Technical Analysis of Zloader Updates

MITRE Techniques

• [T1059] Command and Scripting Interpreter – Zloader’s interactive shell allows execution of commands, deploying payloads and running shellcode (“interactive shell commands allow a threat actor to execute commands, deploy second-stage malware payloads, run shellcode”).
• [T1005] Data from Local System – Exfiltration capabilities are supported via the shell (“…as well as identify and terminate specific processes” and “exfiltrate data”).
• [T1105] Ingress Tool Transfer – Zloader supports deploying second-stage payloads via its interactive shell (“deploy second-stage malware payloads”).
• [T1078] Valid Accounts (credential use for LDAP) – LDAP functions used for network discovery and lateral movement indicate use of directory access and potential credential use (“ldap_bind_s authenticates and binds to the LDAP server”).
• [T1218] Signed Binary Proxy Execution (Indicator: filename checks) – Use of specific expected filenames and addition of Updater.exe/Updater.dll to control execution environments (“previously expected to be run with a specific hardcoded filename… two generic filenames are Updater.exe and Updater.dll”).
• [T1498] Network Denial of Service (evasion via protocol blending) – Use of WebSockets and blending with legitimate web traffic to evade detection (“introduced WebSockets… designed to further blend in with legitimate web-based traffic to bypass network-based detections”).
• [T1041] Exfiltration Over C2 Channel – Custom DNS tunneling and encrypted channels used to send/receive payloads and exfiltrate data (“Zloader DNS tunnel header… payloads use VisualEncrypt + RC4 + RSA”).
• [T1573] Encrypted Channel – Zloader uses custom Base32 + XOR encryption for DNS C2 and layered encryption (VisualEncrypt + RC4 + RSA) for payloads (“replaces TLS… with Base32 encoding layered on top of a custom encryption algorithm” and “payload is first encrypted using the Zeus VisualEncrypt algorithm, followed by RC4 and RSA”).