ZeroT is a Trojan used by TA459, often in conjunction with PlugX. [1] [2]

ID: S0230
Platforms: Windows
Version: 1.1
Created: 18 April 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ZeroT has used HTTP for C2.[1][2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

ZeroT can add a new service to ensure PlugX persists on the system when delivered as another payload onto the system.[2]

Enterprise T1001 .002 Data Obfuscation: Steganography

ZeroT has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography.[1][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

ZeroT has used RC4 to encrypt C2 traffic.[1][2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

ZeroT has used DLL side-loading to load malicious payloads.[1][2]

Enterprise T1105 Ingress Tool Transfer

ZeroT can download additional payloads onto the victim.[2]

Enterprise T1027 Obfuscated Files or Information

ZeroT has encrypted its payload with RC4.[2]

.001 Binary Padding

ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.[2]

.002 Software Packing

Some ZeroT DLL files have been packed with UPX.[2]

Enterprise T1082 System Information Discovery

ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.[2]

Enterprise T1016 System Network Configuration Discovery

ZeroT gathers the victim's IP address and domain information, and then sends it to its C2 server.[2]

Groups That Use This Software

ID Name References
G0062 TA459