Skip to content

S0230 ZeroT

ZeroT is a Trojan used by TA459, often in conjunction with PlugX. 1 2

Item Value
ID S0230
Associated Names
Version 1.1
Created 18 April 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.2
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols ZeroT has used HTTP for C2.12
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service ZeroT can add a new service to ensure PlugX persists on the system when delivered as another payload onto the system.2
enterprise T1001 Data Obfuscation -
enterprise T1001.002 Steganography ZeroT has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography.12
enterprise T1140 Deobfuscate/Decode Files or Information ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography ZeroT has used RC4 to encrypt C2 traffic.12
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading ZeroT has used DLL side-loading to load malicious payloads.12
enterprise T1105 Ingress Tool Transfer ZeroT can download additional payloads onto the victim.2
enterprise T1027 Obfuscated Files or Information ZeroT has encrypted its payload with RC4.2
enterprise T1027.001 Binary Padding ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.2
enterprise T1027.002 Software Packing Some ZeroT DLL files have been packed with UPX.2
enterprise T1082 System Information Discovery ZeroT gathers the victim’s computer name, Windows version, and system language, and then sends it to its C2 server.2
enterprise T1016 System Network Configuration Discovery ZeroT gathers the victim’s IP address and domain information, and then sends it to its C2 server.2

Groups That Use This Software

ID Name References
G0062 TA459 1


Back to top