Sophisticated malware is being shipped preinstalled on handheld scanners in order to target shipping and logistics organizations and the manufacturing sector.
The attack, called “Zombie Zero,” has undergone analysis by cybersecurity solutions provider TrapX, a company formerly known as CyberSense.
The attack begins at a Chinese company that provides hardware and software for handheld scanners used by shipping and logistics firms worldwide to inventory the items they’re handling, said researchers at TrapX.
While the operation appears to focus on the shipping and logistics industry, TrapX said the malware is also reaching organizations in the manufacturing sector.
The Chinese manufacturer installs the malware on the embedded Windows XP operating system of the devices. The threat is also distributed through the company’s support website, the security firm said in its report.
The scanners transmit the data they collect (origin, destination, value, contents, etc.) via the customer’s wireless network. Once the customer starts using the device, the malware immediately sends this information back to a command and control (C&C) server located in China.
The C&C server is at the Lanxiang Vocational School, an educational institution involved in the Operation Aurora attacks against Google, and physically located only one block away from the scanner manufacturer, TrapX said.
The malware used by the Zombie Zero attackers is highly sophisticated and polymorphic, the researchers said. In one attack they observed, 16 of the 48 scanners used by the victim ended up infected, and the malware managed to penetrate the targeted organization’s defenses and gain access to servers on the corporate network. The companies that use the scanners install security certificates for network authentication, but because the malware is already present on the device when the certificates are installed, the certificates end up compromised as well.
Researchers found that the threat group targets servers storing corporate financial data, customer data and other sensitive information. A second payload downloaded by the malware then establishes a sophisticated C&C foothold on the company’s finance servers, enabling the attackers to exfiltrate the information they are after.