Malware Hidden in Chinese Scanners Targeted Shipping and Logistics Firms
The supply chain attack, dubbed “Zombie Zero,” was identified by security researchers from TrapX, a cybersecurity firm in San Mateo, California, who wrote about it in a report released Thursday.
TrapX hasn’t named the Chinese manufacturer, but said that the malware was implanted in physical scanners shipped to customers, as well as in the Windows XP Embedded firmware available for download on the manufacturer’s website.
The malware was designed to launch attacks using the SMB (Server Message Block) protocol and the Radmin remote control protocol when the infected inventory scanner was connected to a company’s wireless network. It then looked for ERP (enterprise resource planning) servers with the word “finance” in their names and used known exploits to compromise them, said Carl Wright, executive vice president and general manager of TrapX.
According to the TrapX researchers, once an ERP server is found and compromised, the malware installs a second-stage component that connects to a command-and-control server at the Lanxiang Vocational School in China’s Shandong province. The researchers noted in their report that the Lanxiang Vocational School has been linked in the past to cyberespionage attacks against Google and other companies as part of a campaign called Operation Aurora.
The second-stage component downloads a third and more sophisticated payload that establishes a separate connection to a facility in Beijing.
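The two network behaviours the report attributes to the malware, scanners opening SMB and Radmin sessions to internal servers and a compromised ERP server then beaconing out to an external address, are both visible in flow logs. The following is an added example of detection logic over constructed flow records; it is not code from TrapX or the report. The scanner VLAN, corporate address ranges, hostnames and the log format are all assumptions made for the example, as is the use of Radmin's default TCP port 4899.

```python
"""Detect the Zombie Zero attack path in flow logs (constructed example):
1. a handheld scanner on the device VLAN opening SMB (139/445) or Radmin
   (4899) connections to several internal servers, and
2. one of those servers later initiating a connection to a non-corporate
   address, i.e. the second-stage command-and-control beacon.
"""
import ipaddress
from collections import defaultdict

# Assumptions for this example: scanners live on 10.50.0.0/24 and the
# corporate ranges are 10/8 and 192.168/16.
SCANNER_NET = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# 139/445 are SMB; 4899 is Radmin's default TCP port.
LATERAL_PORTS = {139: "smb", 445: "smb", 4899: "radmin"}

# Constructed hostnames; the report says the malware hunted for ERP servers
# with "finance" in the name, so those are flagged as highest priority.
HOSTNAMES = {"10.10.1.5": "erp-app-01", "10.10.1.6": "erp-app-02",
             "10.10.1.7": "erp-finance-01", "10.10.1.8": "fileserver-03"}

# Constructed flow records: "timestamp src dst dport proto", one per line.
SAMPLE_FLOWS = """\
2014-07-10T08:01:02 10.50.0.17 10.10.1.5 445 tcp
2014-07-10T08:01:03 10.50.0.17 10.10.1.6 445 tcp
2014-07-10T08:01:04 10.50.0.17 10.10.1.7 4899 tcp
2014-07-10T08:01:05 10.50.0.17 10.10.1.8 4899 tcp
2014-07-10T08:02:10 10.10.1.7 203.0.113.45 443 tcp
2014-07-10T08:05:00 10.50.0.22 10.10.9.1 53 udp
2014-07-10T08:06:00 10.10.2.3 10.10.1.5 445 tcp
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "dport": int(dport), "proto": proto})
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def scanner_lateral_movement(flows, min_targets=2):
    """A scanner should only talk to the inventory application; a scanner
    opening SMB/Radmin sessions to several servers is the first stage.
    Returns {scanner_ip: sorted [(target_ip, protocol), ...]}."""
    hits = defaultdict(set)
    for f in flows:
        if (f["src"] in SCANNER_NET and f["dport"] in LATERAL_PORTS
                and is_internal(f["dst"])):
            hits[str(f["src"])].add((str(f["dst"]), LATERAL_PORTS[f["dport"]]))
    return {src: sorted(t) for src, t in hits.items() if len(t) >= min_targets}


def high_value_targets(lateral):
    """Targets whose hostname matches the 'finance' naming the malware sought."""
    names = {HOSTNAMES.get(dst, dst)
             for targets in lateral.values() for dst, _ in targets}
    return sorted(n for n in names if "finance" in n.lower())


def server_egress(flows, server_ips):
    """Servers normally answer connections rather than start them; a server
    in server_ips connecting to a non-corporate address is the beacon."""
    return [(f["ts"], str(f["src"]), str(f["dst"]), f["dport"])
            for f in flows
            if str(f["src"]) in server_ips and not is_internal(f["dst"])]


def correlate(flows):
    """Chain the two stages: servers touched by a scanner over SMB/Radmin
    that subsequently beacon out. One finding covers the whole attack path."""
    lateral = scanner_lateral_movement(flows)
    touched = {dst for targets in lateral.values() for dst, _ in targets}
    return server_egress(flows, touched)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("lateral movement:", scanner_lateral_movement(flows))
    print("finance-named targets:", high_value_targets(scanner_lateral_movement(flows)))
    print("beaconing servers:", correlate(flows))
```

Run against the constructed records, the scanner 10.50.0.17 is reported for SMB/Radmin connections to four servers, erp-finance-01 is singled out by name, and the correlated finding is the later connection from 10.10.1.7 to 203.0.113.45. The second scanner (DNS only) and the ordinary workstation-to-server SMB flow are not flagged, which is the point of keying the rule on the scanner VLAN rather than on SMB traffic in general.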
The malware’s goal is to steal corporate financial and customer data from ERP servers, as well as shipping manifest information, the TrapX researchers said.