July 30, 2024
Severity
High
Analysis Summary
In a recent investigation into a new variant of the ZLoader/SilentNight malware, a previously unknown PowerShell backdoor and VBS downloader were discovered. This malware appears to have been used in conjunction with the new ZLoader variant, which the Cybersecurity and Infrastructure Security Agency (CISA) has linked to the BlackBasta group.
Researchers found that the PowerShell backdoor is designed to facilitate further access through reconnaissance activities and to deploy additional malware samples, including ZLoader. This discovery highlights the evolving tactics of threat actors and the need for continuous vigilance and advanced threat detection mechanisms. ZLoader, also known as Terdot or DELoader, is a banking trojan that loads the Zeus malware on victim machines after the initial infection. Like other banking trojans, its core capability is to harvest online account credentials for online banking sites (and some other services).
When infected users land on a targeted online banking portal, the malware dynamically fetches web injections from its command-and-control (C2) server to modify the page that the user sees, so that the information the user enters into the log-in fields is sent to the cybercriminals. Attackers have been observed targeting victims with invoice-themed spear-phishing malicious documents to infect them with ZLoader. This wave of ZLoader samples also consists of files following the invoice theme.
The filenames are usually "invoice" or "case" followed by a special character such as ".", "-" or "_" and then four random digits. The usual targets are financial institutions and banks. ZLoader has multiple distribution methods: it was also found being distributed via malvertising campaigns earlier this September, and another campaign was found distributing ZLoader and other malware via obfuscated VBScript in June.
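The invoice/case attachment naming pattern above is a concrete hunting signal. The following Python is an added example, not part of this advisory or the researchers' tooling: it matches attachment names against that pattern over constructed mail-gateway log lines. The log line format, case-insensitive matching and the optional file extension are assumptions made here, not details the advisory states.

```python
import re
from dataclasses import dataclass

# Lure-filename pattern from the advisory: "invoice" or "case", one of ".", "-" or "_",
# then exactly four digits. The optional extension and case-insensitive matching are
# assumptions added here, not something the advisory states.
LURE_NAME = re.compile(
    r"^(?P<theme>invoice|case)[._-]\d{4}(?:\.[A-Za-z0-9]{1,5})?$", re.IGNORECASE
)

# Hypothetical mail-gateway log format (constructed for this example):
#   <timestamp> msgid=<id> from=<sender> attach=<attachment filename>
ATTACH_FIELD = re.compile(r"\battach=(?P<name>\S+)")


@dataclass
class Hit:
    line_no: int
    attachment: str
    theme: str  # "invoice" or "case", normalised to lower case


def is_zloader_lure_name(name: str) -> bool:
    # True when the filename follows the invoice/case + separator + 4-digit pattern
    return LURE_NAME.match(name) is not None


def scan_gateway_log(lines) -> list:
    # Return one Hit per log line whose attachment name matches the lure pattern
    hits = []
    for line_no, line in enumerate(lines, start=1):
        field = ATTACH_FIELD.search(line)
        if field is None:  # message without an attachment: nothing to check
            continue
        name = field.group("name")
        match = LURE_NAME.match(name)
        if match:
            hits.append(Hit(line_no, name, match.group("theme").lower()))
    return hits


# Constructed sample log lines (not real traffic); lines 1, 2 and 7 match, the rest do not.
SAMPLE_LOG = [
    "2024-07-30T08:12:01Z msgid=a1 from=billing@example.net attach=invoice.4821.docm",
    "2024-07-30T08:13:45Z msgid=b2 from=legal@example.org attach=Case_0093.xlsm",
    "2024-07-30T08:15:02Z msgid=c3 from=ap@example.com attach=invoice_summary_2024.pdf",
    "2024-07-30T08:16:30Z msgid=d4 from=desk@example.net attach=case-12.doc",
    "2024-07-30T08:18:11Z msgid=e5 from=hr@example.org attach=quarterly_report.pptx",
    "2024-07-30T08:19:57Z msgid=f6 from=noreply@example.com",
    "2024-07-30T08:21:40Z msgid=g7 from=acct@example.net attach=INVOICE-7720",
]
```

Names such as `invoice_summary_2024.pdf` or `case-12.doc` deliberately fall outside the pattern, so a match is a narrow signal worth triaging rather than a generic keyword hit.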
Impact
- Credential Theft
- Unauthorized Access
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multi-factor authentication (MFA) mechanisms such as biometric verification or one-time passwords (OTPs) to add an extra layer of security to banking transactions.
- Utilize advanced threat detection and monitoring tools to proactively identify and respond to suspicious activities or anomalies indicative of mobile banking trojan activity.
- Adopt secure coding practices and conduct regular security assessments and code reviews to identify and remediate vulnerabilities in mobile banking applications.
- Educate users about the risks associated with mobile banking trojans including phishing scams, social engineering tactics, and suspicious app downloads.
- Establish partnerships with other financial institutions, cybersecurity firms, and law enforcement agencies to share threat intelligence and collaborate on the detection and mitigation of mobile banking trojan campaigns.
- Adhere to industry regulations and compliance standards governing data protection, privacy, and financial transactions.
- Deploy advanced security technologies such as endpoint detection and response (EDR) solutions, network intrusion detection systems (NIDS), and machine learning-based anomaly detection tools to detect and prevent mobile banking trojan infections.