
ZxxZ Trojan

The ZxxZ Trojan is a previously unknown malware threat that is being deployed as part of the harmful operations attributed to the Bitter APT (Advanced Persistent Threat) group. Details about the threat itself, as well as the attack campaign, were revealed to the public in a report by the researchers at Cisco Talos. The primary target of the ZxxZ Trojan is the government of Bangladesh, and the likely goal is cyberespionage and data theft.

The threat is delivered to the breached devices as a 32-bit Windows executable file. It is capable of fetching and then executing additional corrupted modules. These components are dropped on the infected machines as files with generic names such as 'ntfsc.exe,' 'Update.exe,' etc. The modules are stored in the local application data folder and executed under the guise of a Windows security update.

The ZxxZ Trojan is equipped with several anti-detection features, including obfuscated strings and the ability to search for and kill the processes of Windows Defender and other anti-malware solutions. Afterward, the threat activates an information-collecting function. The acquired data is stored in a memory buffer before being exfiltrated to the Command-and-Control (C2) servers of the operation. The response from the C2 server is a portable executable dropped into the '%LOCALAPPDATA%\Debug\' location. If an error occurs during the delivery of this executable, ZxxZ retries the process exactly 225 times before stopping and exiting.
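As an added illustration, not code from the Talos report or from this entry, the following Python routine turns the host behaviours described above (a PE written under '%LOCALAPPDATA%\Debug\', generically named modules run from the local application data folder, and attempts to kill Windows Defender) into triage rules and runs them over constructed Sysmon-style events. The event shape and the use of MsMpEng.exe (Defender's antimalware service executable) are assumptions, since the entry names the product but not the process.

```python
import re

# Constructed events in a Sysmon-like shape (sample data, not from the report).
# Each record: event type, the image that acted, and either the file written
# or the command line that was launched.
EVENTS = [
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\ntfsc.exe",
     "target": r"C:\Users\alice\AppData\Local\Debug\update_svc.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Update.exe",
     "cmdline": "Update.exe"},
    {"type": "process_create", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\report.docx"},
]

# Behaviours described in this entry, expressed as matchers.
DEBUG_DROP = re.compile(r"\\AppData\\Local\\Debug\\[^\\]+\.exe$", re.IGNORECASE)
LOCALAPPDATA_EXE = re.compile(r"\\AppData\\Local\\[^\\]+\.exe$", re.IGNORECASE)
# Generic module names reported for the dropped components (lower-cased).
SUSPECT_NAMES = {"ntfsc.exe", "update.exe"}
# Assumption: MsMpEng.exe is the Defender service process the report's
# "kill Windows Defender" behaviour would have to target.
AV_KILL = re.compile(r"taskkill\b.*\bMsMpEng\.exe\b", re.IGNORECASE)

def classify(event):
    """Return the rule names an event triggers (empty list if nothing fires)."""
    hits = []
    if event["type"] == "file_create" and DEBUG_DROP.search(event["target"]):
        hits.append("pe_dropped_in_localappdata_debug")
    if event["type"] == "process_create":
        image = event["image"]
        name = image.rsplit("\\", 1)[-1].lower()
        if LOCALAPPDATA_EXE.search(image) and name in SUSPECT_NAMES:
            hits.append("generic_module_run_from_localappdata")
        if AV_KILL.search(event.get("cmdline", "")):
            hits.append("defender_process_kill")
    return hits

def triage(events):
    """Map each event index to the rules it triggers; silent events are skipped."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

if __name__ == "__main__":
    for idx, rules in triage(EVENTS).items():
        print(idx, EVENTS[idx]["image"], rules)
```

Any one rule alone is noisy on a real fleet; the value is in the same host tripping the drop, the launch and the Defender kill within a short window.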

It should be noted that the researchers found two infection chains; both versions begin with a spear-phishing email. These lure messages are sent from spoofed email addresses to pass as legitimate correspondence coming from Pakistani government organizations. However, the weaponized file attachments differ. In one case, the lure emails carried an .RTF file that exploits the CVE-2017-11882 vulnerability to compromise machines running vulnerable Microsoft Office versions. The other variation of the attack chain uses an .XLSX document instead. This time, the attackers take advantage of the CVE-2018-0798 and CVE-2018-0802 vulnerabilities to trigger remote code execution in outdated Microsoft Office instances.
