What is the Zegost Trojan Horse?

The Zegost Trojan Horse is malware that has been in circulation since approximately 2011. Its operators are known for their persistence and ingenuity, and Zegost uses a range of exploits and delivery tricks to establish, and keep, a connection between the infected machine and the attackers' infrastructure.

How does Zegost operate?

Zegost is built around systematic data collection. On a newly infected machine it first profiles the host, recording the operating system version, processor details and the list of running processes, and sends that profile to its command-and-control (C2) server. It then inspects active network connections, the configured RDP port number and any QQ messenger login details it can find, and relays those to the C2 server as well. Zegost also records keystrokes, so anything typed on the infected machine, including passwords and other sensitive data, is exposed.

Zegost evades detection on infected computers

To evade detection, Zegost clears the Application, Security and System event logs, removing the trail an investigator would normally start from; this, together with its ability to launch further processes, sets it apart from a typical infostealer. The Trojan can run its processes with either a visible or a hidden window, and it persists across reboots by registering itself as an automatically started service and by manipulating registry keys.
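A detection for the log-clearing behaviour just described, added here as an example (it is not Cyclonis's code and not taken from any Zegost sample): it runs over exported Windows event records and flags an account that clears several logs within a short window. The event IDs are the real ones the Windows Event Log service writes (1102 in the Security log when it is cleared, 104 in the System log when any other log is cleared); the record layout and the sample events are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Markers the Windows Event Log service writes when a log is cleared.
# Clearing Security produces event 1102 in the Security channel; clearing any
# other log (System, Application, ...) produces event 104 in the System channel.
# Both are written after the clear, so they survive as the first entry of the
# emptied log, which is what makes this detection possible.
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"
CLEAR_MARKERS = {("Security", 1102), ("System", 104)}
_CLEARED_RE = re.compile(r"The (\S+) log file was cleared")

# Constructed sample records (not real telemetry) in a simplified
# EVTX-to-JSON shape: timestamp, channel, provider, event ID, account, message.
SAMPLE_EVENTS = [
    {"ts": "2023-12-14T10:00:01", "channel": "System", "provider": "Service Control Manager",
     "event_id": 7036, "user": "SYSTEM", "detail": "The Print Spooler service entered the running state."},
    {"ts": "2023-12-14T10:05:10", "channel": "Security", "provider": EVENTLOG_PROVIDER,
     "event_id": 1102, "user": "WORKSTATION\\admin", "detail": "The audit log was cleared."},
    {"ts": "2023-12-14T10:05:11", "channel": "System", "provider": EVENTLOG_PROVIDER,
     "event_id": 104, "user": "WORKSTATION\\admin", "detail": "The System log file was cleared."},
    {"ts": "2023-12-14T10:05:12", "channel": "System", "provider": EVENTLOG_PROVIDER,
     "event_id": 104, "user": "WORKSTATION\\admin", "detail": "The Application log file was cleared."},
    {"ts": "2023-12-14T15:30:00", "channel": "System", "provider": EVENTLOG_PROVIDER,
     "event_id": 104, "user": "WORKSTATION\\helpdesk", "detail": "The Application log file was cleared."},
]


def is_log_clear(event):
    """True for the two clearing markers, and only when the Event Log service wrote them."""
    return (event["provider"] == EVENTLOG_PROVIDER
            and (event["channel"], event["event_id"]) in CLEAR_MARKERS)


def cleared_log_name(event):
    """Name of the log a marker refers to: Security for 1102, parsed from the message for 104."""
    if event["event_id"] == 1102:
        return "Security"
    match = _CLEARED_RE.search(event["detail"])
    return match.group(1) if match else "unknown"


def log_clear_events(events):
    """All clearing markers in the export, oldest first."""
    return sorted((e for e in events if is_log_clear(e)),
                  key=lambda e: datetime.fromisoformat(e["ts"]))


def find_mass_clearing(events, window_seconds=60, min_logs=2):
    """Alert when one account clears `min_logs` or more distinct logs within `window_seconds`.

    A single cleared log is often routine housekeeping; Security, System and
    Application wiped within seconds by the same account is the pattern the
    article attributes to Zegost and deserves an alert on its own.
    """
    clears = log_clear_events(events)
    window = timedelta(seconds=window_seconds)
    alerts, grouped = [], set()
    for i, first in enumerate(clears):
        if i in grouped:
            continue
        start = datetime.fromisoformat(first["ts"])
        group = [first]
        grouped.add(i)
        for j in range(i + 1, len(clears)):
            if j in grouped or clears[j]["user"] != first["user"]:
                continue
            if datetime.fromisoformat(clears[j]["ts"]) - start > window:
                break  # clears are sorted, so nothing later fits this window
            group.append(clears[j])
            grouped.add(j)
        logs = sorted({cleared_log_name(e) for e in group})
        if len(logs) >= min_logs:
            alerts.append({"user": first["user"], "start": first["ts"], "logs": logs})
    return alerts


if __name__ == "__main__":
    for alert in find_mass_clearing(SAMPLE_EVENTS):
        print(f"{alert['start']} {alert['user']} cleared {', '.join(alert['logs'])}")
```

On the sample data the admin account's three clears within two seconds produce one alert; the helpdesk account's single Application clear hours later does not, which is the intended trade-off between catching a wipe and paging on ordinary maintenance. Because the malware also clears the Security log, forward these markers to a central collector as they occur; a rule that only reads the local log after the fact inspects exactly the data Zegost has just erased.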

Over the years Zegost has also adopted COM programming, an uncommon choice in malware. Its spying capabilities extend to capturing video from the device's webcam, using a DirectShow capture filter to enumerate the available camera devices. Later versions additionally check whether they are running inside a sandbox, which further complicates automated analysis.

The consequences of a Zegost infection are serious. Its systematic data collection, from keystrokes to detailed system information, exposes credentials and other private data, and the webcam capture extends the intrusion into the victim's physical surroundings. Because the malware removes its traces and resists detection, it can stay resident for a long time, leaving the affected machine under the attackers' control and its user open to identity theft and further compromise.

Zegost typically infiltrates computers through targeted email attacks, indicating a deliberate and focused strategy by threat actors. In these attacks, the malware is often concealed within seemingly innocuous email attachments or links, exploiting the recipients' trust to gain access to their systems. Malvertising, where attackers inject malicious code into online advertisements, and social engineering schemes, such as fake software updates or fraudulent alerts, are additional methods employed to trick users into executing the malware.

How to avoid Zegost and remove it from your computer

To avoid the installation of malware like Zegost, users can enhance their computer's protection by maintaining updated and reputable antivirus software. Caution should be exercised when interacting with emails, avoiding clicking on suspicious links or downloading attachments from unknown sources. Users should only download software from official and trusted sources, steering clear of third-party websites that may harbor malicious content. Keeping the operating system and all installed software up to date with the latest security patches is equally important, as is avoiding interaction with suspicious ads and pop-ups.

If a computer is suspected of being infected, run a full scan with a trusted anti-malware program to locate and remove the malware. Because Zegost installs itself as an automatically started service and modifies registry keys, a cleanup should also include reviewing auto-start services and registry autorun entries, and because it clears the local event logs, any investigation should rely on centrally collected logs rather than on the machine's own.

December 14, 2023