Chinese state-sponsored hackers targets Russia and Belarus with ZeroT and PlugX

According to the firm ProofPoint, Chinese state-sponsored actors continues to spy on military and aerospace organizations in Russia and Belarus.

Chinese state-sponsored actors are spying on military and aerospace interests in Russia and Belarus. According to the experts from Proofpoint, the attacks began in the summer of 2016, the Chinese hackers launched a spear-phishing campaign leveraging a new downloader known as ZeroT in order to deliver the PlugX RAT.

Researchers explained that in the past the same threat actors conducted spear-phishing campaigns using Microsoft Word document attachments that were able to trigger the CVE-2012-0158, or containing malicious URLs pointing to .rar-compressed executable nasties.

The Proofpoint analysis revealed that Russian firms are among the targets of the group.

The Chinese hackers switched tactics for spying on Russian jet makers once completed the development of the ZeroT malware.

“Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus.” reads the analysis published by ProofPoint. “Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.”

This analysis of ZeroT malware revealed it used obfuscation techniques to avoid the detection, a significant number of samples analyzed by the expert contained the file named Go.exe which allows the Windows UAC bypass.

ZeroT communicates with the C&C server over HTTP, it also uses a fake User-Agent in all the requests.

“Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)”, with “Tzcdrnt” possibly being a typo of “Trident.” In all the samples we observed, ZeroT first beacons to index.php expecting an RC4-encrypted response using a static key: “(*^GF(9042&*”. continues the analysis

Chinese nation-state hackers tied the PLA already targeted in the past US and European firms in the aerospace industry.

Chinese hackers were behind the cyber espionage campaign on the Lockheed Martin F-35 Joint Strike Fighter that caused the arrest of a Chinese national.

On July 2016, US sentenced the Chinese hacker involved in the theft of industrial secrets on the F-22 and F-35 fighter jets, C-17 transport aircraft and F-35 aircraft.

Military experts know very well that many Russian and US jets were almost identical to the once developed by China.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Chinese state-sponsored hackers, cyber espionage)