Detection Content: Malspam Downloads Zloader Malware

Zloader Trojan (also known as Zeus Sphinx and Terdot) was initially spotted in August 2015. It is based on the leaked source code of the Zeus v2 Trojan, and cybercriminals have used it in attacks on financial organizations around the globe, stealing sensitive data through web injections. In early 2018 the banking Trojan faded from active use, but in December 2019 attackers started using it again, and researchers have since identified 25 new versions of Zloader.

Researchers at Proofpoint have spotted more than 100 campaigns since January 2020 targeting users in the United States, Canada, Germany, Poland, and Australia. The adversaries use a variety of fraudulent email lures, but over the last two months they have favored COVID-19 scam prevention tips, COVID-19 testing, and invoices. The new version of the Trojan is less sophisticated than its predecessor: code obfuscation and string encryption are missing, along with several other advanced features the Trojan had in 2018. A recently released community Sigma rule by Emir Erdogan helps your security solution detect Zloader activity in Sysmon logs: https://tdm.socprime.com/tdm/info/5cHnCBKKeran/JIz1O3IB1-hfOQiruE6_/?p=1


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint


MITRE ATT&CK: 

Tactics: Defense Evasion, Discovery

Techniques: Modify Registry (T1112), Query Registry (T1012)
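To show how a Sysmon-based Sigma rule of this kind is actually evaluated, here is an added example; it is not the community rule linked above and not SOC Prime's or the rule author's code. It is a minimal Sigma-style matcher run over constructed Sysmon registry events (Event ID 12/13). The rule body (Run-key persistence written by an Office application or rundll32, with a benign-Office filter), the event contents and every path in them are assumptions made for illustration of the Modify Registry (T1112) mapping; none of them are Zloader indicators.

```python
from typing import Any, Dict, List

# Constructed sample events in the flat field form a SIEM presents after ingesting
# Sysmon (EventID 13 = RegistryEvent value set, EventID 12 = key create/delete).
# All paths and values are made up for this example.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 0: Excel writes a Run-key value that launches rundll32 -> should alert
    {"EventID": 13,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,DllRegisterServer"},
    # 1: a vendor installer writes a Run key -> Image not in selection, no alert
    {"EventID": 13,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    # 2: rundll32 writes a RunOnce value -> should alert
    {"EventID": 13,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\x",
     "Details": r"C:\Users\alice\AppData\Roaming\x.dll"},
    # 3: Excel creates a key under its own settings -> not a Run key, no alert
    {"EventID": 12,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Security"},
    # 4: Excel writes a Run value pointing at an Office binary -> removed by the filter
    {"EventID": 13,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Outlook",
     "Details": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
]

# Assumed, illustrative rule laid out like the YAML of a Sigma rule. It is NOT the
# community rule referenced on this page; it only demonstrates T1112-style matching.
ASSUMED_RULE: Dict[str, Any] = {
    "title": "Run key persistence written by Office application or rundll32 (illustrative)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {
            "EventID": [12, 13],
            "Image|endswith": ["\\excel.exe", "\\winword.exe", "\\rundll32.exe"],
            "TargetObject|contains": ["\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\"],
        },
        "filter": {
            "Details|contains": "\\Microsoft Office\\",
        },
        "condition": "selection and not filter",
    },
}


def _field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """One 'field|modifier: value(s)' entry. Sigma string matching is case-insensitive
    by default and a list of values means OR."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    patterns = expected if isinstance(expected, list) else [expected]
    for pattern in patterns:
        p = str(pattern).lower()
        if modifier == "" and actual == p:
            return True
        if modifier == "contains" and p in actual:
            return True
        if modifier == "startswith" and actual.startswith(p):
            return True
        if modifier == "endswith" and actual.endswith(p):
            return True
    return False


def _block_matches(event: Dict[str, Any], block: Dict[str, Any]) -> bool:
    """A Sigma map: every key in the block must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def evaluate(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate the rule's condition for one event. Only the two condition shapes
    used in this example are supported; anything else raises."""
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return _block_matches(event, det["selection"])
    if cond == "selection and not filter":
        return _block_matches(event, det["selection"]) and not _block_matches(event, det["filter"])
    raise ValueError(f"unsupported condition: {cond}")


def run(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[int]:
    """Return the indexes of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


if __name__ == "__main__":
    for i in run(ASSUMED_RULE, SAMPLE_EVENTS):
        hit = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {hit['Image']} -> {hit['TargetObject']}")
```

Running it alerts on events 0 and 2 only: the vendor installer fails the `Image` selection, the Excel settings key is not under a Run key, and the Office-to-Office Run value is dropped by the `filter` block, which is the `selection and not filter` pattern most Sysmon registry rules rely on to keep false positives down.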


More rules to detect this malware:

XLS Document Downloads Zloader DLL by Emir Erdogan – https://tdm.socprime.com/tdm/info/U1w6N3V5W0qp/gIuyY3EB1-hfOQirb7GH/

Zloader RAT detection by Ariel Millahuel – https://tdm.socprime.com/tdm/info/Q9ZPnPI9b4Wp/issm7XABTfY1LRoX-JWS/

Terdot Trojan by Ariel Millahuel – https://tdm.socprime.com/tdm/info/1qk1Yy70eMpg/NQkXu3EBAq_xcQY4296O/