S0230 ZeroT
ZeroT is a Trojan used by TA459, often in conjunction with PlugX.[1][2]
Item | Value |
---|---|
ID | S0230 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 18 April 2018 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Many ZeroT samples can bypass UAC by using eventvwr.exe to execute a malicious file.[2] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | ZeroT has used HTTP for C2.[1][2] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | ZeroT can add a new Windows service so that PlugX persists on the system when PlugX is delivered as a follow-on payload.[2] |
enterprise | T1001 | Data Obfuscation | - |
enterprise | T1001.002 | Steganography | ZeroT has retrieved stage 2 payloads as Bitmap images that hide data using Least Significant Bit (LSB) steganography.[1][2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | ZeroT shellcode decrypts and then decompresses its RC4-encrypted payload.[2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | ZeroT has used RC4 to encrypt C2 traffic.[1][2] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | ZeroT has used DLL side-loading to load malicious payloads.[1][2] |
enterprise | T1105 | Ingress Tool Transfer | ZeroT can download additional payloads onto the victim host.[2] |
enterprise | T1027 | Obfuscated Files or Information | ZeroT has encrypted its payload with RC4.[2] |
enterprise | T1027.001 | Binary Padding | ZeroT has obfuscated DLLs and functions by inserting dummy API calls between real instructions.[2] |
enterprise | T1027.002 | Software Packing | Some ZeroT DLL files have been packed with UPX.[2] |
enterprise | T1082 | System Information Discovery | ZeroT gathers the victim's computer name, Windows version, and system language, then sends them to its C2 server.[2] |
enterprise | T1016 | System Network Configuration Discovery | ZeroT gathers the victim's IP address and domain information, then sends them to its C2 server.[2] |
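The T1548.002 row above names only eventvwr.exe. Public research on that bypass (not this page) documents the mechanism: eventvwr.exe auto-elevates and opens its .msc console through the `mscfile` file-association handler, and a per-user handler under HKCU\Software\Classes\mscfile\shell\open\command is honoured ahead of the machine-wide one, so a command planted there runs at high integrity. The detection logic below is an added example, not MITRE's or the cited vendors' code. The event lines are constructed in a simplified pipe-separated key=value form standing in for Sysmon Event ID 13 (registry value set) and Event ID 1 (process create); the field names, file paths and SID are assumptions.

```python
"""Flag the eventvwr.exe UAC-bypass pattern in simplified Sysmon-style event lines.
Added detection example; the event format below is constructed, not real Sysmon output."""
import re
from typing import Dict, Iterable, List

# Per-user file-association handler hijacked by the eventvwr.exe bypass (documented in
# public research on the technique, not on the ATT&CK page). eventvwr.exe auto-elevates
# and opens its .msc console via the mscfile handler, and HKCU is consulted before HKCR.
MSCFILE_HANDLER = re.compile(r"\\software\\classes\\mscfile\\shell\\open\\command", re.IGNORECASE)
EVENTVWR = re.compile(r"\\eventvwr\.exe$", re.IGNORECASE)
MMC = re.compile(r"\\mmc\.exe$", re.IGNORECASE)

# Constructed sample events in pipe-separated key=value form, standing in for Sysmon
# Event ID 13 (RegistryEvent, value set) and Event ID 1 (ProcessCreate). Paths and SID are made up.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Users\\bob\\AppData\\Local\\Temp\\dropper.exe"
    "|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"
    "|Details=C:\\Users\\bob\\AppData\\Local\\Temp\\payload.exe",
    "EventID=1|Image=C:\\Windows\\System32\\mmc.exe|ParentImage=C:\\Windows\\System32\\eventvwr.exe",
    "EventID=1|Image=C:\\Users\\bob\\AppData\\Local\\Temp\\payload.exe|ParentImage=C:\\Windows\\System32\\eventvwr.exe",
    "EventID=13|Image=C:\\Windows\\System32\\svchost.exe"
    "|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "|Details=C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-separated line into a field dict; values may contain '=' but not '|'."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def detect(lines: Iterable[str]) -> List[str]:
    """Return one alert string per event matching either half of the bypass pattern."""
    alerts: List[str] = []
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        if event_id == "13" and MSCFILE_HANDLER.search(ev.get("TargetObject", "")):
            # Stage 1: a process plants a command under the per-user mscfile handler.
            alerts.append(f"mscfile handler hijack by {ev.get('Image')}: {ev.get('Details')}")
        elif (event_id == "1" and EVENTVWR.search(ev.get("ParentImage", ""))
              and not MMC.search(ev.get("Image", ""))):
            # Stage 2: auto-elevated eventvwr.exe spawns something other than mmc.exe.
            alerts.append(f"eventvwr.exe spawned unexpected child {ev.get('Image')}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run against the constructed events, the registry write by dropper.exe and the payload.exe child of eventvwr.exe are flagged, while the legitimate mmc.exe child and the unrelated Run-key write are not. In production the two signals would be correlated in a short time window rather than alerted on separately, and the registry rule should also fire on the mere creation of HKCU\Software\Classes\mscfile, since legitimate software rarely registers a per-user handler for .msc files.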
Groups That Use This Software
ID | Name | References |
---|---|---|
G0062 | TA459 | [1] |