Hidden malware dubbed 'Zombie Zero', in Chinese inventory scanners


Ink

Administrator
Jan 8, 2011
22,361
Financial and business information was stolen from several shipping and logistics firms by sophisticated malware hiding in inventory scanners manufactured by a Chinese company.

The supply chain attack, dubbed “Zombie Zero,” was identified by security researchers from TrapX, a cybersecurity firm in San Mateo, California, who wrote about it in a report released Thursday.

TrapX hasn’t named the Chinese manufacturer, but said that the malware was implanted in physical scanners shipped to customers, as well as in the Windows XP Embedded firmware available for download on the manufacturer’s website.

The malware was designed to launch attacks using the SMB (Server Message Block) protocol and the Radmin remote control protocol when the infected inventory scanner was connected to a company’s wireless network. It then looked for ERP (enterprise resource planning) servers with the word “finance” in their names and used known exploits to compromise them, said Carl Wright, executive vice president and general manager of TrapX.

Wright declined to name the targeted ERP software, but said that it’s a very popular one that runs on Linux.

Read more: http://www.pcworld.com/article/2453...anners-targeted-logistics-shipping-firms.html
 

Littlebits

Retired Staff
May 3, 2011
3,893
Inventory Scanners Rigged with Malware for Shipping and Logistics Firms
- Malware targeted financial ERP servers
Hardware from a Chinese manufacturer has been detected to carry polymorphic advanced persistent malware that would target the shipping and logistics industry.

Researchers at TrapX, a San Mateo, California, security firm, wrote in a report that the malicious code reached the affected companies through the Windows Embedded XP operating system that was available on the hardware of the inventory devices, and it was installed at the manufacturer’s factory in China.

The malware, dubbed “Zombie Zero” and believed to be state-sponsored by TrapX, would also be available in the firmware download on the company’s support website.

The security firm says that the malware would begin its attack immediately after the infected device would be connected to the wireless network and put into production.

It would use the server message block (SMB) protocol through port 135/445 and relied on polymorphism to gain persistence on the attacked systems.

Researchers found that one of the victims whose systems were compromised by Zombie Zero foiled its attack through SMB thanks to firewall-based network segmentation, but the malware then initiated a second attempt, using the RADMIN protocol on port 4899, which assured its infiltration into more than nine servers.

The threat appears to have a clear mission, as it initiates attacks against ERP (enterprise resource planning) servers with specific words in their host name. One such keyword discovered by TrapX is “finance.”

After detecting the financial ERP server, malware would be uploaded from the scanner, in order to establish “a comprehensive command and control connection (CnC) to a Chinese botnet that terminated at the Lanxiang Vocational School located in ‘China Unicom Shandong province network’,” researchers from TrapX write in a report.

The complexity of the operation does not stop at this because a second payload would be downloaded from the botnet, one that would set “a more sophisticated CnC of the company’s finance server.”

With the communication system all set up, the operator behind Zombie Zero would have complete access to the information available on the victim’s network, which included all the details of the worldwide operations of the company (financial data, customer data, detailed shipping and manifest information).

To protect themselves from attacks, shipping and logistics companies install security certificates on the scanning terminals. However, in this case, such an action would be useless because the devices would come compromised straight from the manufacturer.

“Today’s threat actors are smarter than ever morphing their attacks multiple times to achieve the goal of undermining existing security defenses. The next generation of security solutions must be just as adaptable to counter these modern threats,” said David Monahan, Research Director at Enterprise Management Associates to TrapX.

Source
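As an added defensive example (not from the article, from TrapX, or from anyone in this thread): the sequence described above, SMB blocked by segmentation and then a fall-back to Radmin against a server whose name contains "finance", modelled as a check over constructed firewall log lines. The scanner subnet, IP addresses, hostnames and log format are assumptions.

```python
import re
# Everything below is constructed for this example (not from the TrapX report).
SCANNER_SUBNET = "10.50."                    # handheld-scanner wireless VLAN
LATERAL_PORTS = {135: "MS-RPC", 445: "SMB", 4899: "Radmin"}
ERP_KEYWORDS = ("finance",)                  # hostname keyword the article mentions
HOSTS = {"10.20.1.15": "erp-finance-01",     # constructed inventory (IP -> hostname)
         "10.20.1.16": "erp-warehouse-01"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one constructed firewall log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return None if m is None else {**m.groupdict(), "dport": int(m.group("dport"))}

def analyse(lines):
    """Flag TCP flows leaving the scanner segment toward SMB/RPC/Radmin ports."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] not in LATERAL_PORTS:
            continue
        if not ev["src"].startswith(SCANNER_SUBNET) or ev["dst"].startswith(SCANNER_SUBNET):
            continue                         # intra-segment, or not from a scanner
        host = HOSTS.get(ev["dst"], "unknown")
        erp_target = any(k in host.lower() for k in ERP_KEYWORDS)
        # DENY: the segmentation firewall held (as for the victim in the article); ALLOW: it did not.
        if ev["action"] == "ALLOW":
            severity = "critical"
        else:
            severity = "high" if erp_target else "medium"
        findings.append({"ts": ev["ts"], "src": ev["src"], "dst": host,
                         "service": LATERAL_PORTS[ev["dport"]], "severity": severity})
    return findings

# Constructed sample: SMB/RPC blocked by the segmentation firewall, then Radmin gets through.
SAMPLE_LOG = """\
2014-07-10T08:01:02Z DENY proto=tcp src=10.50.3.7:51001 dst=10.20.1.15:445
2014-07-10T08:01:03Z DENY proto=tcp src=10.50.3.7:51002 dst=10.20.1.15:135
2014-07-10T08:01:09Z ALLOW proto=tcp src=10.50.3.7:51003 dst=10.20.1.15:4899
2014-07-10T08:01:10Z ALLOW proto=tcp src=10.50.3.7:51004 dst=10.20.1.16:80
2014-07-10T08:02:00Z ALLOW proto=tcp src=10.20.1.16:40000 dst=10.20.1.15:445
""".splitlines()

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The two blocked SMB/RPC attempts are still reported, because a scanner that probes server ports is itself the indicator, regardless of whether the firewall held.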

Deleted member 178

This is all about business and economic war; this is not the work of common security/website hackers but of hired professionals.