ZeroT
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
ZeroT can add a new service to ensure PlugX persists on the system when delivered as another payload onto the system.[2] |
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography | |
| Enterprise | T1574 | .002 | 劫持执行流: DLL Side-Loading |
ZeroT has used DLL side-loading to load malicious payloads.[1][2] |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.[2] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| Enterprise | T1001 | .002 | 数据混淆: Steganography |
ZeroT has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography.[1][2] |
| Enterprise | T1027 | .001 | 混淆文件或信息: Binary Padding |
ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.[2] |
| .002 | 混淆文件或信息: Software Packing | |||
| .013 | 混淆文件或信息: Encrypted/Encoded File | |||
| Enterprise | T1548 | .002 | 滥用权限提升控制机制: Bypass User Account Control |
Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.[2] |
| Enterprise | T1082 | 系统信息发现 |
ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.[2] |
|
| Enterprise | T1016 | 系统网络配置发现 |
ZeroT gathers the victim's IP address and domain information, and then sends it to its C2 server.[2] |
|
| Enterprise | T1105 | 输入工具传输 | ||