ZeroT

Malware updated 4 months ago (2024-05-04T18:14:13.424Z)
ZeroT is malware first observed in 2016 that is used to compromise and control victim systems. It initially reached victims through Trojanized Word documents attached to e-mails. One notable instance involved the CHM file 20160621.chm, which dropped the first known ZeroT sample. During the second half of 2016, numerous RAR archives and RAR SFX (self-extracting executable) files carrying ZeroT were identified; these often included a file named Go.exe that can perform a Windows UAC bypass.

In June 2016, investigators observed the attackers using a new type of dropper to deliver ZeroT. The malware's initial beacon changed from index.php to index.txt, but it continued to expect an RC4-encrypted response using a static key. The encrypted ZeroT payload, named Mctl.mui, was decoded in memory and showed a tampered PE header and slightly modified code compared with previously analyzed payloads. This payload was typically delivered by a PowerShell script that downloaded and ran the ZeroT payload cgi.exe.

Notably, a recent ZeroT sample downloaded a much smaller BMP payload instead. Analysis showed that, starting at offset 10 of the assembled bitmap, ZeroT reads 32 bytes and takes one least-significant bit (LSB) from each to assemble a 32-bit value giving the size of the embedded stage-2 payload. This final step of ZeroT's C&C protocol retrieves any stage-2 payloads. The executable used for this process was obfuscated with the same technique reused in the sideloaded DLL and the ZeroT payload. Another notable ZeroT sample contained the executable 0228.exe and a decoy document 0228.doc in its RAR SFX archive.
Description last updated: 2024-04-20T23:16:58.831Z
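As an added triage example (not code from this page, Proofpoint or ESET), the following Python helper reads the 1-bit-LSB size field that the description places at offset 10 of the downloaded BMP and then pulls out the stage-2 bytes that follow it, refusing images whose size field claims more data than the file holds. The MSB-first bit order, the stage-2 bits starting immediately after the 32-byte size field, and the fixture builder used for testing are assumptions; the page does not specify them.

```python
SIZE_OFFSET = 10        # per the description: size field starts at offset 10
SIZE_FIELD_LEN = 32     # 32 carrier bytes, one LSB each -> one 32-bit value
PAYLOAD_OFFSET = SIZE_OFFSET + SIZE_FIELD_LEN  # assumption: payload bits follow the size field


def lsb_to_int(carrier: bytes) -> int:
    """Assemble the LSB of each carrier byte into an integer, first byte = MSB (assumed order)."""
    value = 0
    for b in carrier:
        value = (value << 1) | (b & 1)
    return value


def read_stage2_size(bmp: bytes) -> int:
    """Return the 32-bit stage-2 size hidden in the LSBs of bytes 10..41."""
    field = bmp[SIZE_OFFSET:SIZE_OFFSET + SIZE_FIELD_LEN]
    if len(field) != SIZE_FIELD_LEN:
        raise ValueError("image too short to hold the size field")
    return lsb_to_int(field)


def stage2_fits(bmp: bytes) -> bool:
    """Sanity check: does the image hold as many carrier bytes as the size field claims?"""
    try:
        return len(bmp) - PAYLOAD_OFFSET >= read_stage2_size(bmp) * 8
    except ValueError:
        return False


def extract_stage2(bmp: bytes) -> bytes:
    """Recover the stage-2 bytes: eight carrier bytes (one LSB each) per payload byte."""
    if not stage2_fits(bmp):
        raise ValueError("size field claims more data than the image holds")
    needed = read_stage2_size(bmp) * 8
    carrier = bmp[PAYLOAD_OFFSET:PAYLOAD_OFFSET + needed]
    return bytes(lsb_to_int(carrier[i:i + 8]) for i in range(0, needed, 8))


def build_fixture(payload: bytes, cover_len: int = 512) -> bytes:
    """Constructed test carrier (not a real bitmap): 'BM' plus pseudo-pixel filler,
    with the size field and payload bits written into the LSBs from offset 10."""
    cover = bytearray(b"BM" + bytes((i * 37) & 0xFF for i in range(cover_len - 2)))
    size_bits = [(len(payload) >> (31 - i)) & 1 for i in range(32)]
    data_bits = [(byte >> (7 - j)) & 1 for byte in payload for j in range(8)]
    for i, bit in enumerate(size_bits + data_bits):
        cover[SIZE_OFFSET + i] = (cover[SIZE_OFFSET + i] & 0xFE) | bit
    return bytes(cover)
```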
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Trojan
Source Document References

Information about the ZeroT malware was read from the documents below (display limited to 20 results).

- ESET (5 months ago): Malware hiding in pictures? More likely than you think
- MITRE (2 years ago): APT Targets Financial Analysts with CVE-2017-0199 | Proofpoint US
- MITRE (2 years ago): Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX | Proofpoint US