ZeroT is a Trojan used by TA459, often in conjunction with PlugX. [1] [2]

ID: S0230
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1009 | Binary Padding | ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions. [2]
Enterprise | T1088 | Bypass User Account Control | Many ZeroT samples can bypass UAC by using eventvwr.exe to execute a malicious file. [2]
Enterprise | T1001 | Data Obfuscation | ZeroT has retrieved stage 2 payloads as Bitmap images that hide the payload with Least Significant Bit (LSB) steganography. [1] [2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | ZeroT shellcode decrypts and decompresses its RC4-encrypted payload. [2]
Enterprise | T1073 | DLL Side-Loading | ZeroT has used DLL side-loading to load malicious payloads. [1] [2]
Enterprise | T1050 | New Service | ZeroT can add a new service so that PlugX persists on the system when PlugX is delivered as a follow-on payload. [2]
Enterprise | T1027 | Obfuscated Files or Information | ZeroT has encrypted its payload with RC4. [2]
Enterprise | T1105 | Remote File Copy | ZeroT can download additional payloads onto the victim host. [2]
Enterprise | T1045 | Software Packing | Some ZeroT DLL files have been packed with UPX. [2]
Enterprise | T1071 | Standard Application Layer Protocol | ZeroT has used HTTP for C2. [1] [2]
Enterprise | T1032 | Standard Cryptographic Protocol | ZeroT has used RC4 to encrypt C2 traffic. [1] [2]
Enterprise | T1082 | System Information Discovery | ZeroT gathers the victim's computer name, Windows version, and system language, and sends them to its C2 server. [2]
Enterprise | T1016 | System Network Configuration Discovery | ZeroT gathers the victim's IP address and domain information, and sends them to its C2 server. [2]
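
The stage 2 retrieval and decryption rows above (T1001, T1140, T1027) each describe the mechanics in a single sentence. The Python below is an added example written for this page; it is not ZeroT's code and is not taken from [1] or [2]. It builds a synthetic 24-bit BMP carrying an RC4-encrypted payload in the pixel bytes' least significant bits, then recovers and decrypts it the way an analyst would when pulling a stage 2 out of a captured image. The 4-byte length-prefix framing, MSB-first bit order, synthetic cover, key and sample payload are all assumptions; ZeroT's actual bit layout and the decompression step it applies afterwards are not described on this page, so decompression is omitted.

```python
"""
Added illustration, not ZeroT's code and not from the cited reports [1] [2]:
extract a payload hidden in the least significant bits of a 24-bit BMP's pixel
data and RC4-decrypt it. Framing (4-byte LE length prefix), MSB-first bit order,
cover image, key and payload are assumptions made for this example.
"""
import struct

RC4_KEY = b"example-key"  # assumed demo key, not a ZeroT key
SAMPLE_PAYLOAD = b"MZ\x90\x00 stage-2 stub (constructed sample, not real ZeroT code)"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def make_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """BITMAPFILEHEADER + BITMAPINFOHEADER for 24-bit data; width chosen so rows need no padding."""
    if (3 * width) % 4 or len(pixels) != 3 * width * height:
        raise ValueError("pixel buffer does not match an unpadded 24-bit image")
    offset = 14 + 40
    file_hdr = b"BM" + struct.pack("<IHHI", offset + len(pixels), 0, 0, offset)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels


def embed_lsb(pixels: bytes, secret: bytes) -> bytes:
    """Hide len(secret) (4 bytes LE) then secret, one bit per pixel byte, MSB first."""
    framed = struct.pack("<I", len(secret)) + secret
    if len(framed) * 8 > len(pixels):
        raise ValueError("cover too small for the secret")
    out = bytearray(pixels)
    for i, byte in enumerate(framed):
        for b in range(8):
            out[i * 8 + b] = (out[i * 8 + b] & 0xFE) | ((byte >> (7 - b)) & 1)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then that many bytes."""
    def read_bytes(count: int, start_bit: int) -> bytes:
        buf = bytearray()
        for i in range(count):
            v = 0
            for b in range(8):
                v = (v << 1) | (pixels[start_bit + i * 8 + b] & 1)
            buf.append(v)
        return bytes(buf)

    length = struct.unpack("<I", read_bytes(4, 0))[0]
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds cover capacity; probably not an LSB carrier")
    return read_bytes(length, 32)


def recover_payload(bmp: bytes, key: bytes) -> bytes:
    """Find the pixel array via bfOffBits (file offset 10), pull the LSB stream, RC4-decrypt it."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    return rc4(key, extract_lsb(bmp[pixel_offset:]))


def build_sample_carrier(payload: bytes, key: bytes) -> bytes:
    """Constructed stand-in for a stage 2 BMP: RC4-encrypt, then embed in a synthetic cover."""
    enc = rc4(key, payload)
    width = 4                                           # 12-byte rows: 4-byte aligned, no padding
    height = -(-((len(enc) + 4) * 8) // (3 * width))    # ceil(bits needed / bytes per row)
    cover = bytes((i * 37 + 11) & 0xFF for i in range(3 * width * height))
    return make_bmp(embed_lsb(cover, enc), width, height)


def demo() -> bytes:
    """Round trip: build the carrier, then recover the plaintext stage 2."""
    return recover_payload(build_sample_carrier(SAMPLE_PAYLOAD, RC4_KEY), RC4_KEY)


if __name__ == "__main__":
    print(demo())
```

When triaging a real sample, the capacity check in extract_lsb is the first sanity test: a length prefix larger than the pixel array means either the framing assumption is wrong for that family or the image is not a carrier at all, and the RC4 key must come from the loader shellcode, since nothing in the image identifies it.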

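For the T1088 row: the eventvwr.exe bypass the page names (it does not detail ZeroT's own implementation) works by planting a handler under HKCU\Software\Classes\mscfile\shell\open\command. The auto-elevated eventvwr.exe starts mmc.exe, which resolves the .msc handler from the per-user hive before the machine hive and so runs the planted file at high integrity without a prompt. Two detections follow directly: a registry write to that key, and eventvwr.exe spawning anything other than mmc.exe. The Python below is an added example, not ZeroT's code and not taken from [1] or [2]; it runs those two checks over constructed Sysmon-style records (event ID 13, registry value set; event ID 1, process create) with an assumed SID and assumed file paths.

```python
"""
Added detection example (not ZeroT's code, not from the cited reports): flag the
eventvwr.exe UAC bypass from Sysmon-style events. SAMPLE_EVENTS is constructed
test data with a made-up SID and paths, not real logs.
"""
import ntpath

# Registry path (case-insensitive) that the eventvwr.exe bypass hijacks.
MSCFILE_HANDLER = r"\software\classes\mscfile\shell\open\command"

# Constructed sample events; field names mirror Sysmon's. Sysmon logs HKCU as HKU\<SID>.
SAMPLE_EVENTS = [
    # Dropper writes the mscfile handler (the hijack itself).
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\stage2.exe"},
    # Elevated eventvwr.exe launches the planted file instead of mmc.exe.
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\stage2.exe", "IntegrityLevel": "High"},
    # Benign: eventvwr.exe normally spawns mmc.exe.
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\mmc.exe", "IntegrityLevel": "High"},
    # Benign: a different file-class handler being edited by the user.
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Classes\txtfile\shell\open\command\(Default)",
     "Details": r"C:\Windows\System32\notepad.exe %1"},
]


def is_mscfile_handler_write(ev: dict) -> bool:
    """Sysmon 13 (RegistryEvent value set) touching the mscfile open handler."""
    return ev.get("EventID") == 13 and MSCFILE_HANDLER in ev.get("TargetObject", "").lower()


def is_unexpected_eventvwr_child(ev: dict) -> bool:
    """Sysmon 1 (ProcessCreate) where eventvwr.exe's child is not mmc.exe."""
    if ev.get("EventID") != 1:
        return False
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    child = ntpath.basename(ev.get("Image", "")).lower()
    return parent == "eventvwr.exe" and child != "mmc.exe"


def triage(events: list) -> list:
    """Return (rule, actor, target) tuples for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_mscfile_handler_write(ev):
            hits.append(("mscfile_handler_hijack", ev["Image"], ev["Details"]))
        elif is_unexpected_eventvwr_child(ev):
            hits.append(("eventvwr_unexpected_child", ev["ParentImage"], ev["Image"]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The registry rule is the higher-fidelity one: legitimate software has no reason to define a per-user handler for .msc files, so a single hit is worth an investigation on its own, whereas the process-tree rule needs the parent to still be eventvwr.exe at the time of the launch and will miss a payload that is itself named mmc.exe.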

Groups that use this software: