ZeroEvil
⚠️ Overview
ZeroEvil is a Java-based remote access trojan (RAT) first documented by Trend Micro researchers in July 2020. It is attributed to an unidentified threat actor assessed as likely operating from Eastern Europe, and is classified as a commodity stealer targeting credentials and cryptocurrency wallets.
🔧 Technical Capabilities
ZeroEvil propagates via phishing emails carrying malicious attachments or embedded download links, typically with social-engineering lures themed around shipping notifications or job offers. It communicates with its command-and-control (C2) server over a custom HTTP-based protocol whose payloads are Base64-encoded; Base64 is an encoding rather than encryption, so the payloads are recoverable from a packet capture. Static detection is hindered by reflection and custom class loaders, which hide from a static scanner which classes are actually loaded at runtime.

Persistence is achieved through a registry Run key, HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with the value name JavaUpdate. Before executing its payload, the RAT checks for sandbox environments, virtual machines (e.g., VMware, VirtualBox) and debugging tools.

Once running, it collects browser passwords, FTP client credentials, cryptocurrency wallet files (e.g., Bitcoin Core, Electrum) and screenshots, exfiltrating them via HTTP POST requests to the C2 server. A keylogging module is included, and the RAT can download and execute additional files.
📜 History & Notable Incidents
First identified in July 2020, ZeroEvil was linked to a September 2020 campaign against European logistics firms, according to a Trend Micro report (ID: 1001195). No high-profile victims or law enforcement actions have been publicly reported. No CVE is associated with the malware itself (CVEs track vulnerabilities in software products, not malware families); its delivery documents, however, are reported to exploit CVE-2017-11882, the memory-corruption flaw in the Microsoft Office Equation Editor, as an initial infection vector.
🔍 Detection Indicators
The SHA-256 hash cited (from VirusTotal) is f4c8e7a1b2d3c4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8; as printed here this value is 62 hexadecimal characters, two short of the 64 a SHA-256 digest requires, so confirm it against the original source before adding it to a blocklist. Host-based indicators are the creation of the mutex JavaUpdateMutex and of the registry value JavaUpdate under HKCU\...\Run. Network indicators are HTTP User-Agent strings containing ZeroEvilClient and C2 domains matching *.homes.co and *.ddns.net; ddns.net is a shared dynamic-DNS domain with many legitimate users, so that pattern on its own is a low-confidence indicator and should be correlated with the User-Agent or host-based evidence.
☠️ Risk & Impact
The primary risk is theft of credentials and cryptocurrency assets, with potential financial losses for individuals and small-to-medium enterprises (SMEs). Affected sectors include logistics, e-commerce, and cryptocurrency users; Trend Micro’s 2020 report noted a “moderate” impact level due to its targeted but limited distribution.
🛡️ Mitigation
Mitigation includes disabling Microsoft Office macros (which addresses macro-based lures but not CVE-2017-11882, since the Equation Editor flaw is triggered by document content without any macro), applying the patch for CVE-2017-11882, using endpoint detection and response (EDR) tools with behavioral rules for Java process anomalies (for example, a Java runtime launched by an Office process or from a user-writable directory), and blocking the known IOCs at web proxies. Trend Micro’s Apex One and Deep Security detect ZeroEvil as “TROJ_ZEROEVIL.A”.
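As an added example (not code from the original page, from Trend Micro or from Boteraser), the following Python script applies the indicators from the Detection Indicators section to two kinds of input: proxy log lines in an assumed layout (timestamp, client IP, method, URL, status, quoted User-Agent) and host telemetry records with assumed field names. The log lines and telemetry records are constructed for illustration, not captured traffic. The script matches the ZeroEvilClient User-Agent, the *.homes.co and *.ddns.net domain patterns, the JavaUpdate Run-key value and the JavaUpdateMutex mutex, and grades a domain-only match as low confidence for the reason given above.

```python
"""Match constructed proxy-log lines and host-telemetry records against the
ZeroEvil indicators listed on this page (added example, not original code)."""
import fnmatch
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators copied from the Detection Indicators section of this page.
UA_SUBSTRING = "ZeroEvilClient"
C2_DOMAIN_PATTERNS = ("*.homes.co", "*.ddns.net")
RUN_VALUE_NAME = "JavaUpdate"
MUTEX_NAME = "JavaUpdateMutex"
# The page gives the key as HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
# EDR telemetry often records the same key under HKU\<SID>\..., so we match
# on the root hive plus this suffix rather than on the exact string.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
USER_HIVE_ROOTS = {"hkcu", "hkey_current_user", "hku", "hkey_users"}

# Assumed (hypothetical) proxy log layout, one request per line:
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

SAMPLE_PROXY_LOG = [  # constructed sample lines, not real traffic
    '2020-09-14T08:01:02Z 10.0.0.12 POST http://update.homes.co/gate.php 200 "ZeroEvilClient/1.0"',
    '2020-09-14T08:01:05Z 10.0.0.12 GET http://cdn.example.com/lib.js 200 "Mozilla/5.0"',
    '2020-09-14T08:02:11Z 10.0.0.31 GET http://myhome.ddns.net/cam 200 "Mozilla/5.0"',
    '2020-09-14T08:02:30Z 10.0.0.31 GET http://homes.co/ 200 "Mozilla/5.0"',
]


def host_matches_c2_pattern(host: str) -> bool:
    """True if host matches one of the wildcard C2 patterns.

    fnmatchcase is used on a lower-cased host because plain fnmatch is only
    case-insensitive on Windows. Note that '*.homes.co' requires at least one
    label before 'homes.co', so the bare apex domain does not match.
    """
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p) for p in C2_DOMAIN_PATTERNS)


def scan_proxy_log(lines):
    """Return one hit dict per suspicious request.

    A User-Agent match is high confidence. A domain-pattern match alone is low
    confidence: ddns.net is a shared dynamic-DNS domain with legitimate users.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed layout; skip it
        host = urlsplit(m["url"]).hostname or ""
        reasons = []
        if UA_SUBSTRING in m["ua"]:
            reasons.append("user-agent:" + UA_SUBSTRING)
        if host_matches_c2_pattern(host):
            reasons.append("c2-domain-pattern")
        if reasons:
            hits.append({
                "client": m["client"],
                "method": m["method"],
                "host": host,
                "reasons": reasons,
                "confidence": "high" if reasons[0].startswith("user-agent") else "low",
            })
    return hits


def is_user_run_key(key: str) -> bool:
    """True for the per-user Run key, written as HKCU\\... or as HKU\\<SID>\\..."""
    k = key.lower()
    root = k.split("\\", 1)[0]
    return root in USER_HIVE_ROOTS and k.endswith(RUN_KEY_SUFFIX)


def check_host_event(event: dict) -> Optional[str]:
    """Classify one host-telemetry record (a dict; the field names are assumed).

    Supported kinds: 'registry_set' with 'key' and 'value_name', and
    'mutex_create' with 'name'. Returns the matched indicator, or None.
    """
    kind = event.get("type")
    if kind == "registry_set":
        if is_user_run_key(event.get("key", "")) and event.get("value_name") == RUN_VALUE_NAME:
            return "run-key:" + RUN_VALUE_NAME
    elif kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        return "mutex:" + MUTEX_NAME
    return None


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

To run this against a real proxy export, adapt LOG_RE to the export's column layout; the matching logic is independent of it. The registry check deliberately accepts the HKU\<SID>\ form because that is how many EDR products record per-user keys, and it would otherwise miss the persistence indicator.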
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.