Zloader

Zloader is a banking trojan that uses webinjects and VNC clients to steal banking credentials. The trojan is based on code leaked in 2011, but despite its age, Zloader's popularity kept increasing through early 2020, when it relied on COVID-19 themed attacks.

Type: Banking trojan
Origin: Unknown
First seen: 1 May, 2016
Last seen: 19 October, 2020
Also known as: Terdot, Zbot, DELoader
Global rank: 34
Week rank: 13
Month rank: 11
IOCs: 1369

What is Zloader?

Zloader, also known as Terdot and Zbot, is a banking trojan. It uses webinjects to steal passwords and authentication codes from its victims. The trojan was first spotted in 2016, but it saw a sudden surge of activity in the winter of 2019, appearing in over 100 email campaigns.

Zloader is constructed using the leaked code of the well-known ZeuS malware. ZeuS code was made public in 2011 and became a base for various malware samples. The fact that its variants are still being used goes to show how effective the original malware was.

General description of Zloader

Researchers first observed Zloader, known at the time as DELoader, in 2016, when it started attacking Canadian banking organizations. The malware's name highlights two facts: the letter "Z" shows that it is based on the Zeus banking trojan, and the word "loader" highlights the malware's design. Zloader makes its way onto victims' machines via a loader that installs the final payload.

Zloader became quite popular and served as the main tool for several threat actors, with TA511, also known as Hancitor, being the most notable. After working with Zloader for almost two years, Hancitor moved to Panda Banker. Others soon followed suit, and Zloader was abandoned until 2019, when researchers detected a sudden surge of attacks.

Attackers possibly seized on the confusion surrounding the COVID-19 crisis, launching a new wave of campaigns in December 2019, with the number of sightings still increasing by March 2020.

Although Zloader previously focused on victims in Canada, starting in 2020 it expanded its geography of operations. The newer campaigns attack financial institutions all over the world, including in the US, Australia, and Europe.

The malware uses a technique called web injects to trick victims into revealing their authentication codes. Zloader replaces the victim's banking website with an identical copy fetched from a custom file, so that unsuspecting users give away their credentials thinking they are logging into their bank. In reality, the sensitive information, including authentication codes, is sent to the C&C server controlled by the attackers.

Additionally, Zloader can fetch information from browsers, accessing cookies and passwords — a standard functionality for banking trojans.

Interestingly, the 2019 version of Zloader is less advanced than its 2016 predecessor. Researchers think it might be a revision of an older iteration of the malware that lacked some of the more sophisticated malicious techniques.

Among the missing features are code obfuscation and string encryption, both techniques that threat actors use to complicate static analysis of malware by making the code unreadable.

However, that does not mean Zloader should be taken lightly. It is still top-tier malware and highly dangerous.

For example, once attackers get hold of the credentials, they use a clever technique to log into the account without raising red flags with the bank. The threat actors log in through a virtual network computing (VNC) client on the infected machine, so all the bank sees is another session from the victim's usual machine. This way, attackers can not only withdraw money without raising alarms, but proving that the transaction was fraudulent also becomes difficult.

On top of that, the malware still uses some evasion and anti-analysis techniques, such as Command & Control blacklisting and Windows API function hashing, which make analysis more complicated. Another worrying sign is the constant maintenance of Zloader: no fewer than 18 versions were seen circulating in the wild from January to March 2020. The malware is being constantly improved.

Zloader malware analysis

We can watch the complete execution process of Zloader in a video recorded in the ANY.RUN interactive malware hunting service.

Zloader process graph

Figure 1: Shows the process graph, automatically created in ANY.RUN

Zloader execution process

Zloader usually makes its way into systems as an executable or as a script file. When delivered as a script file, it is run by the wscript process, which compiles it into the library. As an executable file, the malware injects itself into the msiexec.exe process. After that, Zloader tries to connect to the Command & Control server over HTTPS to download additional modules.

Zloader distribution

Zloader is distributed to victims via malspam. Emails are crafted to look like government notices or offers of financial support related to the COVID-19 epidemic. Attached to the emails are malicious files, normally with Microsoft Office file extensions, though PDF files have also been observed.

When opened, the files ask the victim to enable macros. If users comply, the macros download a loader, which establishes a connection with the command and control server and installs the final payload, Zloader.

How to detect Zloader?

Zloader creates registry keys with pseudo-random names under HKEY_CURRENT_USER\Software\Microsoft and directories with pseudo-random names inside the %APPDATA% directory. This activity can help analysts detect this malware family. To take a look at the registry changes and created directories, click on the msiexec process and then on the "More info" button.
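The artifacts named above (pseudo-random key names under HKEY_CURRENT_USER\Software\Microsoft, pseudo-random directory names under %APPDATA%) and the msiexec.exe HTTPS connections from the execution-process section can be turned into simple triage logic. The following is an added example, not ANY.RUN's code: it scores constructed sandbox-style events against a constructed, partial baseline of expected names; the event schema, the baseline sets and the sample paths (which keep the unexpanded %APPDATA% token as the page writes it) are all assumptions.

```python
import re

# Constructed, partial baselines of child names expected on a clean host; a real
# deployment builds these from a known-good image of the same Windows build.
KNOWN_HKCU_MS_KEYS = {"Windows", "Windows NT", "Office", "Internet Explorer", "Cryptography"}
KNOWN_APPDATA_DIRS = {"Microsoft", "Mozilla", "Adobe", "Google"}
REG_PREFIX = "HKEY_CURRENT_USER\\Software\\Microsoft\\"
APPDATA_PREFIX = "%APPDATA%\\"
GENERATED_NAME = re.compile(r"[A-Za-z]{4,16}")  # one letter-only token, no word breaks

def first_child(path, prefix):
    """Return the component directly below prefix, or None if path lies elsewhere."""
    if not path.lower().startswith(prefix.lower()):
        return None
    return path[len(prefix):].split("\\", 1)[0]

def suspicious_name(name, baseline):
    """A pseudo-random name is a letter-only token that no baseline entry explains."""
    return name not in baseline and GENERATED_NAME.fullmatch(name) is not None

def analyze(events):
    """Walk sandbox/EDR events and return human-readable findings (empty = clean)."""
    findings = []
    for ev in events:
        proc = ev.get("process", "")
        if ev["type"] == "registry_create":
            key = first_child(ev["path"], REG_PREFIX)
            if key and suspicious_name(key, KNOWN_HKCU_MS_KEYS):
                findings.append(f"{proc}: pseudo-random key HKCU\\Software\\Microsoft\\{key}")
        elif ev["type"] == "dir_create":
            d = first_child(ev["path"], APPDATA_PREFIX)
            if d and suspicious_name(d, KNOWN_APPDATA_DIRS):
                findings.append(f"{proc}: pseudo-random directory %APPDATA%\\{d}")
        elif ev["type"] == "network":
            # msiexec.exe normally opens no HTTPS sessions of its own; Zloader runs inside it
            if proc.lower() == "msiexec.exe" and ev.get("port") == 443:
                findings.append(f"{proc}: outbound HTTPS to {ev['dst']}")
    return findings

# Constructed sample events shaped like a sandbox registry/file/network trace.
SAMPLE_EVENTS = [
    {"type": "registry_create", "process": "msiexec.exe", "path": REG_PREFIX + "Ilyvsoqu"},
    {"type": "registry_create", "process": "explorer.exe", "path": REG_PREFIX + "Windows\\Run"},
    {"type": "dir_create", "process": "msiexec.exe", "path": APPDATA_PREFIX + "Vaoxde"},
    {"type": "dir_create", "process": "chrome.exe", "path": APPDATA_PREFIX + "Google\\Chrome"},
    {"type": "network", "process": "msiexec.exe", "dst": "c2.example.invalid", "port": 443},
    {"type": "network", "process": "chrome.exe", "dst": "www.example.com", "port": 443},
]

FINDINGS = analyze(SAMPLE_EVENTS)  # three findings, all attributed to msiexec.exe
```

The letter-only-token heuristic is deliberately loose; it is the combination of an unbaselined name with the msiexec.exe process context that makes the finding worth an analyst's time.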

Conclusion

Despite being based on code that was leaked no fewer than 9 years ago, Zloader still poses a massive threat to cybersecurity.

Since late 2019, this banking trojan has targeted financial institutions all around the world with COVID-19 themed attacks. It appeared in over 100 email campaigns after being inactive for nearly 2 years, and now wreaks havoc on the banking world, using web injects and VNC sessions to steal credentials.

Thankfully, using ANY.RUN, researchers can analyze Zloader in a secure online environment and take advantage of our interactive sandbox. With our service, malware hunters get results on the fly while staying in control of all simulation variables, saving a great deal of time on dynamic analysis. Studying threats like Zloader is a sure way to develop a sound cybersecurity strategy or to prepare an action plan should your organization come under attack.

IOCs

