TrapX Discovers New Malware – ‘Zombie Zero’


Shipping and logistics operations across the public and private sectors are now faced with a new kind of cyber threat. Highly sophisticated, polymorphic advanced persistent malware dubbed “Zombie Zero” is targeting the shipping and logistics industry across the globe. Weaponized malware was delivered into shipping and logistics enterprise environments from a Chinese manufacturer that sells proprietary hardware for the terminal scanners used to inventory items being shipped or transported in and out of many countries. TrapX, a cybersecurity and threat intelligence provider, discovered the malware through forensic analysis.

The malware was delivered through the Windows XP Embedded operating system installed on the hardware at the manufacturer’s location in China, and could also be downloaded from the Chinese manufacturer’s support website. A variant of this malware was also sold and delivered with the same hardware product to a large manufacturing company, as well as to seven other identified customers of this hardware product worldwide.

TrapX discovered the attack through its honeypot system. Unlike traditional honeypots, TrapX creates something closer to a sensor network of honeypots. Once an attacker hits one, it spins up a fake version of what the attacker is looking for and triggers all of the other honeypots to do the same. Then, the system draws the attacker into a quarantined sandbox for observation. “Once we give them what we want, we watch what they do and track information like hostnames. That information gets added to signature lists, block host lists, and allows us to reconfigure firewalls accordingly. This approach allows us to catch and discover the zero days, unlike just monitoring against existing attack signatures,” explains Carl Wright, General Manager of North America for TrapX, in an interview with CivSource.

With Zombie Zero, once the scanner was attached to the wireless network and put into production, it immediately began an automated attack on the corporate environment using the Server Message Block (SMB) protocol. Notably, existing security controls may not work against malware like this. The shipping and logistics target had installed security certificates on its scanner devices for network authentication, but because the devices were already infected with the advanced persistent malware at the manufacturer, the certificates were completely compromised: the network was authenticating a device that was hostile before it ever arrived.
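The behaviour described above, a newly attached device that immediately fans out over SMB to many internal hosts, is visible in ordinary network flow records regardless of whether the device holds a valid certificate. The following Python is an added detection example, not TrapX’s code or anything from the article; the flow lines, IP addresses, threshold and time window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the article):
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
# 10.20.5.41 plays a freshly provisioned scanner; 10.20.5.42 is a normal client.
SAMPLE_FLOWS = """\
2014-07-10T08:00:01 10.20.5.41 10.20.1.10 443
2014-07-10T08:00:02 10.20.5.41 10.20.1.10 445
2014-07-10T08:00:02 10.20.5.41 10.20.1.11 445
2014-07-10T08:00:03 10.20.5.41 10.20.1.12 445
2014-07-10T08:00:03 10.20.5.41 10.20.1.13 445
2014-07-10T08:00:04 10.20.5.41 10.20.1.14 445
2014-07-10T08:00:04 10.20.5.41 10.20.1.15 445
2014-07-10T08:00:05 10.20.5.41 10.20.1.16 445
2014-07-10T08:00:07 10.20.5.41 10.20.1.17 445
2014-07-10T08:01:00 10.20.5.42 10.20.1.10 445
2014-07-10T08:02:00 10.20.5.42 10.20.1.11 445
2014-07-10T08:10:00 10.20.5.42 10.20.1.12 445
"""

SMB_PORT = 445


def parse_flows(text):
    """Parse constructed flow lines into (time, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def smb_fanout_sources(flows, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_targets} for sources that reach `threshold`
    distinct hosts on TCP/445 inside any span of length `window`.
    An inventory scanner has no reason to contact many SMB hosts at once,
    so this burst pattern is what a defender alerts on and then isolates."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```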

“With this kind of malware, what’s really troubling is how we will have to handle it. The public sector already has a hardware scanning, certification and accreditation process in place before new technology gets introduced to a system. However, for the private sector to implement something like this it’s very expensive, and it’s going to slow down the ability to use technology, ramp up processes. This could be a very big problem for the private sector,” Wright adds.

The ultimate culprit for the attack was well known. The scanned data (origin, destination, contents, value, sender, recipient, etc.) were copied and sent out over an established command and control (CnC) connection to a Chinese botnet that terminated at the Lanxiang Vocational School, located in the “China Unicom Shandong province network”. The Lanxiang Vocational School has been linked to online attacks on Google and implicated in the Operation Aurora attack. The Chinese scanner manufacturer is located blocks away from the Lanxiang Vocational School.

Cybercriminals were given detailed access to corporate financial data, customer data, and detailed shipping and manifest information.

“Another part to this is that the incident rate of attack is going up, but the number of Level 3 security professionals to monitor, defend and combat is not. It’s creating an asymmetric warfare situation that favors the attackers. We’re having to outspend to deal with the issue, and that’s not a winning proposition. Until we can square this, we won’t be able to gain the advantage we need,” Wright said.