Severity
High
Analysis Summary
ZLoader is also known as Terdot, DELoader, which loads the Zeus malware on victim machines after initial infection. It is a banking trojan. Like other banking trojans, Its core capability is to harvest online account credentials for online banking sites (and some other services). When infected users land on a targeted online banking portal, malware dynamically fetches web injections from its command-and-control (C2) server to modify the page that the user sees, so that the information that the user enters into the log-in fields is sent to the cybercriminals. Attackers are found targeting victims with invoice-themed spear phishing malicious documents, to infect them with ZLoader. This wave of ZLoader samples also consists of files following the invoice theme. The filenames are usually "invoice" or "case" with a special character like ".", "-" or "_" followed by four random digits. The usual target is financial institutions and banks. ZLoader has multiple distribution methods, it was also found to be distributed via malvertising campaigns in September 2021. Another campaign was found distributing ZLoader and other malware via Obfuscated VBScript in June
Impact
- Credential Theft
- Financial Theft
- Data Exfiltration
Indicators of Compromise
MD5
- 78e71640501a87b729650b536645dfb9
SHA-256
- 165a4a88942253500f82ef8b81c04ee228c6432581ff3747813e8a4a7d8ec1a3
SHA1
- 1b3ccf24c686ad6419840969103fce3b47c9d82d
URL
- https://syracuse.best/wp-data.php
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.