Chinese state-sponsored hackers targets Russia and Belarus with ZeroT and PlugX

According to the firm ProofPoint, Chinese state-sponsored actors continues to spy on military and aerospace organizations in Russia and Belarus.

Chinese state-sponsored actors are spying on military and aerospace interests in Russia and Belarus. According to the experts from Proofpoint, the attacks began in the summer of 2016, the Chinese hackers launched a spear-phishing campaign leveraging a new downloader known as ZeroT in order to deliver the PlugX RAT.

Researchers explained that in the past the same threat actors conducted spear-phishing campaigns using Microsoft Word document attachments that were able to trigger the CVE-2012-0158, or containing malicious URLs pointing to .rar-compressed executable nasties.

The Proofpoint analysis revealed that Russian firms are among the targets of the group.

The Chinese hackers switched tactics for spying on Russian jet makers once completed the development of the ZeroT malware.

“Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus.” reads the analysis published by ProofPoint. “Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.”

This analysis of ZeroT malware revealed it used obfuscation techniques to avoid the detection, a significant number of samples analyzed by the expert contained the file named Go.exe which allows the Windows UAC bypass.

ZeroT communicates with the C&C server over HTTP, it also uses a fake User-Agent in all the requests.

“Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)”, with “Tzcdrnt” possibly being a typo of “Trident.” In all the samples we observed, ZeroT first beacons to index.php expecting an RC4-encrypted response using a static key: “(*^GF(9042&*”. continues the analysis

Chinese nation-state hackers tied the PLA already targeted in the past US and European firms in the aerospace industry.

Chinese hackers were behind the cyber espionage campaign on the Lockheed Martin F-35 Joint Strike Fighter that caused the arrest of a Chinese national.

On July 2016, US sentenced the Chinese hacker involved in the theft of industrial secrets on the F-22 and F-35 fighter jets, C-17 transport aircraft and F-35 aircraft.

Military experts know very well that many Russian and US jets were almost identical to the once developed by China.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Chinese state-sponsored hackers, cyber espionage)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.