Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Chinese Backdoor Zegost Delivered Via Hacking Team Exploit

October 16, 2015 - 4 min read


Zscaler ThreatLabZ has been closely monitoring the usage of Hacking Team's leaked exploits in the wild since July, 2015 and recently uncovered the Emissary Panda APT attack leveraging these exploits. In past two months, we've spotted multiple instances of Zegost Backdoor Trojan installation attempts leveraging Hacking Team's Adobe Flash exploit (CVE-2015-5119) payload. These attacks do not appear to be targeted, but the payload involved in the infection cycle has some resemblance to recent APT payloads from HttpBrowser & the PlugX RAT family.

Attack Chain

The infection cycle starts with a legitimate Chinese real estate and shopping site www[.]kongquechang[.]com, which appears to have been compromised by the attackers and contains an injected script. The injected script will cause a series of redirects leading to Hacking Team's exploit payload as seen in Figure 1. The majority of users were led to the original compromised site following a Baidu search.
Figure 1: Compromised Chinese real estate & shopping site
The site www[.]kongquecheng[.]com is still infected but the exploit server appears to be down at the time of writing this blog. Attackers are abusing the Chinese URL shortening service t.cn to redirect victims to the attack server and also Baidu's URL shortening service dwz.cn to deliver the Adobe Flash exploit payload as seen below:
Figure 2: Zegost Backdoor Attack Chain
The Flash exploit payload (CVE-2015-5119) involved here is from the Hacking Team's leaked archive with updated shellcode. Upon successful exploitation, the embedded shellcode will trigger the download and execution of the Zegost executable from a predetermined location.
Figure 3: Hacking Team's Adobe Flash Exploit
Figure 4: Embedded shellcode to download & install Zegost

Zegost Payload Iterations

During the course of our monitoring we observed the attackers switch the malware payload multiple times.

Payload Type #1 - APT RAT like Zegost Installer



The Zegost payload was being delivered as part of an installer archive, which is similar in structure to the APT RAT PlugX and HttpBrowser as detailed here. The downloaded installer was svhost.exe, which has following file structure:
Figure 5: APT RAT like Zegost installer archive
The Zegost installer is responsible for dropping the above three files and running the legitimate Ping_Master_Pro utility DATA.exe. The legitimate binary contains the data.dll in the import table, ensuring that the DLL will be loaded before it runs. The data.dll that gets loaded in this case, will be a fake VirtualBox display driver DLL file present in the same directory and it will patch the entry point of the main executable (DATA.exe) file with a jump instruction to run the DLL’s code instead. This technique is also known as DLL Hijacking which ensures that the fake display driver DLL gets loaded by abusing the Windows DLL load order. The DLL’s code is responsible for decrypting and running the Zegost Backdoor payload from the fafentuqiang.png file in the same memory space of the benign executable.

We observed a bug in the persistence module for this payload, which resulted in an incorrect path getting added to the registry entry created by the malware. The result was that upon system reboot the user's machine will no longer be infected with the Backdoor Trojan.

Payload Type #2 - Vanilla Zegost



A modified Zegost payload was being delivered in decrypted form abandoning the installer archive structure. This payload was recently compiled and purports to be a XLLuaRuntime Dynamic Link Library file as seen below:
Figure 6: Recently compiled Zegost payload
Figure 7: Zegost payload file meta data
During our analysis we noticed that the persistence issue that existed in the previous iteration was resolved in this payload and the malware successfully remained active upon system reboot.

Zegost Infection Cycle

  • Zegost Trojan drops a copy of itself in the Windows system directory as %SYSTEMDIR%\Autoexec.exe
  • It creates the following registry key to ensure persistence upon system reboot:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Nobug = %SYSTEMDIR%\Autoexec.exe
  • We also saw an alternate code for achieving persistence by registering a new Windows Service:
ServiceName - DirectX dwx
DisplayName - DirectX Remover auy for Windows(R).
ImagePath - %SYSTEMDIR%\Autoexec.exe
  • The Trojan reports the infected system information to a predetermined remote server at the following location:
Domain - www[.]svshot[.]com
Server IP - 123.57.54[.]57
Server Port - 8999
  • The Command & Control server domain used in this attack was recently registered and points to a dedicated server hosted on the shady Chinese autonomous system - AS37963 (CNNIC-ALIBABA-CN-NET-AP) as seen below:
Figure 8: Command & Control server hosted in China
The same server is also used for the initial Adobe Flash exploitation attempt.


Hacking Team's exploit payloads remain a popular choice among cyber criminals for weaponizing their payloads. This is the first instance of the Zegost Backdoor Trojan being delivered using Hacking Team's exploit. The Zegost Backdoor payload iterations we observed in this attack chain indicates that the author is testing out new payloads.

Zscaler’s ThreatLabZ has confirmed coverage for these exploits and for the Zegost variants, ensuring protection for organizations using Zscaler’s Internet security platform.

Research by: Deepen Desai, Amandeep Kumar
form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.