ZeroEvil Remote Access Trojan

ZeroEvil is a newly observed remote access trojan based on the established ARS Loader malware.

Once installed, ZeroEvil has much of the same functionality as ARS Loader: it can exfiltrate user and system credentials, perform script-injection attacks on popular Internet browsers and steal cryptocurrency wallet keys. At present the downloader module appears to be non-functional, and the distributed denial-of-service module used by ARS is not included in ZeroEvil.

ARS Loader has been around since December 2017 and has evolved since then. The base code collected system information from the infected computer and sent it back to the C&C, receiving a response which could contain different executable commands. The basic commands allowed the bot to download and launch executables, download and execute plugins/DLLs, update itself, uninstall itself and perform a Denial of Service (DoS) attack.

AirNaine / TA545, the actor behind these campaigns targeting Canadian businesses, tries to collect email addresses belonging to Canadian corporate accounts, uses them to spread malware against those organisations, and then tries to steal credentials from the victims in order to monetize the accounts, probably looking specifically for banking accounts. This actor has changed tools and tactics over its years of activity, which suggests that the profit motive matters more to it than any particular means.

Indicators Of Compromise

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
