{
	"id": "5f835eda-2724-4284-acac-ff8703740202",
	"created_at": "2026-04-06T00:13:26.218031Z",
	"updated_at": "2026-04-10T03:32:34.635769Z",
	"deleted_at": null,
	"sha1_hash": "fca50ee04a9a2b96e57aa3babb6956e4ed9cfc95",
	"title": "APT Targets Financial Analysts with CVE-2017-0199 | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2459510,
	"plain_text": "APT Targets Financial Analysts with CVE-2017-0199 | Proofpoint US\r\nBy Axel F, April 27, 2017\r\nPublished: 2017-04-27 · Archived: 2026-04-02 12:23:43 UTC\r\nOn April 20, Proofpoint observed a targeted campaign focused on financial analysts working at top global\r\nfinancial firms operating in Russia and neighboring countries. These analysts were linked by their coverage of the\r\ntelecommunications industry, making this targeting very similar to, and likely a continuation of, activity described\r\nin our “In Pursuit of Optical Fibers and Troop Intel” blog. This time, however, attackers opportunistically used\r\nspear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to\r\ndeploy the ZeroT Trojan, which in turn downloaded the PlugX Remote Access Trojan (RAT).\r\nProofpoint is tracking this attacker, believed to operate out of China, as TA459. The actor typically targets Central\r\nAsian countries, Russia, Belarus, Mongolia, and others. TA459 possesses a diverse malware arsenal including\r\nPlugX, NetTraveler, and ZeroT. 
[1][2][3]\r\nIn this blog, we also document other 2017 activity so far by this attack group, including their distribution of ZeroT\r\nmalware and secondary payloads PCRat/Gh0st.\r\nAnalysis\r\nIn this campaign, attackers used a Microsoft Word document called 0721.doc, which exploits CVE-2017-0199.\r\nThis vulnerability was disclosed and patched days prior to this attack.\r\nhttps://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts\r\nPage 1 of 9\n\nFigure 1: Microsoft Word document 0721.doc\r\nThe document uses the logic flaw to first download the file power.rtf from hxxp://122.9.52[.]215/news/power.rtf.\r\nThe payload is actually an HTML Application (HTA) file, not an RTF document.\r\nFigure 2: The first script downloaded by the exploit document is an HTA file\r\nAs shown in the figure above, the HTA’s VBScript changes the window size and location and then uses\r\nPowerShell to download yet another script: power.ps1. This is a PowerShell script that downloads and runs the\r\nZeroT payload cgi.exe.\r\nFigure 3: The second script downloaded by the exploit document is a PowerShell script\r\nFigure 4: Combined network traffic showing the document downloading its payloads\r\nZeroT and other payloads\r\nThe attack group has made incremental changes to ZeroT since our last analysis. While they still use RAR SFX\r\nformat for the initial payloads, ZeroT now uses the legitimate McAfee utility (SHA256\r\n3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe) named mcut.exe for sideloading, instead of the\r\nNorman Safeground AS utility they have used for this purpose in the past. 
The encrypted ZeroT payload, named Mctl.mui,\r\nis decoded in memory revealing a similarly tampered PE header and only slightly modified code when compared\r\nto ZeroT payloads we analyzed previously.\r\nOnce ZeroT is running, we observed that the fake User-Agent used in the requests changed from “Mozilla/6.0\r\n(compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)” to “Mozilla/6.0 (compatible; MSIE 11.0; Windows NT\r\n6.2)”, thus removing the “Tzcdrnt” typo observed in previous versions. The initial beacon to index.php changed to\r\nindex.txt but ZeroT still expects an RC4-encrypted response using a static key: “(*^GF(9042\u0026*”.\r\nFigure 5: ZeroT initial beacon over HTTP requesting URL configuration\r\nNext, ZeroT uses HTTP beacons to transmit information about the infected system to the command and control\r\n(C\u0026C). All posts are encrypted, unlike the last time we analyzed a sample from this actor, when the first POST\r\nwas accidentally not encrypted. After that, stage 2 payloads are still retrieved as Bitmap (BMP) images that use\r\nLeast Significant Bit (LSB) Steganography to hide the real payloads. These images appear normal in image\r\nviewers.\r\nFigure 6: Collage of example BMP images containing stage 2 payloads hidden using LSB steganography\r\nThe stage 2 payload was PlugX that beaconed to C\u0026C servers www[.]icefirebest[.]com and www[.]icekkk[.]net.\r\nFigure 7: ZeroT and PlugX HTTP network activity\r\nAdditional 2017 activity by TA459\r\nThroughout 2017 we observed this threat actor actively attempting to compromise victims with various malware\r\npayloads. ZeroT remained the primary stage 1 payload, but the stage 2 payloads varied. 
One such interesting\r\nexample was “ПЛАН РЕАЛИЗАЦИИ ПРОЕКТА.rar” (SHA256\r\nb5c208e4fb8ba255883f771d384ca85566c7be8adcf5c87114a62efb53b73fda). Translated from Russian, this file is\r\nnamed “PROJECT REALIZATION PLAN” and contains a compressed .scr executable. This ZeroT executable\r\ncommunicated with the C\u0026C domain www[.]kz-info[.]net and downloaded PlugX as well as an additional\r\nPCRat/Gh0st Trojan which communicated with the www[.]ruvim[.]net C\u0026C server. PCRat/Gh0st is a payload that\r\nwe do not see this group using frequently.\r\nAnother interesting ZeroT sample (SHA256\r\nbc2246813d7267608e1a80a04dac32da9115a15b1550b0c4842b9d6e2e7de374) contained the executable 0228.exe\r\nand a decoy document 0228.doc in the RAR SFX archive. Bundling decoy documents is a common tactic by this\r\ngroup. RAR SFX directives are used to display the decoy while the malicious payload is executed. We suspect that\r\nthis specific lure was copied from the news article hxxp://www.cis.minsk[.]by/news.php?id=7557. This article was\r\nabout “73-го заседания Экономического совета СНГ”, translated from Russian as “73rd meeting of the CIS\r\nEconomic Council”, which describes a meeting held in Moscow by the Commonwealth of Independent States\r\n(CIS) countries, an organization that includes nine out of the fifteen former Soviet Republics.\r\nFigure 8: Decoy document\r\nFigure 9: The believed source of the text in decoy document\r\nConclusion\r\nTA459 is well-known for targeting organizations in Russia and neighboring countries. However, their strategy,\r\ntactics, techniques, and procedures in this particular attack emphasize the importance of rigorous patching\r\nregimens for all organizations. 
Even as software vulnerabilities often take a back seat to human exploits and social\r\nengineering, robust defenses must include protection at the email gateway, proactive patch management, and\r\nthoughtful end user education. Paying attention to the details of past attacks is also an important means of\r\npreparing for future attacks. Noting who is targeted, with what malware, and with what types of lures provides\r\nclues with which organizations can improve their security posture.\r\nAt the same time, multinational organizations like the financial services firms targeted here must be acutely aware\r\nof the threats from state-sponsored actors working with sophisticated malware to compromise users and networks.\r\nOngoing activity from attack groups like TA459, who consistently target individuals specializing in particular areas\r\nof research and expertise, further complicates an already difficult security situation for organizations dealing with\r\nmore traditional malware threats, phishing campaigns, and socially engineered threats every day.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia\r\n[2] https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests\r\n[3] https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx\r\nIndicators of Compromise (IOCs)\r\nET and ETPRO Suricata/Snort Coverage\r\n2821028 | ETPRO TROJAN APT.ZeroT CnC Beacon HTTP POST\r\n2825365 | ETPRO TROJAN APT.ZeroT CnC Beacon Fake User-Agent\r\n2824641 | ETPRO TROJAN APT.ZeroT Receiving Config\r\n2810326 | ETPRO TROJAN PlugX Related Checkin\r\n2024196 | ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential Office Exploit Attempt\r\n2024197 | ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0-day)\r\n2016922 | ET TROJAN Backdoor family PCRat/Gh0st CnC traffic\r\n2021716 | ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts"
	],
	"report_names": [
		"apt-targets-financial-analysts"
	],
	"threat_actors": [
		{
			"id": "7041fcf5-b34d-47c3-be4c-3c40f243af89",
			"created_at": "2023-01-06T13:46:38.611261Z",
			"updated_at": "2026-04-10T02:00:03.038745Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "MISPGALAXY:TA459",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0bf35542-9ebc-44a9-b319-b6df0bee4bac",
			"created_at": "2022-10-25T15:50:23.437853Z",
			"updated_at": "2026-04-10T02:00:05.36762Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"TA459"
			],
			"source_name": "MITRE:TA459",
			"tools": [
				"gh0st RAT",
				"NetTraveler",
				"PlugX",
				"ZeroT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "802552ac-1f16-4b85-8d78-76d683684124",
			"created_at": "2022-10-25T16:07:24.28032Z",
			"updated_at": "2026-04-10T02:00:04.920517Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "ETDA:TA459",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"NetTraveler",
				"Netfile",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav",
				"ZeroT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434406,
	"ts_updated_at": 1775791954,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fca50ee04a9a2b96e57aa3babb6956e4ed9cfc95.pdf",
		"text": "https://archive.orkl.eu/fca50ee04a9a2b96e57aa3babb6956e4ed9cfc95.txt",
		"img": "https://archive.orkl.eu/fca50ee04a9a2b96e57aa3babb6956e4ed9cfc95.jpg"
	}
}