1. Home
  2. Software
  3. ZxxZ

ZxxZ

ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.[1]

ID: S1013
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 02 June 2022
Last Modified: 10 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 从本地系统获取数据

ZxxZ can collect data from a compromised host.[1]
Enterprise T1036 .004 伪装: Masquerade Task or Service

ZxxZ has been disguised as a Windows security update service.[1]
Enterprise T1140 反混淆/解码文件或信息

ZxxZ has used a XOR key to decrypt strings.[1]
Enterprise T1106 本机API

ZxxZ has used API functions such as Process32First, Process32Next, and ShellExecuteA.[1]
Enterprise T1012 查询注册表

ZxxZ can search the registry of a compromised host.[1]
Enterprise T1027 .013 混淆文件或信息: Encrypted/Encoded File

ZxxZ has been encoded to avoid detection from static analysis tools.[1]
Enterprise T1204 .002 用户执行: Malicious File

ZxxZ has relied on victims to open a malicious attachment delivered via email.[1]
Enterprise T1082 系统信息发现

ZxxZ has collected the host name and operating system product name from a compromised machine.[1]

Enterprise T1033 系统所有者/用户发现

ZxxZ can collect the username from a compromised host.[1]
Enterprise T1518 .001 软件发现: Security Software Discovery

ZxxZ can search a compromised host to determine if it is running Windows Defender or Kasperky antivirus.[1]
Enterprise T1105 输入工具传输

ZxxZ can download and execute additional files.[1]
Enterprise T1057 进程发现

ZxxZ has created a snapshot of running processes using CreateToolhelp32Snapshot.[1]
Enterprise T1566 .001 钓鱼: Spearphishing Attachment

ZxxZ has been distributed via spearphishing emails, usually containing a malicious RTF or Excel attachment.[1]
Enterprise T1053 .005 预定任务/作业: Scheduled Task

ZxxZ has used scheduled tasks for persistence and execution.[1]

Groups That Use This Software

ID Name References
G1002 BITTER

[1]

References

  1. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.