OverWatch tracked a widespread intrusion campaign that used bundled .msi installers masquerading as legitimate software to download and execute NIGHT SPIDER’s Zloader trojan (and in some cases, Cobalt Strike). The defenders focused on anomalous behavior, low-prevalence indicators, and timing to rapidly detect and alert affected customers. #NIGHTSPIDER #Zloader #OverWatch #CrowdStrike #CobaltStrike
Keypoints
- Adversaries used bundled .msi installers masquerading as legitimate apps (Zoom, Atera, NetSupport Manager, Brave Browser, JavaPlugin, TeamViewer) to deploy malicious scripts and download Zloader.
- PowerShell and Windows-native utilities (including Mshta) were used to beacon, download payloads, and evade defenses.
- Defenses were targeted with AMSI bypass attempts via PowerShell, and adminpriv.exe was used to run reg add against security-related registry values, including a Windows Defender policy key.
- MSIEXEC was used in an unusual manner to manipulate registry entries, suggesting process abuse.
- A script (Sleeper.vbs) introduced a sleep delay and invoked gpg2.exe to decrypt an encrypted payload (zoom.dll.gpg) into zoom.dll under the user's AppData\Roaming directory.
- In some instances the campaign also deployed Cobalt Strike alongside Zloader.
- Three pillars—Behavior, Prevalence, and Timing—were central to OverWatch’s rapid assessment and early warning to victim organizations.
MITRE Techniques
- [T1036] Masquerading – The .msi installers posed as Zoom, Atera, NetSupport, Brave Browser, JavaPlugin and TeamViewer installers while bundling scripts that performed automated reconnaissance and fetched Zloader. “The initial installers were masquerading as legitimate Zoom, Atera, NetSupport, Brave Browser, JavaPlugin and TeamViewer installers, but the programs were also packaged with malicious scripts and payloads to perform automated reconnaissance and download the Zloader trojan”
- [T1059.001] PowerShell – cmd.exe or wscript.exe invoked PowerShell to beacon out and retrieve a payload. “The Microsoft Windows command or wscript utility used PowerShell to beacon to the internet and remotely download a payload.”
- [T1105] Ingress Tool Transfer – The bundled scripts pulled further payloads from remote hosts onto the victim. “remotely download additional malicious payloads”
- [T1218.005] Mshta – Scripts ran the native mshta.exe (or PowerShell) to tamper with Windows Defender. “The scripts used the Windows-native Mshta utility or PowerShell to impair Windows Defender.”
- [T1562.001] Impair Defenses – PowerShell was used to try to bypass AMSI. “The scripts used PowerShell in an attempt to bypass Microsoft’s AntiMalware Scan Interface (AMSI).”
- [T1112] Modify Registry – adminpriv.exe was used to run reg add against registry values (the Windows Defender policy key is listed under Indicators of Compromise). “The adminpriv.exe utility was used in an attempt to manipulate registry values.”
- [T1112] Modify Registry – msiexec.exe itself was observed changing registry entries in a way that points to process abuse. “MSIEXEC was used in an unusual manner to manipulate registry entries that would suggest process abuse.”
- [T1140] Deobfuscate/Decode Files or Information – A script invoked gpg2.exe to decrypt the encrypted payload zoom.dll.gpg. “…R C:\…\GNU\GnuPG\gpg2.exe … -d C:\Users\[REDACTED]\AppData\Roaming\zoom.dll.gpg”
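As an added example (not code from the CrowdStrike write-up), the Python script below turns the behaviours in the Keypoints and the MITRE list above into hunting rules over process-creation telemetry and scores each host on the three pillars OverWatch names: Behavior (rule hits), Prevalence (how many hosts in the fleet ran the binary) and Timing (how tightly the hits cluster). The event records are constructed Sysmon-style samples; the host names, user names, timestamps, the exact process tree (msiexec -> Launcher.exe -> wscript -> mshta -> powershell), the gpg2 options and the Windows Defender registry value name are all assumptions for illustration, not observations from the campaign.

```python
"""Hunt the Zloader installer chain in process-creation telemetry and score hosts
on Behaviour (rule hits), Prevalence (fleet-wide rarity) and Timing (clustering).
Added example, not CrowdStrike/OverWatch code; all sample data below is made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ROAM = r"C:\Users\User\AppData\Roaming"

# Constructed Sysmon EID 1-style events. Hosts, users, timestamps, the process tree
# (msiexec -> Launcher.exe -> wscript -> mshta -> powershell), the gpg2 options and
# the Defender value name are assumptions for illustration, not campaign observations.
EVENTS = [
    {"ts": "2022-03-01T09:00:00", "host": "WS-017", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\User\Downloads\ZoomInstaller.msi" /qn'},
    {"ts": "2022-03-01T09:00:03", "host": "WS-017", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": ROAM + r"\Launcher.exe", "cmdline": "Launcher.exe"},
    {"ts": "2022-03-01T09:00:05", "host": "WS-017", "parent": ROAM + r"\Launcher.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": "wscript.exe " + ROAM + r"\Sleeper.vbs"},
    {"ts": "2022-03-01T09:01:10", "host": "WS-017", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe " + ROAM + r"\update.hta"},
    {"ts": "2022-03-01T09:01:12", "host": "WS-017", "parent": r"C:\Windows\System32\mshta.exe",
     "image": PS, "cmdline": "powershell.exe -nop -w hidden -c \"[Ref].Assembly.GetType("
                             "'System.Management.Automation.AmsiUtils').GetField('amsiInitFailed')\""},
    {"ts": "2022-03-01T09:01:20", "host": "WS-017", "parent": PS, "image": ROAM + r"\adminpriv.exe",
     "cmdline": r'adminpriv.exe -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender'
                r'\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f'},
    {"ts": "2022-03-01T09:01:25", "host": "WS-017", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Program Files (x86)\GNU\GnuPG\gpg2.exe",
     "cmdline": "gpg2.exe --batch -d " + ROAM + r"\zoom.dll.gpg"},
    # Benign noise on other hosts: a genuine installer and routine PowerShell.
    {"ts": "2022-03-01T10:15:00", "host": "WS-002", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r'msiexec.exe /i "C:\Users\Alice\Downloads\Zoom.msi"'},
    {"ts": "2022-03-01T10:20:00", "host": "WS-002", "parent": r"C:\Windows\explorer.exe",
     "image": PS, "cmdline": "powershell.exe -c Get-Service -Name Spooler"},
    {"ts": "2022-03-01T11:05:00", "host": "WS-003", "parent": r"C:\Windows\System32\cmd.exe",
     "image": PS, "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

AMSI_RE = re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer", re.I)
DEFENDER_REG_RE = re.compile(r'reg\s+add\s+"?HKLM\\Software\\Policies\\Microsoft\\Windows Defender', re.I)
GPG_DECRYPT_RE = re.compile(r"\s-d\s+\S*\\AppData\\Roaming\\\S+\.gpg", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}

# Behaviour rules: (name, ATT&CK ID, predicate). T1218.007 is ATT&CK's msiexec
# proxy-execution sub-technique; the remaining IDs follow the mapping above.
RULES = [
    ("msiexec spawned a script host or a binary under AppData", "T1218.007",
     lambda e: _base(e["parent"]) == "msiexec.exe"
     and (_base(e["image"]) in SCRIPT_HOSTS or "\\appdata\\" in e["image"].lower())),
    ("mshta launched from a script host", "T1218.005",
     lambda e: _base(e["image"]) == "mshta.exe" and _base(e["parent"]) in SCRIPT_HOSTS),
    ("PowerShell command line carries AMSI bypass strings", "T1562.001",
     lambda e: _base(e["image"]) == "powershell.exe" and bool(AMSI_RE.search(e["cmdline"]))),
    ("reg add against the Windows Defender policy key", "T1112",
     lambda e: bool(DEFENDER_REG_RE.search(e["cmdline"]))),
    ("gpg decrypting a .gpg payload under AppData\\Roaming", "T1140",
     lambda e: _base(e["image"]) in {"gpg.exe", "gpg2.exe"} and bool(GPG_DECRYPT_RE.search(e["cmdline"]))),
]

def hunt(events, window=timedelta(minutes=10), rare_max_hosts=1):
    """Return {host: report} for hosts with rule hits. rare_max_hosts=1 suits this
    three-host sample; a real fleet would use a fraction of all endpoints."""
    hosts_per_image = defaultdict(set)   # Prevalence: which hosts ran each binary name
    by_host = defaultdict(list)
    for e in events:
        hosts_per_image[_base(e["image"])].add(e["host"])
        by_host[e["host"]].append(e)
    reports = {}
    for host, evs in by_host.items():
        hits = [(datetime.fromisoformat(e["ts"]), tid, name, _base(e["image"]))
                for e in sorted(evs, key=lambda x: x["ts"])
                for name, tid, pred in RULES if pred(e)]
        if not hits:
            continue
        span = hits[-1][0] - hits[0][0]  # Timing: first to last hit on this host
        techniques = sorted({tid for _, tid, _, _ in hits})
        rare = sorted({img for *_, img in hits if len(hosts_per_image[img]) <= rare_max_hosts})
        # One point per distinct technique and per rare binary, two more if it all
        # happened inside the window: a crude stand-in for the three pillars.
        score = len(techniques) + len(rare) + (2 if len(hits) > 1 and span <= window else 0)
        reports[host] = {"score": score, "techniques": techniques, "rare_images": rare,
                         "span_seconds": int(span.total_seconds()),
                         "rules": [name for _, _, name, _ in hits]}
    return reports

def verdict(report, escalate_at=6):
    """Escalate only when several techniques, rare binaries and tight timing coincide."""
    return "escalate" if report["score"] >= escalate_at else "review"

if __name__ == "__main__":
    for host, rep in hunt(EVENTS).items():
        print(host, verdict(rep), rep)
```

Run it as a plain script; only the sample victim host is reported, with five techniques, four binaries seen nowhere else in the sample fleet and the whole chain inside 82 seconds. The rule predicates are the place to map your EDR's field names, and the prevalence threshold is deliberately a parameter: the rarity of launcher.exe, adminpriv.exe and gpg2.exe carries most of the signal, while powershell.exe alone is common everywhere and only scores through its AMSI-bypass command line.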
Indicators of Compromise
- [Process] Launcher.exe – Process that executed the malicious scripts and downloaded additional payloads.
- [File] zoom.dll.gpg / zoom.dll – Encrypted payload and the decrypted DLL it yields, dropped under the user's AppData\Roaming directory.
- [File] Sleeper.vbs – Script that introduced a sleep delay before the payload was decrypted.
- [File] adminpriv.exe – Utility used to run reg add against registry values (“adminpriv.exe -U:T … reg add …”).
- [File] gpg2.exe – GnuPG binary used to decrypt the payload (“… GNU\GnuPG\gpg2.exe … -d …”).
- [File] mshta.exe – Windows-native utility (“Mshta”) used for defense evasion.
- [Registry] HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration – Windows Defender policy key targeted by the registry modification attempt (reg add “HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration”).
- [Directory/Path] C:\Users\[User]\AppData\Roaming – Staging directory for the encrypted payload and its decrypted output (“C:\Users\[User]\AppData\Roaming\…”).
- [MSI] .msi – Bundled installers masquerading as legitimate software and carrying the malicious payloads.
- [File/Executable] Zoom, Atera, NetSupport Manager, Brave Browser, JavaPlugin, TeamViewer – Legitimate products impersonated by the installers as lures.
Read more: https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/