ZLoader Loads Again: New ZLoader Variant Returns

guest · May 21, 2020

Silent Night Banking Trojan Charges Top Dollar on the Underground
May 21, 2020
https://threatpost.com/silent-night-banking-trojan/155981/

A descendant of the infamous Zeus banking trojan, dubbed Silent Night by the malware’s author, has emerged on the scene, with a host of functionalities available in a spendy malware-as-a-service (MaaS) model.

Custom builds can run as much as $4,000 per month to use, which researchers say is now placing the code out of the range of any but large cybercriminal groups looking to mount mass campaigns.

“The price tag is steep, especially for the Russian audience [to whom it is marketed], where 500 USD is an average rent for a small 1 bedroom apartment in the outskirts of Moscow,” Malwarebytes researchers said.
Silent Night is advertised with a host of features, according to a Thursday analysis from Malwarebytes.
Infection Routine Links to Terdot
Interestingly, Malwarebytes researchers found that there are several code overlaps with another Zeus variant known as Terdot [...]

“[...] We don’t have enough data to say if the author of Silent Night was previously involved in developing Terdot, or just got inspiration from it. What we can say is that not all similarities among those two come from the common ancestor, Zeus.”
Click to expand...

Attribution
Silent Night was announced on November 9 in a Russian-language underground forum, according to the analysis, being sold by a threat actor going by the handle “Axe.”
He also said that he went off of previous development experience with another banking trojan (likely one known as “Axebot,” according to Malwarebytes).

“The design of Silent Night is consistent and clean, the author’s experience shows throughout the code,” researchers wrote. “
Click to expand...

Malwarebytes: Shining a light on “Silent Night” Zloader/Zbot

guest · May 22, 2020

ZLoader banking malware is back, deployed in over 100 campaigns
May 22, 2020
https://www.bleepingcomputer.com/ne...lware-is-back-deployed-in-over-100-campaigns/

A banking malware called ZLoader, last seen in early 2018, has been spotted in more than 100 email campaigns since the beginning of the year.

The trojan is under active development with 25 versions seen in the wild since its comeback in December 2019, the latest one observed this month.
Lighter on advanced features
Researchers at Proofpoint note in a report today that the ZLoader distributed this way is different from the original variant observed between 2016 and 2018. They believe the new version is a fork of the previous one.
Multiple actors are currently spreading this strain in at least one malicious email campaign per day. They’re using PDF files that link to a Microsoft Word document laced with macro code that downloads and runs a version of the ZLoader.

The current variant lacks some advanced features seen in its predecessor. For instance, code obfuscation and string encryption are missing. Despite this, it still poses a significant threat.
Click to expand...

ZLoader is also known as Zeus Sphinx, Terdot, and DELoader. It is variant of the infamous Zeus used by a major theft ring to steal tens of millions of dollars before they were caught in 2010.
Back in the days, Zeus had a price tag between $3000 and $4000 and was the top malware used by criminals specializing in financial fraud.
Click to expand...

Proofpoint: ZLoader Loads Again: New ZLoader Variant Returns

ZLoader, a variant of the infamous Zeus banking malware, has been around since 2006. It is a typical banking malware that makes use of webinjects to steal credentials and other private information from users of targeted financial institutions. The malware can also steal passwords and cookies stored in victim’s web browsers.
Conclusion
This post has analyzed the latest Zeus banking malware variant and some of the campaigns we have seen spreading it. It uses typical banking malware functionality such as webinjects, password and cookie theft, and access to devices via VNC to steal credentials, personally identifiable information, and ultimately money from targets.
Click to expand...

Minimalist · May 23, 2020

Experts reported the existence of a botnet, tracked as Silent Night based on the Zeus banking Trojan that is available for sale in several underground forums.
Click to expand...

https://securityaffairs.co/wordpress/103662/malware/silent-night-botnet-underground.html

guest · Jul 14, 2021

New Zloader malware technique makes it harder to spot phishing emails
The novel distribution technique involves sending Word documents that may bypass conventional malware scanning
July 9, 2021
https://www.itpro.co.uk/security/ma...hrough-attachments-without-any-malicious-code

Hackers have been discovered using a new phishing technique that involves using a sequence of chained commands to hide malicious content and make email attachments appear harmless to filters.

The technique involves send a phishing email containing a seemingly innocuous Microsoft Word attachment, according to McAfee. Once opened, it triggers a chain of events that eventually downloads the payload for the infamous banking and data exfiltration malware, known as Zloader.
The fact that the document isn't embedded with any malicious code will make it easier for phishing emails to bypass initial checks and malware scanners.
Click to expand...

Once the macro is formed and ready, it modifies a RegKey to disable trust access for VBA on the victim’s device in order to execute the malicious function without any Microsoft Office warnings. After writing macro contents to the Excel file, and disabling trust access, a function from the newly written excel VBA is called which downloads the Zloader payload.

“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload,” McAfee’s researchers Kiran Raj and Kishan N wrote.
Click to expand...

McAfee: Zloader With a New Infection Technique

Threat Summary

The initial attack vector is a phishing email with a Microsoft Word document attachment.

Upon opening the document, a password-protected Microsoft Excel file is downloaded from a remote server.

The Word document Visual Basic for Applications (VBA) reads the cell contents of the downloaded XLS file and writes into the XLS VBA as macros.

Once the macros are written to the downloaded XLS file, the Word document sets the policy in the registry to Disable Excel Macro Warning and calls the malicious macro function dynamically from the Excel file,

This results in the downloading of the Zloader payload. The Zloader payload is then executed by rundll32.exe.

Click to expand...

guest · Jan 5, 2022

Microsoft code-sign check bypassed to drop Zloader malware
January 5, 2022

A new Zloader campaign exploits Microsoft's digital signature verification to deploy malware payloads and steal user credentials from thousands of victims from 111 countries.

The campaign orchestrated by a threat group known as MalSmoke appears to have started in November 2021, and it's still going strong, according to Check Point researchers who have spotted it.
Click to expand...

Abusing Atera remote management software
In the most recent campaign, tracked and analyzed by researchers at Check Point, the infection begins with delivering a "Java.msi" file that's a modified installer of Atera.
It is unclear how the threat actors tricked the victims into downloading the malicious file, but it could be through cracks found on pirated software resources or spear-phishing emails.
Dropping Zloader
The batch scripts included in the malicious installer perform some user-level checks to ensure they have admin privileges, add folder exclusions to Windows Defender, and disable tools such as "cmd.exe" and the task manager.
Click to expand...

Microsoft code-signing checks bypassed
Check Point analysts have confirmed that the appContast.dll, which executes the Zloader payload and the registry-editing script carries a valid code signature, so the OS essentially trusts it.

The analysts compared the modified DLL with the original one (Atera's) and found slight modifications in the checksum and the signature size.
These subtle changes aren't enough to revoke the validity of the e-signature, but at the same time, allow someone to append data onto the signature section of a file.
Click to expand...

Microsoft has known about this security gap since 2012 (CVE-2020-1599, CVE-2013-3900, and CVE-2012-0151) and has attempted to fix it by releasing increasingly stricter file verification policies. However, for some reason, these remain disabled by default.
You can find instructions on fixing this issue yourself by enabling stricter policies as detailed in this legacy advisory.

Alternatively, you may paste the lines below into Notepad, save the file with the .reg extension and run it. [...]
Click to expand...

Checkpoint Research: Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk

Last seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infection
chain. Previous Zloader campaigns, which were seen in 2020, used malicious documents, adult sites and Google ads to infect systems.
Evidence of the new campaign was first seen around early November 2021. The techniques incorporated in the infection chain include the use of legitimate remote
management software (RMM) to gain initial access to the target machine.

The malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defenses. This evidence shows that the Zloader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis.
Click to expand...

hawki · Apr 13, 2022

"Microsoft disrupts Zloader malware in global operation

A months-long global operation led by Microsoft's Digital Crimes Unit (DCU) has taken down dozens of domains used as command-and-control (C2) servers by the notorious ZLoader botnet.

The court order obtained by Microsoft allowed it to sinkhole 65 hardcoded domains used by the ZLoader cybercrime gang to control the botnet and another 319 domains registered using the domain generation algorithm used to create fallback and backup communication channels..."

https://www.bleepingcomputer.com/ne...disrupts-zloader-malware-in-global-operation/

Rasheed187 · Apr 24, 2022

mood said: ↑

Microsoft code-sign check bypassed to drop Zloader malware
January 5, 2022

Checkpoint Research: Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk
Click to expand...

These attacks using forged digital signatures are becoming a big problem and seems it's able to bypass Win Defender? That's why it's never a good idea to rely only on AV's, I keep saying this.

Log in or Sign up

ZLoader Loads Again: New ZLoader Variant Returns

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

hawki Registered Member

Rasheed187 Registered Member

Log in or Sign up

ZLoader Loads Again: New ZLoader Variant Returns

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

hawki Registered Member

Rasheed187 Registered Member

Useful Searches