
S1013 ZxxZ

ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.1

Item Value
ID S1013
Version 1.0
Created 02 June 2022
Last Modified 02 June 2022

Techniques Used

Domain ID Name Use
enterprise T1005 Data from Local System ZxxZ can collect data from a compromised host.1
enterprise T1140 Deobfuscate/Decode Files or Information ZxxZ has used an XOR key to decrypt strings.1
enterprise T1105 Ingress Tool Transfer ZxxZ can download and execute additional files.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service ZxxZ has been disguised as a Windows security update service.1
enterprise T1106 Native API ZxxZ has used API functions such as Process32First, Process32Next, and ShellExecuteA.1
enterprise T1027 Obfuscated Files or Information ZxxZ has been encoded to avoid detection by static analysis tools.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment ZxxZ has been distributed via spearphishing emails, usually containing a malicious RTF or Excel attachment.1
enterprise T1057 Process Discovery ZxxZ has created a snapshot of running processes using CreateToolhelp32Snapshot.1
enterprise T1012 Query Registry ZxxZ can search the registry of a compromised host.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task ZxxZ has used scheduled tasks for persistence and execution.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery ZxxZ can search a compromised host to determine if it is running Windows Defender or Kaspersky antivirus.1
enterprise T1082 System Information Discovery ZxxZ has collected the host name and operating system product name from a compromised machine.1
enterprise T1033 System Owner/User Discovery ZxxZ can collect the username from a compromised host.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File ZxxZ has relied on victims to open a malicious attachment delivered via email.1
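
The T1027 and T1140 rows above record that ZxxZ keeps its strings XOR-encoded and decodes them at run time. The Python below is an added analyst-side example, not code from the ATT&CK page or from the ZxxZ sample: it brute-forces a single-byte XOR key over a blob of NUL-terminated strings by scoring how printable each candidate decryption is, then splits the winner back into strings. The page does not give ZxxZ's key length or value, so the single-byte assumption is mine; the sample blob, its key 0x5A and the four embedded strings are constructed for this illustration.

```python
"""
Added example, not code from the ATT&CK page or from the ZxxZ sample:
recovering single-byte XOR-obfuscated strings (T1027 / T1140).

The blob below is constructed: four NUL-terminated ASCII strings XORed
with the key byte 0x5A, which the recovery routine pretends not to know.
"""
import string

# Bytes we accept in a plausible decrypted C string: printable ASCII plus NUL.
GOOD_BYTES = set(string.printable.encode("ascii")) | {0}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the key may be one or more bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(candidate: bytes) -> float:
    """Fraction of bytes that look like text. Real strings score ~1.0; a wrong
    key turns a good share of bytes into control characters or high ASCII."""
    if not candidate:
        return 0.0
    return sum(1 for b in candidate if b in GOOD_BYTES) / len(candidate)


def recover_single_byte_key(blob: bytes, min_ratio: float = 0.95) -> list[tuple[int, float]]:
    """Try every single-byte key and return (key, ratio) pairs, best first,
    for keys whose output clears min_ratio. A multi-byte key needs a
    per-position version of this search, which is not shown here."""
    scored = []
    for k in range(256):
        ratio = printable_ratio(xor_bytes(blob, bytes([k])))
        if ratio >= min_ratio:
            scored.append((k, ratio))
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored


def split_c_strings(data: bytes) -> list[str]:
    """Split a decrypted blob on NUL terminators into its individual strings."""
    return [chunk.decode("ascii", errors="replace") for chunk in data.split(b"\x00") if chunk]


def recover_strings(blob: bytes) -> tuple[int, list[str]]:
    """Pick the best-scoring single-byte key and return it with the decoded strings."""
    candidates = recover_single_byte_key(blob)
    if not candidates:
        raise ValueError("no single-byte key yields mostly printable output")
    key = candidates[0][0]
    return key, split_c_strings(xor_bytes(blob, bytes([key])))


# Constructed sample (not taken from the malware): the sort of strings a
# loader that checks for Defender/Kaspersky processes and persists through
# schtasks might embed, XORed with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_STRINGS = [b"MsMpEng.exe", b"avp.exe", b"ShellExecuteA", b"schtasks /create"]
SAMPLE_BLOB = xor_bytes(b"\x00".join(SAMPLE_STRINGS) + b"\x00", bytes([SAMPLE_KEY]))


if __name__ == "__main__":
    key, strings = recover_strings(SAMPLE_BLOB)
    print(f"key=0x{key:02x}")
    for s in strings:
        print("  ", s)
```

The printability score works because C strings are almost entirely printable and every wrong key maps at least the NUL terminators (and usually the punctuation) into control characters; the threshold keeps a few near misses as lower-ranked candidates so an analyst can eyeball them when the true key does not score a clean 1.0.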
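
The T1036.004 and T1053.005 rows say ZxxZ persisted through a scheduled task dressed up as a Windows security update service. The page does not record the task name or the binary it launched, so the detection below is an added example (not from the ATT&CK page or from any ZxxZ report) that generalizes the pattern: it parses the TaskContent XML carried by Windows Security event 4698 (a scheduled task was created) and flags tasks whose name invokes Windows, Microsoft, Defender or security updates but whose action runs from outside C:\Windows or Program Files, or passes a user-writable path in its arguments. The four events are constructed, and the lure-name pattern, trusted-directory list and user-writable-path pattern are my assumptions to tune.

```python
"""
Added detection example, not from the ATT&CK page or any ZxxZ report:
hunting scheduled tasks that borrow Windows-update or security-update
naming (T1036.004) for persistence (T1053.005) but run a payload from
outside the Windows or Program Files directories.

Input is modelled on Security event 4698 ("A scheduled task was created"),
which carries the task name and the task's XML definition. The events
below are constructed; the name pattern, trusted directories and
user-writable-path pattern are assumptions to tune for your estate.
"""
import re
import xml.etree.ElementTree as ET

# Names that read like a Windows/Microsoft/Defender security update or service.
# Legitimate tasks of this kind exist under \Microsoft\Windows, so the name
# alone is never the verdict; the action path is.
LURE_NAME = re.compile(r"(?=.*(windows|microsoft|defender|security))(?=.*(update|service))", re.I)

# Locations a user-level dropper can write without elevation.
USER_WRITABLE = re.compile(
    r"(\\users\\|\\programdata\\|\\temp\\|%appdata%|%localappdata%|%temp%|%public%|%userprofile%)", re.I)

ENV_PREFIXES = {
    "%systemroot%": "C:\\Windows",
    "%windir%": "C:\\Windows",
    "%programfiles%": "C:\\Program Files",
    "%programfiles(x86)%": "C:\\Program Files (x86)",
}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def normalize_path(command: str) -> str:
    """Strip quotes and expand the environment variables task XML commonly uses."""
    path = command.strip().strip('"')
    lower = path.lower()
    for var, value in ENV_PREFIXES.items():
        if lower.startswith(var):
            return value + path[len(var):]
    return path


def is_trusted_location(command: str) -> bool:
    """True when the action binary lives under Windows or Program Files."""
    return normalize_path(command).lower().startswith(TRUSTED_PREFIXES)


def _local_name(tag: str) -> str:
    """Drop the task-schema namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def exec_actions(task_xml: str) -> list[tuple[str, str]]:
    """Return (Command, Arguments) for every <Exec> action in a task definition."""
    actions = []
    for element in ET.fromstring(task_xml).iter():
        if _local_name(element.tag) != "Exec":
            continue
        fields = {_local_name(child.tag): (child.text or "").strip() for child in element}
        actions.append((fields.get("Command", ""), fields.get("Arguments", "")))
    return actions


def analyze_task_events(events: list[dict]) -> list[dict]:
    """Flag 4698-style events whose task name masquerades as a Windows/security
    update but whose action is an untrusted binary or launches a payload from
    a user-writable path."""
    findings = []
    for event in events:
        name = event["TaskName"]
        if not LURE_NAME.search(name):
            continue
        for command, arguments in exec_actions(event["TaskContent"]):
            reasons = []
            if not is_trusted_location(command):
                reasons.append(f"action binary outside trusted directories: {command}")
            if USER_WRITABLE.search(arguments):
                reasons.append(f"arguments reference a user-writable path: {arguments}")
            if reasons:
                findings.append({"task": name, "subject": event["SubjectUserName"], "reasons": reasons})
    return findings


def _task_xml(command: str, arguments: str) -> str:
    """Minimal task definition in the real Task Scheduler schema namespace."""
    return (f'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')


# Constructed events (not real telemetry). The first is the shape of the
# genuine Windows Update task; the next two are lures; the last has "Update"
# in its name but nothing tying it to Windows or security.
SAMPLE_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start", "SubjectUserName": "SYSTEM",
     "TaskContent": _task_xml(r"%systemroot%\system32\sc.exe", "start wuauserv")},
    {"TaskName": r"\Windows Security Update Service", "SubjectUserName": "user01",
     "TaskContent": _task_xml(r"C:\Users\Public\Libraries\wsus.exe", "")},
    {"TaskName": r"\WindowsSecurityUpdate", "SubjectUserName": "user01",
     "TaskContent": _task_xml(r"C:\Windows\System32\cmd.exe", r"/c %APPDATA%\Microsoft\upd.exe")},
    {"TaskName": r"\Adobe Acrobat Update Task", "SubjectUserName": "SYSTEM",
     "TaskContent": _task_xml(r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe", "")},
]

if __name__ == "__main__":
    for finding in analyze_task_events(SAMPLE_EVENTS):
        print(finding["task"], "created by", finding["subject"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The third event is why the arguments are inspected as well as the command: a task that launches cmd.exe from System32 passes the trusted-path check, so the user-writable path has to be caught in what cmd.exe is told to run. Event 4698 must be enabled through the Object Access > Audit Other Object Access Events policy before any of this has data to work with.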

Groups That Use This Software

ID Name References
G1002 BITTER 1