
ZLoader Banking Trojan – Active IOCs

Severity

High

Analysis Summary

ZLoader, also known as Terdot and DELoader, is a banking trojan that loads the Zeus malware on victim machines after the initial infection. Like other banking trojans, its core capability is to harvest online account credentials for online banking sites (and some other services). When an infected user lands on a targeted online banking portal, the malware dynamically fetches web injections from its command-and-control (C2) server to modify the page that the user sees, so that the information the user enters into the log-in fields is sent to the cybercriminals. Attackers have been observed targeting victims with invoice-themed spear-phishing documents to infect them with ZLoader. This wave of ZLoader samples also consists of files following the invoice theme: the filenames are usually "invoice" or "case" followed by a special character such as ".", "-" or "_" and four random digits. The usual targets are financial institutions and banks. ZLoader has multiple distribution methods; it was also found to be distributed via malvertising campaigns in September 2021. Another campaign was found distributing ZLoader and other malware via obfuscated VBScript in June

Impact

  • Credential Theft
  • Financial Theft
  • Data Exfiltration

Indicators of Compromise

MD5

  • 1f168ac4f678476e493552e65995ae1a
  • 4414a7af27f8a26b48af7f3dd4259b40
  • 09874cbb134851ff3b971960916ce5bb

SHA-256

  • c42f5a5dd598b693fbe399ee2373e90ff0316935e923a81b39c4700fef60e0ea
  • 97179aa99e2c4d95d226268057774f5431b0763497b7000fe683c91a70a61071
  • 74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533

SHA1

  • 592dc08e825b709ce6659b6fe0e0115f3b3c07c4
  • 67f733252b3973d6b33594f6e9f6e107597ae23d
  • 42d32698f9513024f024eb6d1efcd9532ac1f622
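
As an added example (not part of the Rewterz advisory), the following Python triage helper flags mail-gateway attachment records that match the lure filename pattern described in the analysis summary or one of the SHA-256 indicators listed above; the document extension list, the record layout and the sample records are assumptions.

```python
import re
from dataclasses import dataclass

# SHA-256 indicators copied from the IOC section of this advisory.
ZLOADER_SHA256 = {
    "c42f5a5dd598b693fbe399ee2373e90ff0316935e923a81b39c4700fef60e0ea",
    "97179aa99e2c4d95d226268057774f5431b0763497b7000fe683c91a70a61071",
    "74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533",
}

# Lure naming pattern from the advisory: "invoice" or "case", one of ".", "-"
# or "_", then exactly four digits. The extension list is an assumption; the
# advisory only says "documents".
LURE_NAME = re.compile(
    r"^(?:invoice|case)[._-]\d{4}\.(?:doc|docx|docm|xls|xlsx|xlsm|rtf|pdf)$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Attachment:
    sender: str
    filename: str
    sha256: str

def triage(attachment):
    """Return the reasons an attachment should be held for review (empty = clean)."""
    reasons = []
    if attachment.sha256.lower() in ZLOADER_SHA256:
        reasons.append("sha256 matches ZLoader IOC")
    if LURE_NAME.match(attachment.filename.strip()):
        reasons.append("filename matches invoice/case lure pattern")
    return reasons

def scan(attachments):
    """Map each flagged attachment to its reasons; clean attachments are omitted."""
    hits = {}
    for att in attachments:
        reasons = triage(att)
        if reasons:
            hits[att] = reasons
    return hits

# Constructed sample gateway records (not real messages). The second record
# deliberately reuses a hash from the advisory to exercise the IOC check.
SAMPLE = [
    Attachment("vendor@example.com", "invoice_4821.docm", "00" * 32),
    Attachment("billing@example.net", "statement.pdf",
               "c42f5a5dd598b693fbe399ee2373e90ff0316935e923a81b39c4700fef60e0ea"),
    Attachment("hr@example.org", "case-0097.doc", "11" * 32),
    Attachment("alice@example.com", "invoice12345.docx", "22" * 32),
]

if __name__ == "__main__":
    for att, why in scan(SAMPLE).items():
        print(att.filename, "->", "; ".join(why))
```

The filename match is a triage signal for analyst review, not a verdict; only the hash match ties a file to the samples in this advisory.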

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Never trust or open links and attachments received from unknown sources/senders.
  • Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
  • Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
  • Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.