ZeroT (Malware)
⚠️ Overview
ZeroT is a remote access Trojan (RAT) first documented in June 2021 by AhnLab’s ASEC security response center. It is attributed to the North Korean advanced persistent threat group APT37 (also known as Reaper, ScarCruft, or InkySquid) based on overlapping infrastructure, payload naming conventions, and targeting patterns observed in multiple campaigns. ZeroT functions as a stealthy backdoor, enabling persistent remote control of compromised systems for intelligence gathering and lateral movement.
🔧 Technical Capabilities
ZeroT propagates primarily through spear-phishing emails containing malicious HWP (Hangul Word Processor) documents or LNK shortcut files that exploit the Hancom Office vulnerability CVE-2017-8291. The initial dropper downloads the main RAT payload and injects it into a legitimate process using process hollowing (MITRE ATT&CK T1055.012). The malware establishes command-and-control (C2) communication over HTTPS so that it blends in with normal web traffic, using a hardcoded list of fallback domains and IP addresses. It achieves persistence by creating a scheduled task or modifying the Registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). ZeroT employs anti-analysis techniques including API hammering (repeatedly calling functions to exhaust sandbox execution time), timing delays, and debugger-presence checks. Capabilities include file upload/download, keylogging, screen capture (T1113), and execution of arbitrary shell commands via cmd.exe.
📜 History & Notable Incidents
ZeroT first appeared in targeted attacks against South Korean government agencies, think tanks, and defense contractors in the second half of 2021. A major campaign in October 2021 used themed lures referencing inter-Korean relations and COVID-19 to deliver ZeroT alongside the BLUELIGHT backdoor. No law enforcement takedowns have been publicly reported, but multiple vendor reports (AhnLab ASEC blog, September 2021; Kaspersky APT Trends, Q3 2021) detail the infrastructure. The malware has not been linked to any specific CVE IDs beyond the initial exploit vector.
🔍 Detection Indicators
Known SHA-256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from AhnLab). Note that this value is the SHA-256 of zero-length input, so it cannot be used to identify a file. Behavioral indicators: creation of scheduled tasks named “AdobeFlashUpdate” or “JavaUpdate”, network connections to domains ending in .xyz or .top on port 443, and Registry Run keys referencing random 8-character executable names. User-Agent strings often mimic Chrome (e.g., “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36”). Mutex names follow patterns like “GlobaleroT_Mutex_” followed by a hex string.
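As an added defender-side example (not code from the page, from AhnLab, or from any other vendor report), the following Python script turns the behavioral indicators listed above into a small per-host correlation check over endpoint telemetry. The key=value log format, the host names, the domain, the file names and the rule weights are all constructed for the illustration. The page's hash is deliberately not used, because it is the SHA-256 of empty input and therefore matches no file. The stock Chrome User-Agent is weighted low: it is the genuine Chrome 91 string and on its own is not evidence of anything, so it only corroborates stronger signals.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample telemetry (hypothetical hosts, domain and paths; not from any real incident).
SAMPLE_EVENTS = [
    "2021-10-12T09:14:02Z host=WS01 type=schtask name=AdobeFlashUpdate action=create",
    "2021-10-12T09:14:05Z host=WS01 type=netconn dst=update-cdn.xyz port=443 proto=tcp",
    '2021-10-12T09:14:05Z host=WS01 type=http dst=update-cdn.xyz ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"',
    "2021-10-12T09:15:00Z host=WS01 type=regset key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "value=svchost1 data=C:\\Users\\u\\AppData\\Roaming\\a8f3k2lq.exe",
    "2021-10-12T09:16:00Z host=WS02 type=netconn dst=login.microsoftonline.com port=443 proto=tcp",
    "2021-10-12T09:17:00Z host=WS02 type=schtask name=MicrosoftEdgeUpdateTaskMachineCore action=create",
    "2021-10-12T09:18:00Z host=WS03 type=netconn dst=cdn-files.top port=443 proto=tcp",
]

# key=value tokenizer; a value may be double-quoted because the User-Agent contains spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Indicators taken from the page text.
SUSPICIOUS_TASK_NAMES = {"AdobeFlashUpdate", "JavaUpdate"}
SUSPICIOUS_TLDS = (".xyz", ".top")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RANDOM_EXE = re.compile(r"^[a-z0-9]{8}\.exe$", re.IGNORECASE)
# The 8-character test is purely lexical, so allow-list common legitimate names of that length.
KNOWN_GOOD_8CHAR = {"explorer.exe", "onedrive.exe"}
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")


def parse_event(line: str) -> Dict[str, str]:
    """Split one telemetry line into a dict, stripping quotes from quoted values."""
    ev = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        ev[key] = value
    return ev


def match_rules(ev: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return (reason, weight) pairs for every indicator the event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "schtask" and ev.get("action") == "create" and ev.get("name") in SUSPICIOUS_TASK_NAMES:
        hits.append(("scheduled task with a known ZeroT lure name", 5))
    if kind == "netconn" and ev.get("port") == "443" and ev.get("dst", "").lower().endswith(SUSPICIOUS_TLDS):
        hits.append(("HTTPS connection to a .xyz/.top domain", 3))
    if kind == "regset" and ev.get("key", "").lower() == RUN_KEY.lower():
        exe = ev.get("data", "").replace("/", "\\").rsplit("\\", 1)[-1]
        if RANDOM_EXE.match(exe) and exe.lower() not in KNOWN_GOOD_8CHAR:
            hits.append(("Run key pointing at a random 8-character executable", 4))
    if kind == "http" and ev.get("ua") == CHROME_UA:
        hits.append(("stock Chrome 91 User-Agent (weak, corroborating only)", 1))
    return hits


def score_hosts(lines: List[str]) -> Dict[str, Tuple[int, List[str]]]:
    """Sum indicator weights per host so that weak signals only count in combination."""
    scores = defaultdict(lambda: [0, []])
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        for reason, weight in match_rules(ev):
            scores[host][0] += weight
            scores[host][1].append(reason)
    return {h: (s, reasons) for h, (s, reasons) in scores.items()}


def flagged_hosts(lines: List[str], threshold: int = 6) -> List[str]:
    """Hosts whose combined indicator weight reaches the (constructed) alert threshold."""
    return sorted(h for h, (s, _) in score_hosts(lines).items() if s >= threshold)


if __name__ == "__main__":
    for host, (score, reasons) in sorted(score_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: score={score}")
        for r in reasons:
            print(f"    - {r}")
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Run directly, the script prints per-host scores and reports only the hosts whose combined weight reaches the threshold: a single HTTPS connection to a .xyz or .top domain (WS03) stays below it, while a lure-named scheduled task together with a Run key pointing at a random 8-character executable (WS01) is reported. In production the same rules would be fed from EDR or Sysmon events rather than from constructed strings, and the weights and threshold tuned against the environment's own baseline.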
☠️ Risk & Impact
ZeroT enables full remote access, allowing APT37 to exfiltrate sensitive documents, credentials, and diplomatic communications from compromised systems. The primary impact is intellectual property theft and geopolitical intelligence gathering, affecting South Korea’s national security and defense sectors. Financial losses are indirect but significant, often leading to remediation costs, system rebuilds, and reputational damage for targeted organizations.
🛡️ Mitigation
Defenders should block execution of HWP attachments from untrusted senders and apply the Hancom Office patch for CVE-2017-8291, enable AMSI and attack surface reduction (ASR) rules against script-based attacks, and monitor for unusual scheduled tasks and for outbound HTTPS connections to newly registered .xyz/.top domains. Deploy YARA rules targeting the ZeroT memory signature (available from AhnLab’s public repository) and restrict lateral movement using Windows Defender Firewall with explicit IP allow-lists.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.