Technical Analysis & Remediation
MITRE ATT&CK Mapping
T1036.005 (Masquerading: Match Legitimate Name or Location) Mimicking 7-zip.org content and structure.
T1543.003 (Create or Modify System Process: Windows Service) Creates an auto-start service running as SYSTEM.
T1090 (Proxy)
Routes external traffic through the victim's host.
T1497 (Virtualization/Sandbox Evasion)
Checks for VMware, VirtualBox, QEMU, and Parallels.
CVE Profile
[N/A] (Social Engineering / Trojan)
Telemetry & IOCs
Distribution Domain
7zip[.]com (Do NOT visit).
C2/Exfiltration Domain
iplogger[.]org.
File System Artifacts
C:\Windows\SysWOW64\hero\Uphero.exe
C:\Windows\SysWOW64\hero\hero.exe
C:\Windows\SysWOW64\hero\hero.dll
Network Activity
Outbound connections on non-standard ports 1000 and 1002.
DNS-over-HTTPS (DoH) via Google resolvers.
Certificates: "Jozeal Network Technology Co., Limited".
Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)
GOVERN (GV)
Command
Update Software Procurement Policy to explicitly whitelist 7-zip.org and blacklist 7zip[.]com.
DETECT (DE)
Command
Configure EDR to alert on process creation of Uphero.exe or hero.exe originating from SysWOW64.
Command
Query network logs for traffic to iplogger[.]org or high-frequency outbound connections on ports 1000/1002.
RESPOND (RS)
Command
Isolate affected endpoints.
Command
Terminate the associated Windows Service (SYSTEM privileges).
Command
Review firewall modifications; the malware uses netsh to modify rules.
RECOVER (RC)
Command
Re-image compromised hosts (recommended due to SYSTEM level persistence).
IDENTIFY & PROTECT (ID/PR)
Command
Implement DNS filtering to block newly registered domains or known proxyware C2s.
Remediation - THE HOME USER TRACK (Safety Focus)
Priority 1: Safety
Command
Disconnect from the internet immediately. The malware turns your PC into a proxy for potentially illegal activities.
Priority 2: Eradication
Command
Boot into Safe Mode.
Command
Navigate to C:\Windows\SysWOW64\ and check for a folder named hero. If found, this confirms infection.
Command
Run a full scan with a reputable non-resident antivirus (e.g., Microsoft Defender Offline or Malwarebytes Free) to remove the service and files.
Priority 3: Persistence
Command
Check your firewall settings for unauthorized allowed programs. The malware modifies these rules to allow traffic.
Hardening & References
Source of Truth
Always download 7-Zip from the official repository: 7-zip.org.
Warning
Avoid clicking download links in YouTube tutorials or promoted search results.
Source
BleepingComputer (Original Report)
Official 7-Zip Repository
Note: This is the only valid source. All others should be blocked at the network perimeter.
www.bleepingcomputer.com
. The original researcher's publication didn't include the malware installer's hash, but the proxy's binaries are already all detected by MD.
.
