K7 Labs analyzed a new Zloader variant that enforces execution only when named IonPulse.exe and uses ntdll copying, syscall usage, and process injection into msiexec.exe to run its payload and connect to C2. The sample performs API hashing/dynamic resolution, maps a copied ntdll into memory, employs NtWriteVirtualMemory/NtCreateUserProcess syscalls for RunPE-style injection, and persists via the Run registry. #Zloader #IonPulse.exe

Keypoints

  • Zloader variant requires the filename to be IonPulse.exe before executing.
  • The binary uses API hashing and minimal imports to hinder static analysis.
  • It opens and reads ntdll.dll (via CreateFileA/ReadFile), copies it into allocated memory, and adjusts protections with VirtualProtect.
  • Adversaries prepare process parameters (RtlInitUnicodeString / RtlCreateProcessParametersEx) and invoke NtCreateUserProcess via syscall to launch msiexec.exe.
  • Payload is written into msiexec.exe using NtWriteVirtualMemory syscall, memory protections are set to execute, and thread context APIs (NtGetContextThread / NtSetContextThread / NtResumeThread) are used to hijack execution.
  • Wininet.dll and ws2_32.dll are loaded to enable C2 communication; a self-copy is placed in %AppData%Roaming and persistence is added via the Run registry.

MITRE Techniques

  • [T1036.005] Match Legitimate Name or Location – Ensures execution only with a specific filename (‘only runs with the filename “IonPulse.exe”’).
  • [T1027] Obfuscated Files or Information – Uses few import functions and obfuscation to evade analysis (‘Zloader had very few Import functions and it was obfuscated’).
  • [T1106] Native API – Uses direct syscalls and native NT APIs (NtCreateUserProcess) instead of higher-level Win32 calls (‘make use of Associated syscall to NtCreateUserProcess to run msiexec.exe’).
  • [T1055] Process Injection – Writes payload into msiexec.exe and hijacks its thread context to execute injected code (‘Syscall to Write into msiexec.exe’ and ‘NtGetContextThread, NtSetContextThread and NtResumeThread’).
  • [T1218] Signed Binary Proxy Execution – Launches and abuses msiexec.exe as a legitimate host to run malicious code (‘msiexec.exe starts connecting to C2’).
  • [T1547.001] Registry Run Keys / Startup Folder – Achieves persistence by adding an entry to the Run registry (‘Persistence is ensured through the Run registry’).

Indicators of Compromise

  • [FileName] malware executable – IonPulse.exe
  • [File Hash] sample hash as given in the report (32 hex characters, i.e. MD5 length rather than SHA-1) – 71C72AD0DA3AF2FCA53A729EF977F344
  • [File Path] self-copy location – %AppData%Roaming (self copy)
  • [Process] injected/host process – msiexec.exe (targeted for injection and C2 connectivity)

Zloader performs an initial filename check and exits unless the executed filename matches IonPulse.exe. After this gate, the loader resolves APIs via hashing and obtains a handle to ntdll.dll using CreateFileA, then copies ntdll into newly allocated memory (VirtualAlloc) and adjusts memory protections with VirtualProtect to prepare a local, writable/executable ntdll image.

The malware builds process parameters using RtlInitUnicodeString and RtlCreateProcessParametersEx, then invokes the native syscall NtCreateUserProcess to launch msiexec.exe. It allocates memory in the target, uses NtWriteVirtualMemory (syscall) to write the payload into msiexec.exe, flips protections to executable, and manipulates thread context via NtGetContextThread, NtSetContextThread, and NtResumeThread to hijack execution. After injection, it loads wininet.dll and ws2_32.dll to enable C2 communication, makes a self-copy to %AppData%Roaming, and creates a Run registry entry for persistence.

These behaviors demonstrate syscall-based evasion (using native NT syscalls rather than Win32 wrappers), local mapping of a copied ntdll image for API resolution, RunPE-style injection into msiexec.exe, and registry-based persistence; detection should focus on unusual ntdll reads/copies, direct Nt* syscalls performing process creation or memory writes, and unexpected msiexec.exe network activity.
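The detection focus above (unexpected msiexec.exe spawning, write/suspend access to it from another process, msiexec.exe network activity, and a Run key pointing under %AppData%) can be correlated over endpoint telemetry. The following is an added example written for this summary, not code from K7 Labs; it runs over constructed Sysmon-style events (field names modelled on Sysmon event IDs 1, 10, 3 and 13) and reports an msiexec.exe PID once two or more injection/C2 signals line up.

```python
from collections import defaultdict

# Access rights a RunPE-style injector needs on the target (Win32 constants).
PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_SUSPEND_RESUME = 0x0008, 0x0020, 0x0800
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME
# Parents that normally start msiexec.exe; anything else is worth a look.
EXPECTED_MSIEXEC_PARENTS = {"services.exe", "msiexec.exe", "explorer.exe", "svchost.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return sorted findings. Per msiexec.exe PID we collect signals from
    Sysmon-style events (1 process create, 10 process access, 3 network,
    13 registry) and report the PID once two or more signals line up."""
    signals = defaultdict(set)
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and basename(ev["Image"]) == "msiexec.exe":
            if basename(ev["ParentImage"]) not in EXPECTED_MSIEXEC_PARENTS:
                signals[ev["ProcessId"]].add("unexpected_parent")
        elif eid == 10 and basename(ev["TargetImage"]) == "msiexec.exe":
            granted = int(ev["GrantedAccess"], 16)
            if granted & INJECT_MASK == INJECT_MASK and basename(ev["SourceImage"]) != "msiexec.exe":
                signals[ev["TargetProcessId"]].add("write_suspend_access")
        elif eid == 3 and basename(ev["Image"]) == "msiexec.exe":
            signals[ev["ProcessId"]].add("network_connection")
        elif eid == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower():
            if "appdata" in ev["Details"].lower():  # self-copy under %AppData% as in the write-up
                findings.append(f"run-key persistence by {basename(ev['Image'])}: {ev['Details']}")
    for pid, sig in signals.items():
        if len(sig) >= 2:
            findings.append(f"likely injection into msiexec.exe pid {pid}: {', '.join(sorted(sig))}")
    return sorted(findings)

# Constructed sample telemetry modelled on the behaviour in the write-up; not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 4120,
     "ParentImage": r"C:\Users\u\Downloads\IonPulse.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\u\Downloads\IonPulse.exe", "TargetProcessId": 4120,
     "TargetImage": r"C:\Windows\System32\msiexec.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 4120,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Users\u\Downloads\IonPulse.exe", "ProcessId": 3988,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IonPulse",
     "Details": r"C:\Users\u\AppData\Roaming\IonPulse.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 5000,
     "ParentImage": r"C:\Windows\System32\services.exe"},  # benign installer launch
]
```

Calling `detect(SAMPLE_EVENTS)` yields one finding for the injected msiexec.exe (PID 4120) and one for the Run key, while the services.exe-launched instance produces nothing.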
Read more: https://labs.k7computing.com/index.php/zloader-strikes-back/