activities through proper logging of process execution with command-line arguments. Another way to detect dynamically generated domains is to check for recently registered names or for rarely visited domains. Finally, Unix shell usage may be restricted for normal users if it is not commonly used on a system.
- Chopstick can be mitigated by analyzing network data for uncommon data flows and by monitoring file access on removable media. By detecting processes that execute from removable media after it is mounted or when initiated by a user, it is possible to prevent the malware from causing further damage.
- The Chopstick malware can be mitigated by monitoring the Registry and file system for changes, driver installs, and keylogging API calls. System and network discovery techniques can also be used to detect malicious activity.
- Chopstick can be mitigated by auditing file creation and modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Additionally, analysts should look for suspicious process behavior and communications that do not follow the expected protocol behavior.
- Chopstick can be mitigated in several ways, including monitoring file access on removable media, detecting processes that execute when removable media is mounted, and analyzing network data for unusual data flows. Because the malware uses symmetric encryption, the algorithm and key recovered from samples may be used to decode network traffic and detect malware communication signatures.
- Chopstick can be mitigated by collecting file hashes and monitoring for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious.
- Chopstick's virtualization, sandbox, user activity, and related discovery checks may be difficult to detect, depending on the malware's implementation and the monitoring in place. However, monitoring for suspicious processes and image files may aid in detection.
- Chopstick can be mitigated in a few ways, including SSL/TLS inspection and auditing file creation and modification events. System and network discovery techniques can also help to identify potential Chopstick activity.
- Chopstick can be mitigated by analyzing network data for unusual activity, monitoring the Windows Registry for changes, and monitoring for system and network discovery techniques. Doing these things makes it possible to detect the malware and prevent it from causing harm.
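The first mitigation item above recommends spotting dynamically generated C2 domains by checking for recently registered names and rarely visited domains. The following is an added example of that detection logic, not code from the original page or from any vendor; it runs over a constructed DNS query log, uses a constructed stand-in for a domain-age lookup, and adds a label-entropy heuristic as a third signal.

```python
import math
from collections import Counter
from datetime import date

# Constructed sample DNS query log: "<date> <client> <queried name>" (not real telemetry).
SAMPLE_DNS_LOG = """\
2024-03-01 10.0.0.5 www.example.com
2024-03-01 10.0.0.7 www.example.com
2024-03-01 10.0.0.9 mail.example.net
2024-03-02 10.0.0.7 mail.example.net
2024-03-02 10.0.0.5 xk3vq9zpl2wd.info
2024-03-02 10.0.0.5 qwe8rtzu7ypl.biz
"""
# Stand-in for a WHOIS/domain-age lookup (assumption: constructed sample dates only).
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14), "example.net": date(1995, 8, 14),
    "xk3vq9zpl2wd.info": date(2024, 2, 27), "qwe8rtzu7ypl.biz": date(2024, 2, 28),
}

def registered_domain(qname):
    """Crude eTLD+1 (last two labels); production code should use a public-suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def label_entropy(label):
    """Shannon entropy in bits/char; algorithmically generated labels score high."""
    return -sum(c / len(label) * math.log2(c / len(label)) for c in Counter(label).values())

def flag_dga_candidates(log_text, today, max_age_days=30, min_clients=2, entropy_threshold=3.0):
    """Return {domain: [reasons]} for newly registered, rarely visited, or high-entropy domains."""
    clients_per_domain = {}
    for line in log_text.splitlines():
        _day, client, qname = line.split()
        clients_per_domain.setdefault(registered_domain(qname), set()).add(client)
    flagged = {}
    for domain, clients in clients_per_domain.items():
        reasons = []
        registered = REGISTRATION_DATES.get(domain)
        if registered is not None and (today - registered).days <= max_age_days:
            reasons.append("registered %d days ago" % (today - registered).days)
        if len(clients) < min_clients:
            reasons.append("rarely visited (%d client)" % len(clients))
        if label_entropy(domain.split(".")[0]) >= entropy_threshold:
            reasons.append("high-entropy label")
        if reasons:
            flagged[domain] = reasons
    return flagged

def run_demo():
    """Run the checks over the constructed log as of 2024-03-02."""
    return flag_dga_candidates(SAMPLE_DNS_LOG, date(2024, 3, 2))
```

Both constructed random-looking names are flagged on all three signals, while the two well-visited, long-registered domains pass.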
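The fourth mitigation item above recommends auditing the /etc/xdg/autostart and ~/.config/autostart directories that Chopstick's XDG persistence abuses. The following audit script is an added example, not code from the original page or from any project; the trusted-prefix list and the suspect-path pattern are assumptions to tune per host, and the two sample entries are constructed.

```python
import os
import re
import time
from configparser import RawConfigParser
from pathlib import Path

# Autostart directories named on the page; a .desktop entry placed here runs at session start.
AUTOSTART_DIRS = [Path("/etc/xdg/autostart"), Path(os.path.expanduser("~/.config/autostart"))]
# Assumption: login-time programs normally live under these prefixes (tune per host).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/lib/", "/usr/libexec/", "/usr/local/bin/", "/bin/")
# Staging locations a dropper tends to use: /tmp, /dev/shm, or any dot-directory.
SUSPECT_PATH = re.compile(r"/tmp/|/dev/shm/|/\.[^/\s]+/")

def audit_desktop_entry(text):
    """Return the reasons an autostart .desktop entry looks suspicious ([] if clean)."""
    parser = RawConfigParser(strict=False)  # tolerate duplicate keys; no %-interpolation
    parser.read_string(text)
    if not parser.has_section("Desktop Entry"):
        return ["missing [Desktop Entry] section"]
    entry = parser["Desktop Entry"]
    argv = entry.get("Exec", "").split() or [""]
    program = argv[0]
    reasons = []
    if program.startswith("/") and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("Exec outside trusted directories: " + program)
    if Path(program).name in {"sh", "bash", "dash", "zsh"} and "-c" in argv:
        reasons.append("inline shell command via " + Path(program).name)
    if SUSPECT_PATH.search(" ".join(argv)):
        reasons.append("Exec references /tmp, /dev/shm or a dot-directory")
    if entry.get("NoDisplay", "").lower() == "true":
        reasons.append("hidden from menus (NoDisplay=true)")
    return reasons

def scan_autostart_dirs(dirs=AUTOSTART_DIRS, recent_days=7):
    """Audit every .desktop file in the given directories; also flag recent modifications."""
    cutoff = time.time() - recent_days * 86400
    findings = {}
    for d in dirs:
        for p in (sorted(d.glob("*.desktop")) if d.is_dir() else []):
            reasons = audit_desktop_entry(p.read_text(errors="replace"))
            if p.stat().st_mtime >= cutoff:
                reasons.append("modified within the last %d days" % recent_days)
            if reasons:
                findings[str(p)] = reasons
    return findings

# Constructed sample entries (not taken from any real system).
BENIGN_ENTRY = "[Desktop Entry]\nType=Application\nName=Network Applet\nExec=/usr/bin/nm-applet\n"
SUSPICIOUS_ENTRY = ("[Desktop Entry]\nType=Application\nName=Update Service\nNoDisplay=true\n"
                    'Exec=/bin/sh -c "/tmp/.cache/update >/dev/null 2>&1"\n')
```

Run scan_autostart_dirs() on a host to list flagged entries; a one-off audit is no substitute for file-integrity monitoring of both directories.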
About the APT28 Threat Group
APT28, a Russian threat group, has been active since 2004 and has been linked to various cyber operations, including against the Hillary Clinton campaign in 2016.