NIGHT SPIDER’s Zloader trojan has been quietly operating for the last few months at a global scale, conducting an intrusion campaign on a number of enterprises in various industries.

The primary way to install malware was hidden within the legitimate software. For leveraging initial access, attackers used bundled .msi installers. The payloads were aimed at reconnaissance. Despite using the known techniques, the more precise technical specifications of malicious scripts have been renewed again. SOC Prime’s content developers have immediately studied the new malware strains developed by NIGHT SPIDER and created detection rules that identify adversaries’ activity as early as possible.

NIGHT SPIDER Zloader Campaign

The new Sigma-based rule provided by our Threat Bounty developer Sittikorn Sangrattanapitak detects suspicious Night Spider activity for the use of adminpriv.exe utility attempting to manipulate registry values, which has been the adversary behavior pattern during the Zloader Campaign in March 2022.

NIGHT SPIDER Zloader Campaign use adminpriv Manipulate Registry Values (via process creation)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, LimaCharlie, Sumo Logic, ArcSight, QRadar, Humio, SentinelOne, Microsoft Defender for Endpoint, CrowdStrike, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix, AWS OpenSearch.

NIGHT SPIDER Zloader Campaign use adminpriv Manipulate Registry Values (via process creation)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, LimaCharlie, Sumo Logic, ArcSight, QRadar, Humio, SentinelOne, Microsoft Defender for Endpoint, CrowdStrike, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix, AWS OpenSearch.

The rules are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Command and Scripting Interpreter technique.

Additionally, you can check the full list of rules aimed at Zloader Trojan detection that are currently available in the SOC Prime platform. Feel like you have enough expertise in the matter? Then you can share your own detection content with our global community of cyber professionals in the Threat Bounty Program and get recurring rewards for your input.

View Detections Join Threat Bounty

NIGHT SPIDER Zloader Analysis

According to the CrowdStrike inquiry, to execute NIGHT SPIDER’s Zloader trojan, the initial malware installers are pretending to be those using legitimate hashes of widely used software like Zoom, TeamViewer, JavaPlugin, or Brave Browser. Once they run, these installers download automated reconnaissance payloads via Zloader trojan, and in a number of cases, Cobalt Strike.

PowerShell commands were used by the wscript utility to initiate a remote download of the NIGHT SPIDER’s payload. These scripts also utilized PowerShell to evade Microsoft’s AntiMalware Scan Interface and Windows Defender. Next, adminpriv utility helped attackers to change registry values. The payload was decrypted by leveraging the legitimate software’s hash values.

Organizations are striving to detect NIGHT SPIDER’s Zloader trojan and likewise threats as early as possible to avoid significant damage to their systems and networks. Collaborative cyber defense is the fastest and most efficient option for SOC teams that want to stay aware of the most recent detection content without spending too much time and resources for research and development. Explore SOC Prime’s Detection as Code platform to access the highest-quality SIGMA rules along with translations to more than 20 vendor-specific SIEM, EDR, and XDR formats. Accurate and timely detection is key to organizing efficient SOC 24/7/365 while your engineers can take up more advanced tasks.