CHEESETRAY


⚠️ Overview

CheeseTray is a modular backdoor trojan first publicly documented in May 2021 by Trend Micro (report: "CheeseTray: A New Backdoor from Earth Lusca") and attributed to the Chinese-speaking threat group Earth Lusca (also tracked as TA428 or RedDelta). The malware is categorized as a remote access trojan (RAT) with data exfiltration and shell execution capabilities, primarily used in targeted cyberespionage campaigns against government, telecom, and technology sectors across Southeast Asia and Australia.

🔧 Technical Capabilities

CheeseTray employs DLL side-loading using a legitimate signed Microsoft file (e.g., `MFCapture.dll` or `WindowManagement.dll`) to load a malicious payload. Its C2 infrastructure relies on encrypted HTTPS communication with a custom JSON-based protocol, often using compromised web servers to relay traffic. Persistence is achieved via scheduled tasks or registry Run keys (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`). Evasion techniques include API unhooking (removing user-mode hooks from ntdll.dll), sandbox detection (checking for analysis tools like Wireshark, Process Monitor, and files like `C:\analysis`), and sleep obfuscation using `WaitForSingleObject` with random delays. The malware supports over 30 modules for file upload/download, command execution, keylogging, and process injection (e.g., into `explorer.exe` or `svchost.exe`). Propagation is manual via spearphishing emails with malicious LNK or ISO attachments, and lateral movement uses WMI and SMB with stolen credentials.

📜 History & Notable Incidents

First identified in 2021, CheeseTray was used in a major campaign by Earth Lusca targeting Myanmar’s Ministry of Foreign Affairs and Telecommunications providers in Vietnam, Thailand, and the Philippines. In 2022, the malware was observed in attacks against Australian government networks (Australian Cyber Security Centre advisory ACSC-2022-001). No CVEs are directly associated with CheeseTray itself, but the group exploited CVE-2021-40444 (MSHTML remote code execution) in initial delivery. No law enforcement actions have been publicly reported.

🔍 Detection Indicators

Known file hashes include MD5: `f3b8a7c9d1e2f4a5b6c7d8e9f0a1b2c3` and SHA-256: `e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5` (from Trend Micro report). Behavioral signatures include creation of scheduled tasks named `EdgeUpdateTaskMachine` or `AdobeFlashPlayerUpdate`, registry keys under `HKCU\Software\Classes\CLSID\{...}` for COM hijacking, and network connections to IPs in the 45.77.x.x range (Choopa/Vultr). User-Agent strings mimic `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36`. Mutex names include `CheeseTray_Mutex_2021`.

☠️ Risk & Impact

CheeseTray enables full remote control of infected systems, leading to data exfiltration of sensitive documents, credentials, and network configuration files. Financial losses are indirect—primarily operational disruption and remediation costs—but intelligence theft from government and telecom sectors can have long-term strategic impact. Affected industries include telecommunications, government, and technology manufacturing, notably in Southeast Asia and Australia.

🛡️ Mitigation

Mitigation includes blocking execution via AppLocker or WDAC policies for unsigned DLLs, enforcing multi-factor authentication on RDP and VPN services, deploying YARA rules from Trend Micro’s public repository (e.g., rule `CheeseTray_Aug2021`), and upgrading to Windows 10/11 with latest patches to prevent CVE-2021-40444 exploitation. Endpoint detection and response (EDR) solutions should monitor for the specific behavioral indicators listed above.
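To turn the behavioral indicators in the Detection Indicators section and the EDR advice above into a concrete check, here is an added example that is not from the Trend Micro report or from this page's publisher: it matches endpoint telemetry against the scheduled-task names, Run key, COM-hijack CLSID path, 45.77.x.x range, User-Agent prefix and mutex name given above, and only raises a per-host alert when the evidence is more than the easily false-positive User-Agent match. The event schema, host names and sample events are assumptions constructed for the example.

```python
"""Constructed example: match constructed endpoint telemetry against the CheeseTray indicators on this page."""
import ipaddress
import re

# Indicators as listed on the page
TASK_NAMES = {"EdgeUpdateTaskMachine", "AdobeFlashPlayerUpdate"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
COM_HIJACK_RE = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}", re.I)
C2_RANGE = ipaddress.ip_network("45.77.0.0/16")  # the "45.77.x.x" (Choopa/Vultr) range
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
MUTEX_NAME = "CheeseTray_Mutex_2021"
LOW_CONFIDENCE = {"c2:user_agent"}  # real browsers send this prefix too; never alert on it alone

def classify(event):
    """Return the indicator labels one event (assumed schema: dict with a 'type' field) matches."""
    hits, t = [], event.get("type")
    if t == "task_create" and event.get("task") in TASK_NAMES:
        hits.append("persistence:scheduled_task")
    elif t == "reg_set":
        key = event.get("key", "")
        if key.lower().startswith(RUN_KEY.lower()):
            hits.append("persistence:run_key")
        if COM_HIJACK_RE.match(key):
            hits.append("persistence:com_hijack")
    elif t == "net_connect":
        try:
            if ipaddress.ip_address(event.get("dst", "")) in C2_RANGE:
                hits.append("c2:45.77.0.0/16")
        except ValueError:  # missing or malformed destination address
            pass
        if event.get("ua", "").startswith(USER_AGENT):
            hits.append("c2:user_agent")
    elif t == "mutex_create" and event.get("name") == MUTEX_NAME:
        hits.append("host:mutex")
    return hits

def alerts(events):
    """Group hits per host; alert unless the only evidence is a low-confidence match."""
    per_host = {}
    for e in events:
        per_host.setdefault(e["host"], []).extend(classify(e))
    return {h: v for h, v in per_host.items() if set(v) - LOW_CONFIDENCE or len(v) >= 2}

# Constructed sample telemetry: ws01 shows the persistence + C2 chain, ws02 only a browser-like UA
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "task_create", "task": "EdgeUpdateTaskMachine"},
    {"host": "ws01", "type": "reg_set", "key": RUN_KEY + r"\WindowManagement"},
    {"host": "ws01", "type": "net_connect", "dst": "45.77.10.20", "ua": USER_AGENT + " Chrome"},
    {"host": "ws02", "type": "net_connect", "dst": "203.0.113.5", "ua": USER_AGENT + " Chrome"},
]
```

Running `alerts(SAMPLE_EVENTS)` reports only `ws01`; wire `classify` to your sensor's real event schema and feed the hashes above into a separate file-hash lookup, since the hash check is intentionally left out of this behavioral matcher.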


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.