Playbook

Malware Threat: Zegost

Description

Zegost has been historically attributed to Chinese cybercriminals, a fact that has been documented in various worldwide global campaigns. Zegost has been around since approximately 2011. Since that time there have been many iterations of Zegost, and the numerous updates to its functionality have been well documented. In addition, the threat actors behind Zegost have been known to be especially persistent and crafty, utilizing an arsenal of exploits to ensure they establish and maintain a connection to identified victims.

One example of this craftiness is found in their ability to leverage multiple exploits, most notably the leak of documented exploits used by The Hacking Team, an Italian for-profit offensive security company that provided tools for use by law enforcement and government agencies in 2015. Another example of the craftiness of the attackers behind Zegost is a novel attack technique used against Microsoft PowerPoint, where once an infected PowerPoint file is opened, a "Loading... Please wait" hypertext message appears. If a user hovers their mouse over those words it triggers an infection chain that delivers the Zegost malware payload through PowerShell.

FortiGuard Labs has detailed their findings of a malicious email campaign targeting a Chinese government agency. While we do not have any insight as to why the attackers behind Zegost decided to focus their campaign on a Chinese government agency, based on past behavior, we can at the very least assume that it was to gather intelligence of some kind to support the information-stealing nature of the malware.

For more information on the TTPs used by Zegost, read the blog listed in the appendix and go to our Playbook Viewer and select Zegost from the menu.

Appendix