This post covers the rootkit module of the ZxShell RAT used by Emissary Panda (APT27), of which a relatively recent sample is available.
This rootkit is very simple; it does not employ any uber-fancy methods. The driver is named “autochk.sys”, which is why we’ll call it the autochk rootkit.
The rootkit implements two functionalities:
File Redirection – Redirects opens of the malicious files to benign files: if you call CreateFile() on one of the malicious files, you get a handle to a benign file instead.
Network Connection Hiding – Hides the malware’s network connections from tools like netstat.
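Connection hiding of this kind is detectable with a cross-view comparison. The following is an added example, not code from the original analysis: it parses `netstat -ano` output from the host and diffs it against a trusted view of the same socket table, assumed to come from a source the driver cannot filter (for example a network-side capture) and to be rendered in the same row format; every sample line below is constructed.

```python
import re
from typing import NamedTuple

class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    pid: int

# Matches the active-connection rows of `netstat -ano`; the State column is absent for UDP rows.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text: str) -> set[Conn]:
    """Parse netstat-style rows into a set of connections; header and blank lines are skipped."""
    conns = set()
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, local, remote, _state, pid = m.groups()
            conns.add(Conn(proto, local, remote, int(pid)))
    return conns

def hidden_connections(userland_view: str, trusted_view: str) -> set[Conn]:
    """Cross-view check: anything in the trusted view but missing from the host's
    own netstat output is being concealed from the host's user-mode tooling."""
    return parse_netstat(trusted_view) - parse_netstat(userland_view)

# Constructed sample data (not captured from a real host).
NETSTAT_ON_HOST = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    1288
"""

# Same socket table as seen from the assumed trusted source; one extra TCP session appears.
TRUSTED_VIEW = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4120
  TCP    192.168.1.10:50211     198.51.100.23:8080     ESTABLISHED     3364
  UDP    0.0.0.0:5353           *:*                                    1288
"""

if __name__ == "__main__":
    for c in sorted(hidden_connections(NETSTAT_ON_HOST, TRUSTED_VIEW)):
        print(f"hidden from netstat: {c.proto} {c.local} -> {c.remote} pid={c.pid}")
```

On a live host the trusted view would be collected out-of-band rather than from the same possibly hooked API; the diff logic is unchanged.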