New Zegost malware campaign targets Chinese government agency

• The attackers used spearphishing in this campaign to distribute Zegost malware.
• The malware is known to collect specific information from the infected machines. However, this new variant also records keystrokes.

Security researchers have identified a new malware campaign directed against a Chinese government agency wherein the threat actors deployed an info-stealing malware known as Zegost. It is speculated that the malware was used to gather some form of intelligence from the government agency. Discovered by researchers from Fortinet, the malware is known to perform a number of malicious actions after infecting target machines.

The big picture

• Zegost is spread through an email that contains a malicious attachment. The email content mentions the attachment as a ‘web video plugin’.
• In a blog post, Fortinet researchers detailed the various processes and functions Zegost performed after infecting the target machines.
• It first captures the targeted machine’s OS version and processor information. It also checks what applications the machine is running and sends that information to a C2 server.
• Following this, it collects information such as internet connection state, RDP port number, as well as QQ login numbers.
• This new variant of malware is also known to record keystrokes. The keystroke information is stored in a log file and sent to the C2 server.
• In addition, this variant can also launch processes in order to evade detection from antivirus software.

An emerging campaign

Fortinet researchers also indicate that this attack campaign is slowly growing in its operations. “At the time of our discovery, as well as during our initial observation of this spearphishing campaign, we were curious to see if this was a one-off campaign. However, our analysis now confirms that this is an emergent campaign that was in progress at the time we discovered it,” wrote the researchers.

The attack campaign is also reported to have used the same infrastructure that was previously used in other campaigns that distributed malicious APKs, backdoors, and DDoS botnets.