
Rewterz Threat Alert – ZLoader using Zoho Docs – IoCs

Severity

High

Analysis Summary

ZLoader, a banking trojan that reappears in periodic distribution waves, is currently being spread through malspam campaigns, some of which host the malware on the Zoho Docs platform. Zoho Docs is an online document management service that stores files in a centralized location and makes them accessible from any device; users can upload, store, create, edit, share and view documents, spreadsheets, presentations, pictures, music, videos and other file types.

Impact

  • Unauthorized Code Execution
  • Credential Theft
  • Financial Theft
  • Data Exfiltration

Indicators of Compromise

Domain Name

  • svilapp[.]svgipsar[.]org
  • nadar-gis[.]com
  • denatureedutech[.]com
  • dainikjahan[.]com
  • crown-sign[.]com
  • crearqarquitectos[.]com
  • alekllemtilaro[.]tk
  • electrabeautytools[.]com

MD5

  • ee92d3d603247217f74e60ca6178e8d1
  • 4209e752839b142cc328261ba570b0d2
  • bb4d1959e6a7850a556ebadf69d18508
  • 1da1b1f1037bacd1fe8e017a5d52e727
  • 7cffa259bf22590169d7375a7c05f7f4

SHA-256

  • 95b19f6107e6ed6af9b335d7ceed88a77ec8cb3864b09d70b6ea2f6ca9c13e9a
  • 6df88e26b94be01b9a7abcd8473f74b9ea7278282421da4bf7dbffa6a53a2a58
  • 61be79c9e47ad894006907c544c0a2d606d8d69c95298ffc5861f20c4b87769e
  • 3787d90c7fa9f7b2803b904476eff287d4f59d1fe550f248250e84ca8885065f
  • 026003b17c48b67cbd3714c48a0d482275a74f135f3dc27077b5af4564921f88

SHA-1

  • f40cf6c3a5ab0f61dd6e280ab03ed6f1e490c8df
  • 275a712c823e2a5935145c418d2fe2abe38d2eba
  • c4a940aa768e97da36393a899775ff7172f66274
  • b9b6463219a19632299c5e0fb76715753b6ddd0e
  • fa9858ffbb67bf8e62d32f4cf637d1509ccfea6c

URL

  • https[:]//svilapp[.]svgipsar[.]org/post[.]php
  • https[:]//nadar-gis[.]com/post[.]php
  • https[:]//crearqarquitectos[.]com/post[.]php
  • https[:]//docs[.]zoho[.]com/downloaddocument[.]do?docId=2nv9ead08316da05c4cfc968b5f38672cb40b

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached to untrusted emails.
  • Do not click on links given in untrusted emails or on untrusted public websites, even if they look legitimate.
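The first remediation item, blocking the indicators at the relevant controls, is usually paired with a retrospective sweep of proxy logs and endpoint hash inventories for the same indicators. The script below is an added example and not Rewterz tooling: it refangs the advisory's defanged domains, URLs and hashes exactly as listed above and matches them against a constructed proxy log and a constructed file-hash inventory. The log lines, IP addresses and file paths are made-up sample data; only the exact Zoho Docs download URL is flagged, since docs.zoho.com itself is a legitimate service, while the attacker-controlled domains match on the host and any subdomain.

```python
# Added example (not from the advisory): sweep logs and hashes for the listed IoCs.
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Indicators copied from the advisory in their published (defanged) form.
DOMAINS = [
    "svilapp[.]svgipsar[.]org", "nadar-gis[.]com", "denatureedutech[.]com",
    "dainikjahan[.]com", "crown-sign[.]com", "crearqarquitectos[.]com",
    "alekllemtilaro[.]tk", "electrabeautytools[.]com",
]
URLS = [
    "https[:]//svilapp[.]svgipsar[.]org/post[.]php",
    "https[:]//nadar-gis[.]com/post[.]php",
    "https[:]//crearqarquitectos[.]com/post[.]php",
    "https[:]//docs[.]zoho[.]com/downloaddocument[.]do?docId=2nv9ead08316da05c4cfc968b5f38672cb40b",
]
HASHES = {  # MD5, SHA-256 and SHA-1 values from the advisory, all lower-case
    "ee92d3d603247217f74e60ca6178e8d1", "4209e752839b142cc328261ba570b0d2",
    "bb4d1959e6a7850a556ebadf69d18508", "1da1b1f1037bacd1fe8e017a5d52e727",
    "7cffa259bf22590169d7375a7c05f7f4",
    "95b19f6107e6ed6af9b335d7ceed88a77ec8cb3864b09d70b6ea2f6ca9c13e9a",
    "6df88e26b94be01b9a7abcd8473f74b9ea7278282421da4bf7dbffa6a53a2a58",
    "61be79c9e47ad894006907c544c0a2d606d8d69c95298ffc5861f20c4b87769e",
    "3787d90c7fa9f7b2803b904476eff287d4f59d1fe550f248250e84ca8885065f",
    "026003b17c48b67cbd3714c48a0d482275a74f135f3dc27077b5af4564921f88",
    "f40cf6c3a5ab0f61dd6e280ab03ed6f1e490c8df", "275a712c823e2a5935145c418d2fe2abe38d2eba",
    "c4a940aa768e97da36393a899775ff7172f66274", "b9b6463219a19632299c5e0fb76715753b6ddd0e",
    "fa9858ffbb67bf8e62d32f4cf637d1509ccfea6c",
}


def refang(indicator: str) -> str:
    """Turn the advisory's defanged form back into a matchable string."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


REFANGED_DOMAINS = {refang(d) for d in DOMAINS}
REFANGED_URLS = {refang(u) for u in URLS}


def classify_url(url: str) -> Optional[str]:
    """'url' on an exact URL match, 'domain' on a host/subdomain match, else None."""
    if url in REFANGED_URLS:
        return "url"
    host = (urlparse(url).hostname or "").lower()
    # docs.zoho.com is a legitimate service, so it is only matched by exact URL above;
    # the attacker domains match on the host itself or any subdomain of it.
    for d in REFANGED_DOMAINS:
        if host == d or host.endswith("." + d):
            return "domain"
    return None


# Constructed proxy log: timestamp, source IP, method, URL, HTTP status.
PROXY_LOG = """\
2021-03-29T09:14:02Z 10.0.5.23 GET https://www.example.org/index.html 200
2021-03-29T09:15:41Z 10.0.5.23 GET https://docs.zoho.com/downloaddocument.do?docId=2nv9ead08316da05c4cfc968b5f38672cb40b 200
2021-03-29T09:16:10Z 10.0.5.23 POST https://svilapp.svgipsar.org/post.php 200
2021-03-29T09:17:55Z 10.0.7.8 GET https://docs.zoho.com/sheet/open 200
2021-03-29T09:18:03Z 10.0.7.8 GET http://mail.crown-sign.com/ 404
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (source_ip, url, match_kind) for every log line that hits an IoC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        _ts, src, _method, url, _status = m.groups()
        kind = classify_url(url)
        if kind:
            hits.append((src, url, kind))
    return hits


# Constructed endpoint inventory (path -> hash) as exported by an AV/EDR console.
FILE_INVENTORY = {
    r"C:\Users\alice\Downloads\invoice.doc":
        "95B19F6107E6ED6AF9B335D7CEED88A77EC8CB3864B09D70B6EA2F6CA9C13E9A",
    r"C:\Windows\System32\notepad.exe": "0000000000000000000000000000000000000000",
}


def scan_hashes(inventory: Dict[str, str]) -> List[str]:
    """Return paths whose hash (any listed algorithm, case-insensitive) is an IoC."""
    return [path for path, h in inventory.items() if h.lower() in HASHES]


if __name__ == "__main__":
    for src, url, kind in scan_proxy_log(PROXY_LOG):
        print(f"ALERT {src} -> {url} ({kind} IoC)")
    for path in scan_hashes(FILE_INVENTORY):
        print(f"ALERT file hash matches advisory: {path}")
```

Comparing hashes case-insensitively matters because AV and EDR exports differ in the case they emit; the subdomain match on the attacker domains (here `mail.crown-sign.com`) catches infrastructure the advisory lists only at the registered-domain level.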