Hardware from a Chinese manufacturer has been detected to carry polymorphic advanced persistent malware that would target the shipping and logistics industry.

Researchers at TrapX, a San Mateo, California, security firm, wrote in a report that the malicious code reached the affected companies through the Windows Embedded XP operating system that was available on the hardware of the inventory devices, and it was installed at the manufacturer’s factory in China.

The malware, dubbed “Zombie Zero” and believed by TrapX to be state-sponsored, would also be available in the firmware download on the manufacturer’s support website.

The security firm says that the malware would begin its attack immediately after the infected device would be connected to the wireless network and put into production.

It used the Server Message Block (SMB) protocol over ports 135/445 and relied on polymorphism to gain persistence on the attacked systems.

Researchers found that one of the victims whose systems were compromised by Zombie Zero foiled its SMB attack thanks to firewall-based network segmentation, but the malware then made a second attempt using the RADMIN protocol on port 4899, which got it into more than nine servers.

The threat appears to have a clear mission, as it initiates attacks against ERP (enterprise resource planning) servers with specific words in their host name. One such keyword discovered by TrapX is “finance.”
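As an added illustration, not code from the article or the TrapX report, the following Python hunt applies the behaviour described above to a few constructed flow-log lines: it flags any device in an assumed scanner subnet that reaches a host with “finance” in its name over SMB (135/445) or RADMIN (4899), and separately reports scanners that switched from SMB to RADMIN, the fallback the report describes. The subnet, log format and hostnames are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: inventory scanners live in this subnet (hypothetical value).
SCANNER_SUBNET = ipaddress.ip_network("10.50.0.0/24")
# Ports the article names for the two lateral-movement attempts.
LATERAL_PORTS = {135: "SMB/RPC", 445: "SMB", 4899: "RADMIN"}
# Host-name keyword the report says Zombie Zero looked for.
TARGET_KEYWORDS = ("finance",)

# Constructed sample flows: src_ip,dst_ip,dst_port,dst_hostname (hypothetical format).
SAMPLE_FLOWS = """\
10.50.0.17,10.20.1.5,445,erp-finance-01
10.50.0.17,10.20.1.6,135,erp-finance-02
10.50.0.17,10.20.1.9,4899,erp-finance-01
10.50.0.17,10.20.1.40,443,wms-inventory-03
10.50.0.22,10.20.1.5,4899,erp-finance-01
10.10.3.4,10.20.1.5,445,erp-finance-01
"""

def parse_flow(line):
    src, dst, port, host = line.strip().split(",")
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "port": int(port), "host": host.lower()}

def suspicious(flow):
    # A scanner should never talk SMB/RADMIN to a finance-named server.
    return (flow["src"] in SCANNER_SUBNET
            and flow["port"] in LATERAL_PORTS
            and any(k in flow["host"] for k in TARGET_KEYWORDS))

def find_zombie_zero_pattern(log_text):
    """Return {scanner_ip: [(protocol, hostname), ...]} for matching flows, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            f = parse_flow(line)
            if suspicious(f):
                hits[str(f["src"])].append((LATERAL_PORTS[f["port"]], f["host"]))
    return dict(hits)

def fallback_to_radmin(hits):
    """Scanners that tried SMB and then RADMIN, i.e. the segmentation-bypass fallback."""
    return {ip for ip, events in hits.items()
            if any(p.startswith("SMB") for p, _ in events) and any(p == "RADMIN" for p, _ in events)}

if __name__ == "__main__":
    hits = find_zombie_zero_pattern(SAMPLE_FLOWS)
    for scanner, events in hits.items():
        print(scanner, events)
    print("fell back to RADMIN:", fallback_to_radmin(hits))
```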

After detecting the financial ERP server, malware would be uploaded from the scanner, in order to establish “a comprehensive command and control connection (CnC) to a Chinese botnet that terminated at the Lanxiang Vocational School located in ‘China Unicom Shandong province network’,” researchers from TrapX write in a report.

The complexity of the operation does not stop at this because a second payload would be downloaded from the botnet, one that would set “a more sophisticated CnC of the company’s finance server.”

With the communication system all set up, the operator behind Zombie Zero would have complete access to the information available on the victim’s network, which included all the details of the worldwide operations of the company (financial data, customer data, detailed shipping and manifest information).

To protect themselves from attacks, shipping and logistics companies install security certificates on the scanning terminals. However, in this case, such an action would be useless because the devices would come compromised straight from the manufacturer.

“Today’s threat actors are smarter than ever, morphing their attacks multiple times to achieve the goal of undermining existing security defenses. The next generation of security solutions must be just as adaptable to counter these modern threats,” said David Monahan, Research Director at Enterprise Management Associates, to TrapX.
Inventory Scanners Rigged with Malware for Shipping and Logistics Firms. Reviewed by Kepler.