ZeroT is a trojan used by a Chinese cyber-espionage group since at least mid-2016, targeting the military and aerospace sectors in Russia and Belarus. The group uses ZeroT as a downloader to install the PlugX remote access trojan (RAT). Initial access comes through spear-phishing emails carrying malicious Microsoft Word attachments. When the document is opened, Russian-language decoy text is displayed and a User Account Control (UAC) prompt appears, requesting permission to run an unknown application. If the victim allows the executable to run, ZeroT is installed and attempts to contact its command-and-control (C2) server to upload data collected from the victim's system. It then retrieves a PlugX variant using steganography: the payload is hidden inside an image of Britney Spears, so the download appears to be an ordinary picture rather than an executable.

Technical Analysis

  • Proofpoint provides technical analysis on the ZeroT trojan, available here.