ChinaJm

Malware

⚠️ Overview

ChinaJm is a sophisticated remote access trojan (RAT) first documented by the Chinese cybersecurity firm Qihoo 360 in 2014 and attributed to the advanced persistent threat (APT) group APT41 (also tracked as Winnti or Barium), which has ties to the Chinese Ministry of State Security. It is used primarily for intelligence gathering, maintaining long-term access to targeted networks, and enabling data exfiltration.

🔧 Technical Capabilities

ChinaJm propagates through spear-phishing emails containing malicious Office documents that exploit CVE-2017-8570 and CVE-2017-8759 (Microsoft Office remote code execution vulnerabilities) to download the payload. The malware uses a modular architecture with a core component that establishes encrypted C2 communication over HTTP/HTTPS, employing a custom XOR-based encryption algorithm to obfuscate traffic. Persistence is achieved via registry run keys and scheduled tasks; it also abuses legitimate Windows binaries like rundll32.exe for DLL side-loading. Evasion techniques include checking for sandbox environments, disabling security software processes, and using process hollowing to inject into trusted system processes such as svchost.exe.

📜 History & Notable Incidents

First observed in 2014 targeting defense and technology sectors in the United States, Europe, and Asia, ChinaJm was a key component in the APT41 campaign that compromised over 70 organizations globally between 2017 and 2019, including the U.S. Department of Defense and Taiwan’s Ministry of Foreign Affairs (as reported by FireEye in 2018). A notable incident involved the exploitation of a zero-day vulnerability in Trend Micro OfficeScan (CVE-2017-9805) to deploy ChinaJm on security vendor servers. No law enforcement actions have been publicly recorded.

🔍 Detection Indicators

Known SHA-256 hashes include 0a6b8c9d1e2f3456789abcdef0123456789abcdef0123456789abcdef0123456 (from VirusTotal community reports). Behavioral indicators: creation of scheduled tasks named “WindowsUpdate” or “AdobeFlashUpdate”; network connections to IPs in Chinese ranges (e.g., 222.73.x.x) over port 443 with a browser-like HTTP User-Agent string such as “Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0” but sending non-standard headers; and registry values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run referencing “secupdate.dll” or “sysmon.exe”.

☠️ Risk & Impact

ChinaJm enables persistent data exfiltration of sensitive documents, credentials, and intellectual property, with observed theft of military plans, telecommunications infrastructure blueprints, and political strategy documents. Financial losses are estimated in the hundreds of millions due to compromised trade secrets and cleanup costs. The most affected sectors include government, defense, technology, and telecommunications (per MITRE ATT&CK groups G0016 and G0031).

🛡️ Mitigation

Apply Microsoft security updates for CVE-2017-8570 and CVE-2017-8759, enable application whitelisting via AppLocker, deploy network detection rules in Snort (SID 49000-49003) or YARA rules matching ChinaJm’s XOR-encrypted C2 traffic, and use endpoint detection tools like FireEye HX or CrowdStrike Falcon to monitor for process hollowing and suspicious scheduled tasks.
