The malware developed to steal the targeted victim’s information that resides in the compromised network with the ability to leverage multiple exploits. Researchers believe that the malware only focuses on the Chinese government network, but it was unclear why threat actors targeting only government agencies. Most of the exploits are often used by Italian offensive security company that was provided hacking tools to law enforcement and government agencies.

Zegost uncovered back to 2011 since then attackers updated with various new functionalities and added new persistence capabilities, exploits to maintain the access. Attackers behind the Zegost malware using weaponized Microsoft powerpoint document and infect the victims once they open the malicious document.

Researchers also observed that one of these updates includes the usage of COM programming. As with many of the other uncommon strategies it uses, COM usage in malware is also not typically seen.

Zegost Malware Infection Process

Initially, malicious targeting victims via spear-phishing emails with an attachment of malicious file and trick victims to open it.

Zegost includes that several functionalities designed to clear the Application, Security, and System event logs after the infection to fly under the radar to evade the detection.

The main purpose of Zegost is to steal and exfiltrate information. Here is a list of its data collection processes and functions.

  • It starts by identifying the targeted machine’s OS version number and the number and speed of processors.
  • It then checks to see if any of the following processes are running and sends the list out to the C2 server:

360tray.exe, 360sd.exe, avp.exe, KvMonXP.exe, RavMonD.exe, Mcshield.exe, egui.exe, NOD32, kxetray.exe, avcenter.exe, ashDisp.exe, rtvscan.exe, ksafe.exe, QQPCRTP.exe, K7TSecurity.exe, QQ.exe, QQ, knsdtray.exe, TMBMSRV.exe, Miner.exe, AYAgent.exe, patray.exe, V3Svc.exe, QUHLPSVC.EXE, QUICK HEAL, mssecess.exe, S.exe, 1433.exe, DUB.exe, ServUDaemon.exe, BaiduSdSvc.exe, vmtoolsd.exe, usysdiag.exe

  • Connection State – Zegost checks to see which of the following connections are running and then sends the list out to the C2 server:

INTERNET_CONNECTION_MODEM, INTERNET_CONNECTION_LAN, INTERNET_CONNECTION_PROXY, INTERNET_CONNECTION_MODEM_BUSY

  • RDP port number – Zegost collects this information and then sends it out to the C2 server
  • QQ login number – Zegost collects this information and then sends it out to the C2 server
  • Keystroke Recorder: This variant records keystrokes, saves a log of them to %CSIDL_SYSTEM%\MODIf.html in the following translated format, and then sends that information out to the C2 server:

[Title:] window title
[Time:] year-month-date hour:min: sec

[Content:] pressed keys including special keys like SHIFT, INSERT, F1-12 keys, etc.

All of the information collected above is sent to the following C2 servers:

  • hxxp://lu1164224557.oicp.net:45450
  • hxxp://212951jh19.iok.la:9988

According to Fortinet research, “Our observations for this latest run, however, reveal that multiple subdomains that act as the command and control are based on Dynamic DNS domains (DDNS), and are coming from other locations beyond China, such as Singapore, Taiwan, and the United States.”

For any Cyber Security information contact help@theweborion.com