A cyber group attributed to Chinese APT activity has used the downloader ZeroT  since February 2016, as reported by Proofpoint in 2017.

The first wave of the 2017 campaigns started in February. Targets were entities related to military and aerospace interests in Russia and Belarus. However, in April, the campaign switched targets, including analysts at top Russian financial firms and firms in neighboring countries.

The attacks have two primary vectors. First, a spear phishing campaign that, upon success, installed ZeroT into the targeted system. Later campaigns used spear phishing emails including a Microsoft Word attachment. This attachment exploited the CVE-2017-0199 vulnerability.

CVE-2017-0199 allows a bad actor to download and execute a VisualBasic Script, containing PowerShell commands. These commands fire when the user opens a document containing the embedded exploit. PowerShell then downloads an HTML Application File (HTA). The HTA file then executes a VB Script which downloads and runs a script to then download ZeroT.

In both scenarios, the end goal is not infection with ZeroT, but rather with PlugX Remote Access Trojan (RAT). Upon infestation, PlugX grants network access to cyber criminals. These criminals can use the software, along with a bevy of modules, to scan for banking information. The modules, detailed by LastLine, allow PlugX to scan for sensitive file contents, take screenshots, look for shared network resources, connect with SQL databases, and log keystrokes on infected machines. This data is then exfiltrated to a C&C controlled by the cyber group. 

Enabling TSCritical targets in policies for ThreatSTOP DNS and IP Defense Services protect against ZeroT and PlugX. If you do not have a ThreatSTOP account, Sign up for a free trial.

If you do have a ThreatSTOP account, instructions to add targets to a DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub. Or contact our Support team.