The campaign was revealed on Thursday, the same day that US secretary of state John Kerry, visiting China, condemned the country's cyber attacks for having a “chilling effect” on innovation and investment.
In its report on the zero-day, TrapX said weaponised malware was pre-installed on handheld scanners and software at a Chinese supplier's factory, then sent to seven shipping and logistics firms and one manufacturing company, in order to infiltrate their corporate ERP servers and steal financial data.
The “highly sophisticated” malware was embedded in the Windows XP operating system installed on the scanner and also on the Chinese manufacturer's support website.
TrapX said the handheld scanner in question is used by “many shipping and logistic companies around the world” to check items being loaded on and off vehicles such as ships, trucks or planes.
In the attack that first alerted TrapX to Zombie Zero, as soon as the victim used the scanner to send data via an exterior wireless network to its main server, the malware attacked the corporate network, targeting any servers that had the word ‘finance’ in their host name.
“The attack successfully located the ERP financial server via automated means and compromised it,” TrapX said. “Exfiltration of all financial data and ERP data was achieved, providing the attacker complete situational awareness and visibility into the logistic/shipping company's worldwide operations.”
The malware successfully bypassed the victim company's firewall, IPS, IDS and mail-gateway security. TrapX also warned: “The customer installed security certificates on the scanner devices for network authentication. But because APT malware from the manufacturer was already installed in the devices, the certificates were completely compromised.”
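The two points above, that the malware hunted for hosts with ‘finance’ in their names and that device certificates gave no protection because the scanner's own software was already compromised, suggest a detection that looks at what the scanner segment does rather than at whether it authenticates. The following script is an added example and is not TrapX's code or anything from the report; the DNS log format, the scanner subnet `10.50.0.0/24`, the allow-listed ingestion host `wms-ingest.corp.example` and the sample log lines are all constructed for illustration.

```python
"""
Added example (not from the TrapX report): flag handheld-scanner hosts in
their own network segment that resolve internal names outside the one
endpoint they are expected to use, and raise the severity when the name
contains 'finance'. All addresses, hostnames and log lines are constructed.
"""
import ipaddress

# Assumption: scanners sit in a dedicated wireless segment and only ever
# need to reach the warehouse ingestion endpoint.
SCANNER_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_DESTINATIONS = {"wms-ingest.corp.example"}
SUSPICIOUS_KEYWORD = "finance"

# Constructed DNS query log, one "<timestamp> <client_ip> <queried_name>" per line.
SAMPLE_DNS_LOG = """\
2014-07-10T08:01:02 10.50.0.17 wms-ingest.corp.example
2014-07-10T08:01:09 10.50.0.17 finance-erp01.corp.example
2014-07-10T08:01:10 10.50.0.17 FINANCE-DB.corp.example
2014-07-10T08:01:12 10.50.0.17 print-srv03.corp.example
2014-07-10T08:02:33 10.50.0.23 wms-ingest.corp.example
2014-07-10T08:03:41 10.20.1.5 finance-erp01.corp.example
"""


def parse_dns_log(text):
    """Yield (timestamp, client_ip, name) tuples; names are lower-cased."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, name = line.split()
        yield ts, ipaddress.ip_address(client), name.lower()


def find_scanner_anomalies(text):
    """Return a list of alerts for scanner-segment hosts resolving names
    outside the allow-list. Severity is 'high' when the name contains the
    keyword the malware was reported to hunt for, else 'medium'.
    Lookups from outside the scanner segment are ignored: finance staff
    resolving finance hosts is normal traffic."""
    alerts = []
    for ts, client, name in parse_dns_log(text):
        if client not in SCANNER_SEGMENT or name in ALLOWED_DESTINATIONS:
            continue
        alerts.append({
            "time": ts,
            "scanner": str(client),
            "name": name,
            "severity": "high" if SUSPICIOUS_KEYWORD in name else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in find_scanner_anomalies(SAMPLE_DNS_LOG):
        print(f"[{a['severity'].upper()}] {a['time']} scanner {a['scanner']} resolved {a['name']}")
```

The check deliberately ignores the device's certificate status: a certificate proves which scanner is talking, not that the firmware on it is trustworthy, so a pre-infected device authenticates perfectly and still scans the network. Behavioural monitoring of the segment, combined with restricting it to the single endpoint it needs, is what would have surfaced this traffic.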
The company in question had 48 scanners from the Chinese supplier, 16 of which were infected with the malware.
TrapX suspects Zombie Zero is a Chinese ‘nation state’ malware campaign because its command-and-control server is located at the Lanxiang Vocational School, within the China Unicom Shandong province network.
TrapX says the Lanxiang School was implicated in the Operation AURORA attacks against Google two years ago which were linked to the Chinese People's Liberation Army. The Chinese scanner manufacturer is also located a few streets away from the Lanxiang School.
Zombie Zero is the latest in a series of suspected Chinese attacks on commercial and political targets in the West, and has emerged at the same time as John Kerry was meeting the Chinese president and vice premier, declaring: "Instances of cyber theft have harmed our business and threatened our nation's competitiveness."