S0412 ZxShell
ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[2][1]
| Item | Value |
|---|---|
| ID | S0412 |
| Associated Names | Sensocode |
| Type | MALWARE |
| Version | 1.2 |
| Created | 24 September 2019 |
| Last Modified | 23 March 2023 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Sensocode | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.002 | Create Process with Token | ZxShell has a command called RunAs, which creates a new process as another user or process context.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ZxShell has used HTTP for C2 connections.[1] |
| enterprise | T1071.002 | File Transfer Protocols | ZxShell has used FTP for C2 connections.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | ZxShell can launch a reverse command shell.[2][1][3] |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | ZxShell has a feature to create local user accounts.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | ZxShell can create a new service using the service parser function ProcessScCommand.[1] |
| enterprise | T1005 | Data from Local System | ZxShell can transfer files from a compromised host.[1] |
| enterprise | T1499 | Endpoint Denial of Service | ZxShell has a feature to perform a SYN flood attack on a host.[2][1] |
| enterprise | T1190 | Exploit Public-Facing Application | ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322.[1] |
| enterprise | T1083 | File and Directory Discovery | ZxShell has a command to open a file manager and explorer on the system.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | ZxShell can kill AV products’ processes.[1] |
| enterprise | T1562.004 | Disable or Modify System Firewall | ZxShell can disable the firewall by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | ZxShell has a command to clear system event logs.[1] |
| enterprise | T1070.004 | File Deletion | ZxShell can delete files from the system.[2][1] |
| enterprise | T1105 | Ingress Tool Transfer | ZxShell has a command to transfer files from a remote host.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | ZxShell has a feature to capture a remote computer’s keystrokes using a keylogger.[2][1] |
| enterprise | T1056.004 | Credential API Hooking | ZxShell hooks several API functions to spawn system threads.[1] |
| enterprise | T1112 | Modify Registry | ZxShell can create Registry entries to enable services to run.[1] |
| enterprise | T1106 | Native API | ZxShell can leverage native API including RegisterServiceCtrlHandler to register a service. |
| enterprise | T1046 | Network Service Discovery | ZxShell can launch port scans.[2][1] |
| enterprise | T1571 | Non-Standard Port | ZxShell can use ports 1985 and 1986 in HTTP/S communication.[1] |
| enterprise | T1057 | Process Discovery | ZxShell has a command, ps, to obtain a listing of processes on the system.[1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | ZxShell is injected into a shared SVCHOST process.[1] |
| enterprise | T1090 | Proxy | ZxShell can set up an HTTP or SOCKS proxy.[2][1] |
| enterprise | T1012 | Query Registry | ZxShell can query the netsvc group value data located in the svchost group Registry key.[1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | ZxShell has remote desktop functionality.[1] |
| enterprise | T1021.005 | VNC | ZxShell supports functionality for VNC sessions.[1] |
| enterprise | T1113 | Screen Capture | ZxShell can capture screenshots.[2] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | ZxShell has used rundll32.exe to execute other DLLs and named pipes.[1] |
| enterprise | T1082 | System Information Discovery | ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.[1] |
| enterprise | T1033 | System Owner/User Discovery | ZxShell can collect the owner and organization information from the target workstation.[1] |
| enterprise | T1007 | System Service Discovery | ZxShell can check the services on the system.[1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | ZxShell can create a new service for execution.[1] |
| enterprise | T1125 | Video Capture | ZxShell has a command to perform video device spying.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0096 | APT41 | [2] |
| G0001 | Axiom | [1][4] |
| G0027 | Threat Group-3390 | [3] |
References
1. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
2. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
3. Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.
4. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.