Skip to content

S0027 Zeroaccess

Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain. 1

Item Value
ID S0027
Type MALWARE
Version 1.0
Created 31 May 2017
Last Modified 17 October 2018
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1564 Hide Artifacts -
enterprise T1564.004 NTFS File Attributes Some variants of the Zeroaccess Trojan have been known to store data in Extended Attributes.2
enterprise T1014 Rootkit Zeroaccess is a kernel-mode rootkit.1

References

  1. Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016. 

  2. Ciubotariu, M. (2014, January 23). Trojan.Zeroaccess.C Hidden in NTFS EA. Retrieved December 2, 2014.