Unidentified PowerShell Backdoor Linked to Emerging Zloader Threat

Researchers uncovered a new Zloader/SilentNight variant that ships with a previously unknown PowerShell backdoor and a VBScript downloader, potentially deployed alongside Zloader and linked to BlackBasta. CISA attributes the variant to BlackBasta and notes reconnaissance-capable activity intended to deploy additional malware. #Zloader #SilentNight #BlackBasta #PowerShell #VBSDownloader #AgilDotNet #CISA

Key points

  • A new variant of Zloader/SilentNight was discovered, featuring a PowerShell backdoor and a VBScript downloader.
  • The PowerShell backdoor enables reconnaissance activity and the deployment of additional malware samples, including Zloader.
  • CISA links the new Zloader variant to BlackBasta.
  • Samples include packed .NET binaries, which were unpacked with AgilDotNet.
  • The PowerShell script uses hardcoded filenames and performs a series of checks; on failure it uninstalls previously installed data, and on success it sets up the install paths, the VBScript downloader, and scheduled tasks.
  • Obfuscated sections resemble JSF**k adapted to PowerShell and carry anti-VM checks and data-gathering functionality.
  • IOCs include SHA-256 hashes of the malware samples and related indicators such as compromised domains and C2 traffic patterns.

MITRE Techniques

  • [T1071] Command and Control – Utilizes HTTP for command and control communication.
  • [T1059] Execution – Employs PowerShell scripts for execution of commands.
  • [T1547] Persistence – Creates scheduled tasks to maintain persistence.
  • [T1003] Credential Access – Attempts to gather user credentials and system information.
  • [T1119] Data Collection – Collects system information and installed programs.

Indicators of Compromise

  • [SHA-256] Malware sample hashes – 66a69d992a82681ee1d971cc2b810dd4b58c3cfd8b4506b3d62fe1e7421fb90b, b513c6940ed32766e1ac544fc547b1cb53bc95eced5b5bcc140d7c6dce377afb, and 2 more hashes
  • [Domain] Compromised/C2 domains – msfw.store, mamore.live, and 6 more domains
  • [HTTP Authorization header] Bearer token seen in C2 traffic – Bearer 56e620b9e45120dfd1c534aee0b10c9eb3fc3948e7564cda3313a2ed456706e8
  • [File name] Hardcoded filenames used by the script – Uninstall_Ahl.exe, Uninstall_Ahl.vbs

Read more: https://medium.com/walmartglobaltech/unknown-powershell-backdoor-with-ties-to-new-zloader-88ca51d38850