An intrusion in December 2023 involved Zloader (SilentNight), with potential Citrix CVE-2023-4966 exploitation and Cobalt Strike payloads. The malware uses process injection, string encryption, direct syscalls, and registry/data exfiltration to deliver additional payloads. #Zloader #SilentNight #GrapheneMatrix #CobaltStrike #CitrixCVE4966 #PowerShell
Keypoints
- The December 2023 incident had visibility and logging challenges, complicating the identification of the initial access method.
- Possible initial access through Citrix exploitation, particularly CVE-2023-4966, noted amid rising Citrix-related incidents.
- Multiple Cobalt Strike payloads were dropped on a host, including obfuscated PowerShell (100_x64.ps1) and various EXE/DLL payloads.
- Zloader (aka SilentNight) targets banking data and checks that its process name is GrapheneMatrix.exe to avoid tampering or sandboxing.
- The malware uses advanced techniques such as process injection into msiexec.exe, direct syscalls, string encryption, and API hashing to hinder analysis.
- Loaded modules (e.g., Client64.dll, HttpGrabber.dll, SoftwareGrabber.dll, ftp64.dll, Vnc32/64.dll) support data extraction, exfiltration, and remote access capabilities.
- eSentire TRU is actively developing countermeasures, including NGAV/EDR detection, threat hunts, and endpoint detection rules.
MITRE Techniques
- [T1059.001] Command and Scripting Interpreter – “Use of obfuscated PowerShell script (100_x64.ps1)”
- [T1055] Process Injection – “Zloader injects its payload into ‘msiexec.exe’ via the NtAllocateVirtualMemory, NtWriteVirtualMemory and NtResumeThread API calls”
- [T1027] Obfuscated Files or Information – “Obfuscation of strings and API calls in Zloader”
- [T1562.001] API Function Hooking – “Zloader uses direct syscalls to avoid user-mode detection”
- [T1056.004] Input Capture – “Zloader delivers infostealers capable of capturing credentials”
- [T1573] Encrypted Channel – “Cobalt Strike uses encrypted communication with its command and control servers”
- [T1048.003] Exfiltration Over Alternative Protocol – “FTP-based exfiltration for data and payload delivery”
Indicators of Compromise
- [IP address] Command and control beacons to these IPs – 45.152.114.10, 225.197.198.102
- [Domain] Initial and follow-on domains used for payloads – theerealtruthnews[.]com, dns.newstibulum[.]com, newstibulum[.]com
- [File name] Dropper and payload components – 100_x64.ps1, Dns84.exe, Stotri.exe, Stotri.dll, GrapheneMatrix.exe
- [File hash] Module integrity for a key component – MD5: bbbc51064235f7a8dc30bfc8ecc59e00
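As an added defensive example (not code from the eSentire write-up), the following Python applies the indicators listed above, plus two behavioural heuristics drawn from the key points (a remote thread created into msiexec.exe by another process, and an encoded PowerShell command line), to a handful of constructed Sysmon-style events. The event field names, the sample events and the rule names are assumptions made for illustration; only the domain, IP, file-name and hash values come from the summary.

```python
"""
Added example, not from the eSentire write-up: a small detection pass that
matches the published indicators and two behavioural heuristics against
constructed Sysmon-style telemetry. Field names, sample events and rule
names are assumptions; only the indicator values come from the summary.
"""
import re
from typing import Dict, List

# Indicators taken verbatim from the summary (domains are defanged there).
IOC_DOMAINS = {"theerealtruthnews[.]com", "dns.newstibulum[.]com", "newstibulum[.]com"}
IOC_IPS = {"45.152.114.10", "225.197.198.102"}
IOC_FILENAMES = {"100_x64.ps1", "dns84.exe", "stotri.exe", "stotri.dll", "graphenematrix.exe"}
IOC_MD5 = {"bbbc51064235f7a8dc30bfc8ecc59e00"}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return domain.replace("[.]", ".").lower()


REFANGED_DOMAINS = {refang(d) for d in IOC_DOMAINS}


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased for matching."""
    return re.split(r"[\\/]", path)[-1].lower()


def scan_event(event: Dict) -> List[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits: List[str] = []
    kind = event.get("kind")
    image = basename(event.get("image", ""))

    # Indicator matches: file name, hash, DNS query, destination IP.
    if image in IOC_FILENAMES:
        hits.append("ioc_filename")
    if event.get("md5", "").lower() in IOC_MD5:
        hits.append("ioc_hash")
    if kind == "dns" and event.get("query", "").lower() in REFANGED_DOMAINS:
        hits.append("ioc_domain")
    if kind == "network" and event.get("dest_ip") in IOC_IPS:
        hits.append("ioc_ip")

    # Heuristic (assumption): the summary says Zloader injects into msiexec.exe,
    # so a remote thread created in msiexec.exe from any other image is flagged.
    if kind == "remote_thread":
        target = basename(event.get("target_image", ""))
        if target == "msiexec.exe" and image != "msiexec.exe":
            hits.append("heuristic_msiexec_injection")

    # Heuristic (assumption): encoded PowerShell, in line with the obfuscated
    # 100_x64.ps1 stage. Matches -e, -ec, -enc and -encodedcommand switches.
    cmd = event.get("command_line", "").lower()
    if kind == "process" and "powershell" in image and re.search(
        r"\s-e(c|nc|ncodedcommand)?\s", f" {cmd} "
    ):
        hits.append("heuristic_encoded_powershell")
    return hits


def scan_events(events: List[Dict]) -> List[Dict]:
    """Run every rule over a batch of events; keep only events that alerted."""
    alerts = []
    for event in events:
        rules = scan_event(event)
        if rules:
            alerts.append({"id": event["id"], "rules": rules})
    return alerts


# Constructed sample telemetry (not real logs), loosely modelled on Sysmon
# process-create, DNS, CreateRemoteThread and network-connect events.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"id": 2, "kind": "process", "image": r"C:\Users\Public\GrapheneMatrix.exe",
     "md5": "bbbc51064235f7a8dc30bfc8ecc59e00", "command_line": "GrapheneMatrix.exe"},
    {"id": 3, "kind": "dns", "image": r"C:\Users\Public\GrapheneMatrix.exe",
     "query": "dns.newstibulum.com"},
    {"id": 4, "kind": "remote_thread", "image": r"C:\Users\Public\GrapheneMatrix.exe",
     "target_image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 5, "kind": "network", "image": r"C:\Windows\System32\msiexec.exe",
     "dest_ip": "45.152.114.10", "dest_port": 443},
    {"id": 6, "kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
    {"id": 7, "kind": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.example.org"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The indicator rules are exact matches and will age quickly; the two heuristics are the part worth keeping, since they describe the behaviour (a foreign process creating a thread in msiexec.exe, an encoded PowerShell launch) rather than the specific file names and infrastructure of this one intrusion.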
Read more: https://www.esentire.com/blog/the-intrusion-case-involving-zloader