Detecting Zloader Campaigns
Table of contents:
Notorious Zloader banking Trojan is back with a brand new attack routine and evasive capabilities. Latest Zloader campaigns leverage a new infection vector switching from spam and phishing to malicious Google ads. Furthermore, a sophisticated mechanism to disable Microsoft Defender modules helps Zloader to fly under the radar.
According to the researchers, the latest shift in capabilities allowed Zloader to benefit from the ransomware-as-a-service (RaaS) programs. On September 22, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) alerted about a significant increase in Conti ransomware infections, with Zloader infrastructure being used as a primary distribution channel.
What is Zloader Malware?
Zloader, also known as Tredot, is a malicious successor of the infamous Zeus banking Trojan operating in the wild since 2006. After Zeus source code was leaked in 2011, a batch of variants spread over the malicious arena, with Zloader being one of the most prolific samples.
Initially, the malware acted as a fully functional banking malware, targeting financial organizations across Australia, Europe, North and South America. The info stealing capabilities were powered by web injections and social engineering tricks to harvest login credentials and other sensitive information from unsuspecting victims.
Zloader evolved over time to act as a multipurpose dropper enhanced with backdoor and remote access capabilities. During the last years multiple malicious campaigns were observed to deliver such samples as Cobalt Strike, DarkSide, Ryuk, Egregor, and Conti. Consequently, Trojan earned a strong reputation among ransomware affiliates and other hacking collectives as a malware dropper.
Zloader Infection Chain and Evasive Capabilities
A recent inquiry by SentinelLabs details the new attack routine adopted by Zloader maintainers. Particularly, threat actors step aside from traditional spam and phishing in favor of malicious Google ads. Researchers spot Microsoft’s TeamViewer, Zoom, and Discord lures being used to push Zloader.
Microsoft also points to this new Zloader trend detailing that malicious Google ads link victims to fraudulent web pages that allegedly host legitimate software. However, these websites push malicious MSI installers that deliver ZLoader payloads to victims. Such installers leverage backdoored binaries and a set of LOLBAS to overcome the protections.
To add legitimacy to the malicious code, Zloader operators registered a fraudulent company to cryptographically sign the installers. Starting from August 2021, SentinelLabs researchers observe binaries signed with a valid certificate produced by Flyintellect Inc, a software company located in Canada.
In addition to the novel delivery methods, Zloader incorporated a mechanism to disable Microsoft Defender Antivirus (formerly known as Windows Defender). Particularly, the new Zloader payload execution chain includes several stages. MSI installer acts as a first-stage dropper that creates a dedicated directory to drop a .BAT file. Further, this file is launched with the help of Windows cmd.exe function to download a second-stage downloader. This loader initiates the third stage pushing the “updatescript.bat.” script that disables Microsoft Defender routines and hides the malware from antivirus. Simultaneously, it downloads the fourth stage dropper in a form of “tim.exe” that finally loads the Zloader DLL as “tim.dll.”
It is worth noting that the new infection chain relies on a complex infrastructure to proceed with the attacks. Particularly, threat actors use the Tim botnet that incorporates over 350 different web domains registered during April-August 2021.
Zloader Detection
All the innovations to the Zloader infrastructure and attack routine point to the growing sophistication of the malware capabilities, with particular emphasis on stealthy infections. To detect possible attacks against your company infrastructure, you can download a set of Sigma rules developed by our Threat Bounty developers.
Microsoft 365 Defender Hunting Queries ZLoader Campaigns
Hunting New Zloader Infection Chain by Modifying the Exclusion of Windows Defender AV
ZLoader Botnet Persistence Detection
The full list of detections available in Threat Detection Marketplace repository of the SOC Prime platform is available here.
Register to the SOC Prime platform to make threat detection easier, faster, and simpler. Instantly hunt for the latest threats within 20+ supported SIEM & XDR technologies, automate threat investigation, and get feedback and vetting by 20,000+ community of security professionals to boost your security operations. Eager to craft your own detection content? Join our Threat Bounty program, share your Sigma and Yara rules in the Threat Detection Marketplace repository, and get recurrent rewards for your individual contribution!