**Darien Huss, Pierre T, Axel F and Proofpoint** **Staff** **Overview** **Although state-sponsored attacks against the United States by Chinese threat actors have** **decreased dramatically since the signing of the US-China Cyber Agreement in 2016,** **Proofpoint researchers have continued to observe advanced persistent threat (APT) activity** **associated with Chinese actors targeting other regions. We have previously written about** **related activity [2][3] in which a particular China-based attack group used PlugX and** **NetTraveler Trojans for espionage in Europe, Russia, Mongolia, Belarus, and other** **neighboring countries. Most recently, we have observed the same group targeting military and** **aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using** **a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added** **Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-** **phishing emails.** **This blog details the function of the new malware, provides delivery details for elements of the** **APT activity, and describes additional changes in tactics, techniques, and procedures (TTPs)** **associated with this group.** **Delivery** **In previous campaigns, the group used spear-phishing emails with Microsoft Word document** **attachments utilizing CVE-2012-0158, or URLs linking to RAR-compressed executables.** **Although some of these patterns of behavior still continue, in June 2016 we observed the** **attackers using a new type of dropper to deliver a previously unknown malware we named** **"ZeroT". Specifically, the CHM file 20160621.chm (SHA256:�** **4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff) dropped the** **first known sample of ZeroT �** ----- **and may consist of HTML pages and other compressed files. This particular CHM contained�** **an HTM file and an executable file. The HTM file contained the text displayed to the user and�** **referenced the executable svchost.exe (SHA256:** **d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375). Thus, opening** **the CHM has the effect of running the executable (the UAC dialog is shown in Figure 1).** **_Figure 1: The dropper file 20160621.chm with a Russian-language lure pretends to be from�_** **_the “Defense Industry of Russia in the 21st Century”; user must accept the UAC warning_** **_before malware executes.​​​_** ----- **_Figure 2: Listing of the files in the CHM file and their partial contents�_** **Attackers also continued to send spear-phishing emails with Microsoft Word attachments** **utilizing CVE-2012-0158 to exploit the client. These documents were built with MNKit,** **described in detail here [6][7]. For example, the email with subject “Федеральная целевая** **программа 2017-2020 гг.” (translated from Russian: “Federal Target Program 2017-2020 gg.”)** **contained an attachment “2017-2020.doc” and was sent to a potential victim in an aerospace** **company in December 2016.** **_Figure 3: Email sent to potential victim in aerospace company contained a MNKit-generated_** **_CVE-2012-0158 exploit document_** ----- **extracting executables) of ZeroT; example names are listed in the table below. Several refer to** **Commonwealth of Independent States (CIS), a regional organization that includes nine out of** **the fifteen former Soviet Republics, including Russia and Belarus [5].�** **Filename** **Translation** **Изменения в списке аффилированных лиц по** **состоянию на 21.06.2016 г.scr** **УВЕДОМЛЕНИЕ О** **КОНФИДЕНЦИАЛЬНОСТИ.rar** **ПОВЕСТКА ДНЯ 72-го заседания** **Экономического совета Содружества** **Независимых Государств.rar** **Changes in the list of affiliates as of 06.21.2016�** **g.scr** **NOTICE of CONFIDENTIALITY.rar** **AGENDA OF THE DAY for 72-nd meeting of the** **Economic Council of the Commonwealth of** **Independent States.rar** **Проекты.scr** **Projects.scr** **План.scr** **Plan.scr** **08_11_2016 СНГ.7z** **08_11_2016 CIS.7z** **_Table 1: Examples of RAR compressed executables or simply .scr executables of ZeroT_** **Analysis** **This section provides an analysis of ZeroT, its delivery and obfuscation techniques.** **UAC Bypass and Sideloading** **Throughout our investigation, many of the analyzed ZeroT RAR SFX samples (e.g.** **67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b) contained a file�** **named Go.exe which performs Windows UAC bypass. This executable contains a PDB path** **indicating its purpose of bypassing UAC (Fig. 4).** **_Figure 4: PDB path containing Chinese characters translating to “Desktop”_** **This executable is obfuscated using the same technique that is reused in the sideload DLL** **and the ZeroT payload (described later). When run, Go.exe modifies the registry key shown in�** **Figure 5 to perform the UAC bypass by exploiting Event Viewer [1].** ----- **_eventvwr.exe_** **It then executes eventvwr.exe which proceeds to execute Zlh.exe using the UAC bypass** **vulnerability (Fig. 6).** **_Figure 6: Zlh.exe is executed via the eventvwr.exe UAC bypass vulnerability_** **[Zlh.exe is a legitimate, signed Norman Safeground AS application, which is used to sideload a](https://en.wikipedia.org/wiki/Norman_Safeground)** **malicious nflogger.dll DLL.The encrypted ZeroT payload is usually named NO.2.mui. The�** **sideloaded DLL does not always use the same vulnerable executable, but it is always similar** **in functionality. Usually the DLL is not packed, but we have observed instances compressed** **[by UPX. This malicious DLL is usually obfuscated with the same junk code: dummy API calls](https://upx.github.io/)** **inserted in between real instructions (Fig. 7). The same obfuscation can be found in multiple** **functions in ZeroT itself.** **_Figure 7: Dummy API calls for obfuscation_** **This DLL has no other noticeable characteristics, as it functions like a typical malicious** **sideload. After loading the encrypted payload in memory, it transfers the execution to a** **shellcode that is located at the beginning of the file. Even if the process is similar for the PlugX�** **RAT sideloaded later, the shellcode and obfuscation have nothing in common. Once loaded in** **memory, the ZeroT shellcode does not present any kind of obfuscation, unlike that for PlugX.** **This shellcode is charged with unpacking the encrypted and compressed payload. As in the** **new PlugX dropper detailed below this is done using RC4 and RtlDecompressBuffer As in** ----- **“PE” constants (Fig. 8). On some PlugX versions, either “GULP” or “XV” are common as tags** **replacing the “MZ” constant.** **_Figure 8 : Altered ZeroT PE Header_** **ZeroT Command and Control Protocol** **ZeroT communicates with its command and control (C&C) over HTTP. A fake User-Agent is** **used in all the requests made by this malware: “Mozilla/6.0 (compatible; MSIE 10.0; Windows** **_NT 6.2; Tzcdrnt/6.0)”, with “Tzcdrnt” possibly being a typo of “Trident.” In all the samples we_** **observed, ZeroT first beacons to �index.php expecting an RC4-encrypted response using a** **static key: “(*^GF(9042&*” (Fig. 9).** **_Figure 9: ZeroT initial beacon over HTTP requesting URL configuration�_** **In the decrypted initial server response (Fig. 10,11), ZeroT expects several URLs including a** **location to POST system information prefixed with “w:” and a download location for any stage�** **2 payloads denoted with an “r:” prefix.�** ----- **_Figure 10: Decrypted tassnews[.]net index.php response containing several URLs_** **Next, ZeroT uses HTTP POST beacons to transmit information about the infected system to** **the C&C. The first beacon contains the following data: “�Cn=%s&La=%s&” where Cn is the** **computername and La is the local IP address (Fig. 11). While the first beacon is transmitted in�** **cleartext it is probable that this behavior was unintentional as subsequent POST beacons in** **the loop are encrypted. The first POST beacon is followed by another in the following format�** **(Fig. 11,12):** **“Lg=%d&Pv=%d&Bu=%%s&Cn=%s&Cu=%s&Dn=%s&Ki=%s&La=%s&Me=%s&Os=%s&Ov=** **_%s&Pt=%s&Fl=%%d” that is RC4-encrypted with the following key: “s2-18rg1-41g3j_.;”. This_** **POST sends basic fingerprinting data including computer name, system language, domain�** **information and Windows versioning.** **Figure 11: Initial plaintext POST beacon** **Figure 12: RC4-encrypted POST beacon** **The final piece of ZeroT’s C&C protocol is to retrieve any stage-2 payloads. In the initial�** **samples of ZeroT, the tassnews[.]net C&C was used to distribute plain, non-encoded PE** **payloads (Fig. 13). Although we were not able to retrieve all the payloads that may have** **existed at this C&C, the ones we did observe were RAR SFX archives used to deliver PlugX.** ----- **Figure 13: ZeroT downloading non-encoded PlugX Stage 2** **The ZeroT samples communicating to versig[.]net functioned differently from samples using** **tassnews[.]net where Bitmap (BMP) [8] URLs (Figure 14) were provided as a stage 2 payload** **instead of EXEs (Fig. 14).** **_Figure 14: Decrypted versig[.]net index.php response with F.bmp stage 2_** **The BMPs used for stage 2 in all the instances we analyzed looked like normal images (Fig.** **15, 16) which indicated a form of steganography is being used that minimizes changes to the** **appearance of the image.** ----- **_Analysis of the F.bmp image revealed that it is indeed using Least Significant Bit (LSB)�_** **Steganography [9,10], a commonly used form of steganography that embeds data in an image** **without significantly affecting its appearance.�** **Analysis of ZeroT’s Bitmap LSB Steganography** **ZeroT uses a single, large function for the custom LSB algorithm that occurs as the first�** **function in the samples we analyzed. It may selectively choose to extract one, two, three, or** **four bits per pixel byte depending on the size of the embedded payload and the image being** **used, meaning it is capable of 1-, 2-, 3-, and 4-bit LSB (Fig. 16).** **_Figure 16: Diagram depicting portions of ZeroT’s LSB steganography algorithm_** ----- **Bitmap is assumed while calculating the size of memory needed (3*Width*Height) to store all** **the pixels in the image, which is allocated using malloc. Next, because Bitmaps are padded to** **32-bit boundaries, ZeroT will check to see if any padding exists by AND’ing 3*Width. If that** **value is not zero, then it is subtracted from four which is then used as the padding.** **The following step in the algorithm is to assemble the bitmap row by row. Technically what** **occurs is as follows: iteratively 3*Width bytes, beginning at the hardcoded offset of 54, are** **copied to the end of the previously allocated memory (malloc’d 3*Width*Height). Padding is** **then skipped, if any exists, followed by the next 3*Width bytes until all rows of pixels are** **copied.** **Next, starting at offset 10 of the assembled bitmap, ZeroT extracts a 32-bit value from 32-** **bytes using 1-bit LSB that is used to indicate the size of the embedded stage 2 payload. The** **stage 2 file extension is then extracted starting at offset nine and working its way backwards�** **until a period is found (e.g., “.exe”).** **Finally, ZeroT checks various values such as the image length against the needed bits to** **complete the length of the extracted payload [8*len(extracted payload)]. Depending on the** **result, ZeroT will decide to use 1-, 2-, 3-, or 4-bit LSB. Lastly, once each bit is extracted, all the** **bits will be compiled into bytes to form the extracted stage 2 payload.** **Stage 2 Payloads** **Until the end of 2016, PlugX payloads were delivered as RAR SFX archives and used one of** **the usual sideload executables such as fsguidll.exe. ZeroT sets up the persistence for these** **samples, adding a new service to run PlugX during system startup (Fig 17).** **_Figure 17: ZeroT configures PlugX service to run during startup�_** **Of interest, a recent ZeroT sample (SHA256:** **a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8) downloaded a** **much smaller BMP payload (SHA256:** **25de9c3f7bf1f0be7eb84cf90efb643d5d51ce1742da8bcc4c7db0eec79a221f). This was an** **example where the stage 2 payload was distributed using a custom dropper instead of RAR** **SFX Thi d** **l** **d th** **(Fi** **18) d** **t th** **i** **th** **MD5 h** **h** **f** ----- **implementation) and decompresses it with LZNT1 via the RtlDecompressBuffer API. There are** **three Resource items contained in the payload that would eventually decrypt to: “fsguidll.exe”,** **“fslapi.dll”, and “flsapi.dll.gui�.” Unfortunately, when the payload extracted from the BMP is** **executed, no command line argument is provided so none of the resources are properly** **decrypted and decompressed. Based on the file names and size of fslapi.dll.gui, it is very likely�** **that PlugX is the intended stage 2 payload.** **_Figure 18: Resources loaded by the custom dropper_** **Finally, in all other cases where a stage 2 payload was successfully retrieved, PlugX was** **delivered. None of the PlugX samples that we analyzed were issued from new builders** **(internal version 20141028), and therefore they do not present any kind of new techniques.** **The extracted PlugX configurations are provided in Appendices A and B [11].�** **Infrastructure Links** **In addition to their similar TTPs, ZeroT infrastructure has been continuously shared with** **NetTraveler and both malware families share the same C&C domains.** **•** **•** **•** **The C&C domain www.tassnews[.]net was used by initial samples of ZeroT in June 2016.** **It was concurrently used by NetTraveler (example SHA256:** **b43cbc905088c08ee3b71b6e053f91f2c79d71556462eae1c13f1cc8eb5bec72) as well as** **long prior [3]** **The C&C domain www.riaru[.]net was observed used by at least one sample of ZeroT** **(SHA256: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478).** **This domain was previously tied to NetTraveler as well [3]** **The C&C domain www.versig[.]net is used by many samples of ZeroT from September** **2016 to January 2017. This domain was also used by many NetTraveler samples as well** **(example SHA256:** **0d6d789d603d6d9ba68131592fd595c4d82c0288be309876d27a53466158b312) in the** **time frame from October 2016 to January 2017** **The PlugX samples downloaded by ZeroT exhibit infrastructure connections to PlugX samples** **described in our 2015 blog about this group, “In Pursuit of Optical Fibers and Troop Intel:** **Targeted Attack Distributes PlugX in Russia” Specifically:�** ----- **(SHA256: 3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa)** **downloaded by ZeroT (SHA256:** **d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375). This** **domain was also used by PlugX samples described in the 2015 blog** **Note also an interesting connection: the hostname www.riaru[.]net resolved to IP** **103.200.31[.]110 which also responded for yandax[.]net. One of the PlugX C&Cs** **(www[.].micrnet[.]net) resolved to 103.229.28[.]133 which also resolved to yandcx[.]com.** **_Figure 19: Illustration of infrastructure connections on a limited set of samples_** **Conclusion** **This APT activity represents both a change in TTPs as well as the introduction of new malware** **known as ZeroT by a Chinese state-sponsored attack group that we have previously** **associated with multiple campaigns. Proofpoint researchers have predicted that APT activity** **will continue to increase in the coming year and we will continue to track developments among** **state-sponsored actors.** **References** **[1] https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-�** **hijacking/** **[[2] https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia](https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia)** **[3] https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-** **interests** **[[4] https://en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help](https://en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help)** **[[5] https://en wikipedia org/wiki/Commonwealth of Independent States](https://en.wikipedia.org/wiki/Commonwealth_of_Independent_States)** ----- **reveals-some-common-threads/** **[7] https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-office-�** **exploit-generators-szappanos.pdf** **[[8] https://en.wikipedia.org/wiki/BMP_file_format�](https://en.wikipedia.org/wiki/BMP_file_format)** **[[9] https://en.wikipedia.org/wiki/Least_significant_bit�](https://en.wikipedia.org/wiki/Least_significant_bit)** **[[10] http://www.aaronmiller.in/thesis/](http://www.aaronmiller.in/thesis/)** **[[11] https://github.com/arbor-jjones/volatility_plugins](https://github.com/arbor-jjones/volatility_plugins)** **Indicators of Compromise (IOCs)** **_RAR / 7-Zip archives_** **38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf** **ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097** **ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462** **f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168** **_CHM droppers_** **4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff** **ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2** **74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d** **_Word Exploit documents_** **9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58** **_ZeroT_** **09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0** **1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4** **399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343** **3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425** **67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b** **74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df** ----- **a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0** **a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8** **aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267** **b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8** **c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d** **c5d022f0815aeaa27afb8f1efbce2771d95914be881d288b0841713dbbbeda1a** **d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375** **fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478** **97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4** **PlugX:** **b185401a8562614ef42a84bc29f6c21aca31b7811c2c0e680f455b061229a77f** **3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa** **07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67** **_ZeroT C&C_** **www.tassnews[.]net** **www.versig[.]net** **www.riaru[.]net** **_PlugX C&C_** **www.micrnet[.]net** **www.dicemention[.]com** **_Likely Related C&C_** **www.rumiany[.]com** **www.yandcx[.]com** **ET and ETPRO Suricata/Snort Coverage** **2810326,ETPRO TROJAN PlugX Related Checkin** ----- **2821028,ETPRO TROJAN APT.ZeroT CnC Beacon HTTP POST** **2824640,ETPRO TROJAN APT.ZeroT CnC Beacon** **2824641,ETPRO TROJAN APT.ZeroT Receiving Config�** **Appendix A: Example PlugX Configuration�** **Sample hash: 07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67** **PlugX Config (0x36a4 bytes):�** **Hide Dll: 0** **Keylogger: -1** **Sleep1: 167772160** **Sleep2: 0** **Cnc: www.micrnet[.]net:80 (HTTP / UDP)** **Cnc: www.micrnet[.]net:80 (TCP / HTTP)** **Cnc: www.micrnet[.]net:80 (UDP)** **Cnc: www.micrnet[.]net:443 (HTTP / UDP)** **Cnc: www.micrnet[.]net:443 (TCP / HTTP)** **Cnc: www.micrnet[.]net:443 (UDP)** **Cnc: www.micrnet[.]net:53 (HTTP / UDP)** **Cnc: www.micrnet[.]net:53 (TCP / HTTP)** **Cnc: www.micrnet[.]net:53 (UDP)** **Persistence: Run key** **Install Folder: %AUTO%\TCMyXfeFAd** **Service Name: pQwEPnz** **Service Display Name: pQwEPnz** **Service Desc: Windows pQwEPnz Service** **Reg Hive: HKCU** ----- **Reg Value: mJqyCsNGBsge** **Injection: 1** **Inject Process: %windir%\explorer.exe** **Inject Process: %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe** **Inject Process: %windir%\system32\svchost.exe** **Uac Bypass Injection: 1** **Uac Bypass Inject: %windir%\explorer.exe** **Uac Bypass Inject: %windir%\system32\rundll32.exe** **Uac Bypass Inject: %windir%\system32\dllhost.exe** **Uac Bypass Inject: %windir%\system32\msiexec.exe** **Plugx Auth Str: TEST** **Cnc Auth Str: DuICS** **Mutex: Global\WtMKAPYYxoWMoWW** **Screenshots: 0** **Screenshots Sec: 10** **Screenshots Zoom: 50** **Screenshots Bits: 16** **Screenshots Qual: 50** **Screenshots Keep: 3** **Screenshot Folder: %AUTO%\FS\screen** **Enable Tcp P2P: 1** **Tcp P2P Port: 1357** **Enable Udp P2P: 1** **Udp P2P Port: 1357** **Enable Icmp P2P: 1** ----- **Enable Ipproto P2P: 1** **Ipproto P2P Port: 1357** **Enable P2P Scan: 1** **P2P Start Scan1: 0.0.0.0** **P2P Start Scan2: 0.0.0.0** **P2P Start Scan3: 0.0.0.0** **P2P Start Scan4: 0.0.0.0** **P2P End Scan1: 0.0.0.0** **P2P End Scan2: 0.0.0.0** **P2P End Scan3: 0.0.0.0** **P2P End Scan4: 0.0.0.0** **Mac Disable: 00:00:00:00:00:00** **Appendix B: Example PlugX Configuration�** **Sample hash: 3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa** **Process: fsguidll.exe (3980)** **PlugX Config (0x36a4 bytes):�** **Hide Dll: 0** **Keylogger: -1** **Sleep1: 167772160** **Sleep2: 0** **Cnc: www.dicemention[.]com:80 (HTTP / UDP)** **Cnc: www.dicemention[.]com:443 (HTTP / UDP)** **Cnc: www.dicemention[.]com:25 (HTTP / UDP)** **Cnc: www.dicemention[.]com:80 (TCP / HTTP)** **Cnc: www.dicemention[.]com:443 (TCP / HTTP)** ----- **Cnc: www.dicemention[.]com:80 (UDP)** **Cnc: www.dicemention[.]com:443 (UDP)** **Cnc: www.dicemention[.]com:25 (UDP)** **Persistence: Service + Run Key** **Install Folder: %AUTO%\IZBpIciif** **Service Name: yAjUgUdMGHuvGaZ** **Service Display Name: yAjUgUdMGHuvGaZ** **Service Desc: Windows yAjUgUdMGHuvGaZ Service** **Reg Hive: HKCU** **Reg Key: Software\Microsoft\Windows\CurrentVersion\Run** **Reg Value: RqdFqFSYaBx** **Injection: 1** **Inject Process: %windir%\system32\svchost.exe** **Inject Process: %windir%\explorer.exe** **Inject Process: %ProgramFiles%\Internet Explorer\iexplore.exe** **Inject Process: %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe** **Uac Bypass Injection: 1** **Uac Bypass Inject: %windir%\system32\msiexec.exe** **Uac Bypass Inject: %windir%\explorer.exe** **Uac Bypass Inject: %windir%\system32\rundll32.exe** **Uac Bypass Inject: %windir%\system32\dllhost.exe** **Plugx Auth Str: TEST** **Cnc Auth Str: NBz** **Mutex: Global\ksMoQGOTIBJXumYclXtcsAnx** **Screenshots: 0** ----- **Screenshots Zoom: 50** **Screenshots Bits: 16** **Screenshots Qual: 50** **Screenshots Keep: 3** **Screenshot Folder: %AUTO%\FS\screen** **Enable Tcp P2P: 1** **Tcp P2P Port: 1357** **Enable Udp P2P: 1** **Udp P2P Port: 1357** **Enable Icmp P2P: 1** **Icmp P2P Port: 1357** **Enable Ipproto P2P: 1** **Ipproto P2P Port: 1357** **Enable P2P Scan: 1** **P2P Start Scan1: 0.0.0.0** **P2P Start Scan2: 0.0.0.0** **P2P Start Scan3: 0.0.0.0** **P2P Start Scan4: 0.0.0.0** **P2P End Scan1: 0.0.0.0** **P2P End Scan2: 0.0.0.0** **P2P End Scan3: 0.0.0.0** **P2P End Scan4: 0.0.0.0** **Mac Disable: 00:00:00:00:00:00** ----- **EITest Nabbing Chrome Users with a “Chrome Font” Social Engineering Scheme** **Targeted Threat Leads to Keylogger via Fake Silverlight Update** **No Shortcuts to Verification: Social Media Verification Phishing Scams Steal Credentials and�** **Credit Card Numbers** **Phishing Actors Take a Cue From Malware-Distributing Brethren** **[Ransomware Survival Guide](https://www.proofpoint.com/us)** **[Threat Reference](https://www.proofpoint.com/us)** **[Proofpoint Blog](https://www.proofpoint.com/us)** **[Threat Insight Blog](https://www.proofpoint.com/us)** **[Events](https://www.proofpoint.com/us)** **[Media Contacts](https://www.proofpoint.com/us)** **About Proofpoint** **Board of** **Directors** **Careers** **Corporate Blog** **[Investors Center](http://investors.proofpoint.com)** **Leadership Team** **News Center** ----- **Threat Insight (blog)** **Upgrade from McAfee** **Webinars** **United** **States** **[United Kingdom](https://www.proofpoint.com/uk)** **[France](https://www.proofpoint.com/fr)** **[Germany](https://www.proofpoint.com/de)** **[Spain](https://www.proofpoint.com/es)** **[Japan](https://www.proofpoint.com/jp)** **[Australia](https://www.proofpoint.com/au)** **© 2017 . All rights reserved.** **Privacy Policy.** -----