Analysis Summary

ZLoader is also known as Terdot, DELoader, which loads the Zeus malware on victim machines after initial infection. It is a banking trojan. Like other banking trojans, Its core capability is to harvest online account credentials for online banking sites (and some other services). When infected users land on a targeted online banking portal, malware dynamically fetches web injections from its command-and-control (C2) server to modify the page that the user sees, so that the information that the user enters into the log-in fields is sent to the cybercriminals. Attackers are found targeting victims with invoice-themed spear phishing malicious documents, to infect them with ZLoader. This wave of ZLoader samples also consists of files following the invoice theme. The filenames are usually "invoice" or "case" with a special character like ".", "-" or "_" followed by four random digits. The usual target is financial institutions and banks. ZLoader has multiple distribution methods, it was also found to be distributed via malvertising campaigns in September 2021. Another campaign was found distributing ZLoader and other malware via Obfuscated VBScript in June

Impact

• Credential Theft
• Financial Theft
• Data Exfiltration

Indicators of Compromise

MD5

• 78e71640501a87b729650b536645dfb9

SHA-256

• 165a4a88942253500f82ef8b81c04ee228c6432581ff3747813e8a4a7d8ec1a3

SHA1

• 1b3ccf24c686ad6419840969103fce3b47c9d82d

URL

• https://syracuse.best/wp-data.php

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.