Adversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group named Yet Another Panda as part of our role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.

The FortiGuard SE Group has come across a recent spearphishing email campaign containing the Zegost (also known as Zusy/Kris) info stealer malware.

While this latest campaign is not especially interesting or new in itself, the targeted victim is: a governmental entity in China that collects statistics on the nation's economy, population, and various other metrics for record keeping. And interestingly, Zegost has historically been attributed to Chinese cybercriminals, a fact that has been documented in various global campaigns.

While we do not have any insight into why the attackers behind Zegost decided to focus their campaign on a Chinese government agency, based on past behavior we can at the very least assume that it was to gather intelligence of some kind, in keeping with the information-stealing nature of the malware.

Zegost has been around since approximately 2011. Since that time there have been many iterations of Zegost, and the numerous updates to its functionality have been well documented.

In addition, the threat actors behind Zegost have been known to be especially persistent and crafty, utilizing an arsenal of exploits to ensure they establish and maintain a connection to identified victims. One example of this craftiness is their ability to leverage multiple exploits, most notably the leak of documented exploits used by The Hacking Team, an Italian for-profit offensive security company that provided tools for use by law enforcement and government agencies, in 2015.

Another example of the craftiness of the attackers behind Zegost is a novel attack technique used against Microsoft PowerPoint: once an infected PowerPoint file is opened, a "Loading... Please wait" hypertext message appears. If a user hovers their mouse over those words, it triggers an infection chain that delivers the Zegost malware payload through PowerShell.

In this latest attack, Zegost begins as a simple email with an attachment. The email text roughly translates to "Please download the web video plugin to watch."

The main purpose of Zegost is to steal and exfiltrate information. Here is a list of its data collection processes and functions.

It starts by identifying the targeted machine's OS version number and the number and speed of its processors.

It then checks to see if any of the following processes are running and sends the list out to the C2 server: 360tray.exe, 360sd.exe, avp.exe, KvMonXP.exe, RavMonD.exe, Mcshield.exe, egui.exe, NOD32, kxetray.exe, avcenter.exe, ashDisp.exe, rtvscan.exe, ksafe.exe, QQPCRTP.exe, K7TSecurity.exe, QQ.exe, QQ, knsdtray.exe, TMBMSRV.exe, Miner.exe, AYAgent.exe, patray.exe, V3Svc.exe, QUHLPSVC.EXE, QUICK HEAL, mssecess.exe, S.exe, 1433.exe, DUB.exe, ServUDaemon.exe, BaiduSdSvc.exe, vmtoolsd.exe, usysdiag.exe.

NOTE: The process name 'mssecess.exe' may actually be a typo on the part of the malware developers, since the Microsoft Security Essentials process is spelled 'msseces.exe'.

Connection State – Zegost checks which of the following connection states apply and then sends the list out to the C2 server: INTERNET_CONNECTION_MODEM, INTERNET_CONNECTION_LAN, INTERNET_CONNECTION_PROXY, INTERNET_CONNECTION_MODEM_BUSY.

RDP port number – Zegost collects this information and then sends it out to the C2 server.
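From the defender's side, the two string sets the write-up lists (the security-product process names Zegost enumerates and the WinINet connection-state constant names it reports) make a cheap static triage signal. The script below is an added example written for this edit, not FortiGuard's tooling or Zegost code: it searches a file image for those strings in both ASCII and UTF-16LE, treats the misspelled 'mssecess.exe' as the most distinctive of them (a legitimate binary has little reason to carry that typo), and returns a verdict. The sample buffer is constructed here, and the hit thresholds and the set of "generic" tokens that get no weight are this example's own assumptions.

```python
"""
Static triage helper (added example, not FortiGuard's code).

Searches a byte buffer for the strings named in the Zegost write-up and
classifies the result. Matching is case-insensitive and covers both ASCII
and UTF-16LE encodings, since Windows binaries carry strings in either form.
"""

# Process names the write-up says Zegost looks for and reports to its C2.
ZEGOST_PROCESS_LIST = [
    "360tray.exe", "360sd.exe", "avp.exe", "KvMonXP.exe", "RavMonD.exe",
    "Mcshield.exe", "egui.exe", "NOD32", "kxetray.exe", "avcenter.exe",
    "ashDisp.exe", "rtvscan.exe", "ksafe.exe", "QQPCRTP.exe", "K7TSecurity.exe",
    "QQ.exe", "QQ", "knsdtray.exe", "TMBMSRV.exe", "Miner.exe", "AYAgent.exe",
    "patray.exe", "V3Svc.exe", "QUHLPSVC.EXE", "QUICK HEAL", "mssecess.exe",
    "S.exe", "1433.exe", "DUB.exe", "ServUDaemon.exe", "BaiduSdSvc.exe",
    "vmtoolsd.exe", "usysdiag.exe",
]

# WinINet connection-state flag names the write-up says Zegost reports.
CONNECTION_FLAG_NAMES = [
    "INTERNET_CONNECTION_MODEM", "INTERNET_CONNECTION_LAN",
    "INTERNET_CONNECTION_PROXY", "INTERNET_CONNECTION_MODEM_BUSY",
]

# The misspelled Microsoft Security Essentials name is the most distinctive string.
DISTINCTIVE = {"mssecess.exe"}

# Short or common tokens that also appear in benign files (assumption: given no weight).
GENERIC = {"QQ", "NOD32", "S.exe", "QUICK HEAL"}


def find_indicators(data: bytes) -> dict:
    """Return {indicator: [encodings found]} for every listed string present.

    bytes.lower() only folds ASCII letters, so it also works on UTF-16LE text,
    whose high bytes are 0x00 for ASCII characters.
    """
    lowered = data.lower()
    hits = {}
    for name in ZEGOST_PROCESS_LIST + CONNECTION_FLAG_NAMES:
        low = name.lower()
        patterns = (("ascii", low.encode("ascii")),
                    ("utf-16le", low.encode("utf-16-le")))
        found = [enc for enc, pat in patterns if pat in lowered]
        if found:
            hits[name] = found
    return hits


def triage(data: bytes) -> dict:
    """Classify a buffer from the indicators found in it (thresholds are assumptions)."""
    hits = find_indicators(data)
    processes = sorted(h for h in hits if h in ZEGOST_PROCESS_LIST and h not in GENERIC)
    flags = sorted(h for h in hits if h in CONNECTION_FLAG_NAMES)
    distinctive = sorted(h for h in hits if h in DISTINCTIVE)
    if distinctive and len(processes) >= 5:
        verdict = "strong"          # the typo plus a cluster of AV names
    elif len(processes) >= 5 or (processes and flags):
        verdict = "suspicious"      # AV enumeration, or AV names next to WinINet flags
    elif hits:
        verdict = "weak"            # one or two strings with many benign explanations
    else:
        verdict = "no-match"
    return {"verdict": verdict, "processes": processes, "flags": flags,
            "distinctive": distinctive, "hits": hits}


def build_sample_buffer() -> bytes:
    """Constructed stand-in for a dropped binary: listed strings among filler,
    some as ASCII C strings and some as UTF-16LE."""
    ascii_part = (b"MZ\x90\x00" + b"\x00" * 16
                  + b"360tray.exe\x00avp.exe\x00mssecess.exe\x00"
                  + b"egui.exe\x00KvMonXP.exe\x00INTERNET_CONNECTION_LAN\x00")
    wide_part = "vmtoolsd.exe\0INTERNET_CONNECTION_PROXY\0".encode("utf-16-le")
    return ascii_part + b"\xcc" * 32 + wide_part + b"\x00" * 8


if __name__ == "__main__":
    result = triage(build_sample_buffer())
    print(result["verdict"], result["processes"], result["flags"], result["distinctive"])
```

Against real samples, run `triage()` over each file's bytes and escalate "strong" and "suspicious" results for dynamic analysis; the string lists are taken verbatim from the write-up, so the script should be extended as newer Zegost builds change the set they enumerate.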