ZxxZ

ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.[1]

ID: S1013
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 02 June 2022
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

ZxxZ can collect data from a compromised host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

ZxxZ has used a XOR key to decrypt strings.[1]

Enterprise T1105 Ingress Tool Transfer

ZxxZ can download and execute additional files.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

ZxxZ has been disguised as a Windows security update service.[1]

Enterprise T1106 Native API

ZxxZ has used API functions such as Process32First, Process32Next, and ShellExecuteA.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

ZxxZ has been encoded to avoid detection from static analysis tools.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

ZxxZ has been distributed via spearphishing emails, usually containing a malicious RTF or Excel attachment.[1]

Enterprise T1057 Process Discovery

ZxxZ has created a snapshot of running processes using CreateToolhelp32Snapshot.[1]

Enterprise T1012 Query Registry

ZxxZ can search the registry of a compromised host.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

ZxxZ has used scheduled tasks for persistence and execution.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

ZxxZ can search a compromised host to determine if it is running Windows Defender or Kasperky antivirus.[1]

Enterprise T1082 System Information Discovery

ZxxZ has collected the host name and operating system product name from a compromised machine.[1]

Enterprise T1033 System Owner/User Discovery

ZxxZ can collect the username from a compromised host.[1]

Enterprise T1204 .002 User Execution: Malicious File

ZxxZ has relied on victims to open a malicious attachment delivered via email.[1]

Groups That Use This Software

ID Name References
G1002 BITTER

[1]

References