Introduction

Zscaler ThreatLabZ has been closely monitoring the usage of Hacking Team's leaked exploits in the wild since July 2015 and recently uncovered the Emissary Panda APT attack leveraging these exploits.

In the past two months, we have spotted multiple instances of Zegost Backdoor Trojan installation attempts leveraging Hacking Team's Adobe Flash exploit (CVE-2015-5119) payload. These attacks do not appear to be targeted, but the payload involved in the infection cycle has some resemblance to recent APT payloads from HttpBrowser and the PlugX RAT family.

Attack Chain

The infection cycle starts with a legitimate Chinese real estate and shopping site which appears to have been compromised by the attackers and contains an injected script. The injected script causes a series of redirects leading to Hacking Team's exploit payload, as seen in Figure 1.

Figure 1: Compromised Chinese real estate & shopping site

The majority of users were led to the original compromised site following a Baidu search. The site is still infected, but the exploit server appears to be down at the time of writing this blog.

The attackers are abusing the Chinese URL shortening service t.cn to redirect victims to the attack server, and Baidu's URL shortening service dwz.cn to deliver the Adobe Flash exploit payload, as seen below:

The Flash exploit payload (CVE-2015-5119) involved here is from Hacking Team's leaked archive, with updated shellcode.

Figure 3: Hacking Team's Adobe Flash Exploit

Figure 4: Embedded shellcode to download & install Zegost

Upon successful exploitation, the embedded shellcode triggers the download and execution of the Zegost executable from a predetermined location.

Zegost Payload Iterations

During the course of our monitoring we observed the attackers switch the malware payload multiple times.

Payload Type #1 - APT RAT like Zegost Installer

The Zegost payload was being delivered as part of an installer archive, which is similar in structure to the APT RAT PlugX and HttpBrowser as detailed here.

Figure 5: APT RAT like Zegost installer archive

The downloaded installer was svhost.exe, which has the following file structure:
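As an added illustration of the attack chain described under Attack Chain above (example code written for this page, not code from the original post or from Zscaler), the following Python script correlates constructed proxy log lines into the stages the post describes: a hop through t.cn or dwz.cn, a Flash object fetched with the shortener as referer, and an executable downloaded by the same client shortly afterwards. The log format, client addresses, hostnames and paths are assumptions for the example; the only campaign-specific values used are the two shortener domains and the svhost.exe file name from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (timestamp client method url referer content-type); hosts/paths are placeholders.
SAMPLE_LOG = """\
2015-09-01T10:00:01 10.0.0.5 GET http://shop.example/index.html - text/html
2015-09-01T10:00:02 10.0.0.5 GET http://t.cn/placeholder http://shop.example/index.html text/html
2015-09-01T10:00:03 10.0.0.5 GET http://dwz.cn/placeholder http://t.cn/placeholder text/html
2015-09-01T10:00:04 10.0.0.5 GET http://exploit-server.example/a.swf http://dwz.cn/placeholder application/x-shockwave-flash
2015-09-01T10:00:09 10.0.0.5 GET http://exploit-server.example/svhost.exe - application/octet-stream
2015-09-01T10:05:00 10.0.0.7 GET http://t.cn/other http://news.example/ text/html
2015-09-01T10:05:02 10.0.0.7 GET http://cdn.example/player.swf http://news.example/ application/x-shockwave-flash
"""

SHORTENERS = {"t.cn", "dwz.cn"}  # the two shortening services named in the post
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    # Parse one constructed log line into a dict; malformed lines yield None.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, referer, ctype = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "url": url, "referer": referer, "ctype": ctype}

def detect_chains(log_text, window=timedelta(seconds=60)):
    """Flag clients that fetch a Flash object via a shortener hop and then an executable."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)
    hits = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, swf in enumerate(recs):
            # Stage 1: Flash content whose referer is t.cn or dwz.cn (the redirect hop).
            if swf["ctype"] != "application/x-shockwave-flash" or \
                    (urlparse(swf["referer"]).hostname or "") not in SHORTENERS:
                continue
            # Stage 2: an executable fetched by the same client within the time window.
            for later in recs[i + 1:]:
                if later["ts"] - swf["ts"] > window:
                    break
                if later["url"].lower().endswith(".exe"):
                    hits.append((client, swf["url"], later["url"]))
                    break
    return hits
```

The second client in the sample fetches a Flash file without a shortener referer and downloads no executable, so only the first client is reported; in a real deployment the content-type and extension checks would be widened to cover renamed payloads.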