Cohhoc
⚠️ Overview
Cohhoc is a remote access trojan (RAT) first documented in July 2024 by analysts at Unit 42 (Palo Alto Networks). It is attributed to a Chinese-speaking threat group tracked as TA428, which typically targets government and telecommunications entities in Southeast Asia for cyberespionage.
🔧 Technical Capabilities
Cohhoc uses spear-phishing emails with malicious Office documents as its primary initial infection vector, exploiting CVE-2017-11882 (Equation Editor) to drop the payload. The RAT establishes command-and-control (C2) communication via HTTPS over port 443, using a custom encrypted protocol with base64-encoded JSON blobs. It achieves persistence by creating a scheduled task named "MicrosoftEdgeUpdateTask" and modifying the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Evasion techniques include sandbox detection by checking for common analysis tools (e.g., Wireshark, Process Monitor) and delaying execution by sleeping for random intervals. The malware can enumerate files, capture keystrokes, take screenshots, and exfiltrate documents using FTP or HTTP POST requests. It also downloads and executes additional modules, including a keylogger and a credential stealer that targets saved browser passwords and Outlook credentials.
📜 History & Notable Incidents
Cohhoc first appeared in July 2024, initially observed in campaigns against Myanmar's telecommunications sector. In September 2024, Unit 42 linked a large-scale intrusion at a Vietnamese government ministry to Cohhoc, where attackers exfiltrated 50 GB of sensitive data over two months. No CVEs are exclusive to Cohhoc, but it frequently exploits the known CVE-2017-11882. No law enforcement takedowns have been reported as of October 2024.
🔍 Detection Indicators
Known file hashes include SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (first-stage DLL loader). Behavioral signatures include creation of the scheduled task "MicrosoftEdgeUpdateTask" and outbound HTTPS traffic to domains ending in ".top" or ".xyz" (e.g., update-service[.]xyz). Registry artifact: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate with value pointing to C:\ProgramData\svchost.exe.
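The following is an added detection example, not code from this page or from Unit 42: it matches the behavioral, registry and domain indicators listed above against Sysmon-style telemetry. The event ids (13 registry value set, 1 process create, 22 DNS query) are Sysmon's; the sample event records are constructed for illustration.

```python
# Indicators taken from the Detection Indicators section above.
TASK_NAME = "MicrosoftEdgeUpdateTask"
RUN_VALUE_NAME = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate"
RUN_VALUE_DATA = r"C:\ProgramData\svchost.exe"
SUSPICIOUS_TLDS = (".top", ".xyz")

# Constructed Sysmon-style events (not real captures): one true positive per
# indicator plus benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"id": 13, "TargetObject": RUN_VALUE_NAME, "Details": RUN_VALUE_DATA},
    {"id": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "MicrosoftEdgeUpdateTask" /tr C:\\ProgramData\\svchost.exe /sc minute'},
    {"id": 22, "QueryName": "update-service.xyz"},
    {"id": 22, "QueryName": "www.microsoft.com"},
]


def match_event(evt):
    """Return the names of the page's indicators that this one event matches."""
    hits = []
    eid = evt.get("id")
    if eid == 13:  # registry value set
        target = evt.get("TargetObject", "").lower()
        data = evt.get("Details", "").lower()
        if target == RUN_VALUE_NAME.lower():
            hits.append("run_key_value_name")
        # svchost.exe living outside System32 is suspicious on its own.
        if data == RUN_VALUE_DATA.lower() or data.endswith(r"\programdata\svchost.exe"):
            hits.append("programdata_svchost_autorun")
    elif eid == 1:  # process create: look for the task being registered
        cmd = evt.get("CommandLine", "").lower()
        if "schtasks" in cmd and "/create" in cmd and TASK_NAME.lower() in cmd:
            hits.append("scheduled_task_name")
    elif eid == 22:  # DNS query as a proxy for outbound HTTPS destination
        name = evt.get("QueryName", "").lower().rstrip(".")
        if name.endswith(SUSPICIOUS_TLDS):
            hits.append("low_reputation_tld")
    return hits


def scan(events):
    """Map event index -> indicator hits for every event that matched."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The ".top"/".xyz" rule alone will fire on legitimate traffic; treat it as a corroborating signal and alert on the task or Run-key hits.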
☠️ Risk & Impact
Cohhoc poses high risk for data exfiltration, particularly targeting government and telecommunications sectors in Southeast Asia. In the September 2024 campaign, attackers stole encrypted diplomatic cables and employee credentials, causing significant operational and reputational damage. Financial losses are difficult to quantify but include costs from incident response, system cleanup, and loss of intellectual property.
🛡️ Mitigation
Mitigation includes applying Microsoft patch MS17-014 (CVE-2017-11882), enabling macro-blocking in Microsoft Office, and deploying network detection rules for outbound HTTPS to suspicious domains with low reputation scores. Unit 42 recommends using YARA rules (available in their October 2024 report) to detect the Cohhoc loader DLL.