Zloader Campaigns at a Glance

September 29, 2021

Zloader Campaigns at a Glance Infographic View infographic: Zloader Campaigns at a Glance

The ZBOT (aka Zeus) trojan has been one of the most prolific and enduring malware families of the past 20 years. After its first appearance in 2006, its source code was leaked in 2011, leading to a plethora of new variants that plagued organizations over the succeeding years.

One of the most notable recent ZBOT variants is Zloader. First compiled under the name Silent Night in late 2019, it has evolved from being an information stealer to a multipurpose dropper that provides malicious actors the means to install and execute other malware and tools such as Cobalt Strike, DarkSide, and Ryuk. In addition, it has other capabilities, such as the ability to provide remote access to attackers and install plug-ins for additional routines.

Zloader has multiple delivery methods, such as via email campaigns or downloads by other malware and hacking tools. One of the most basic yet reliable methods for individuals and organizations to avoid being infected by Zloader and other malware with similar arrival techniques is to apply security best practices to their emails. This includes avoiding downloading attachments or selecting links from emails that look suspicious or appear to be out of context.

Zloader’s versatility has made it a popular and effective campaign tool for any threat actor that is willing to pay for it. We already witnessed this in past campaigns — some of which took advantage of current events such as the Covid-19 pandemic — and we can expect to see it again in future campaigns from other threat actors.

Organizations can mitigate the impact of Zloader by employing robust security solutions and services. Trend Micro’s robust native XDR capabilities are tied together by Trend Micro Vision One™, which connects email, endpoints, servers, cloud workloads, and networks in order to provide a better context and perspective of the entire chain of events of an attack, while also allowing security personnel to investigate and act from a single place.

Furthermore, managed security services, such as Trend Micro™ Managed XDR, provides expert threat monitoring, correlation, and analysis from experienced cybersecurity professionals via a single and capable source of detection, analysis, and response. This expertise is further bolstered by AI-optimized, Trend Micro solutions that draw from global threat intelligence.

MITRE ATT&CK techniques

Zloader uses the following tactics and techniques, as mapped out according to the MITRE ATT&CK Matrix.

TacticMITRE ID and TechniqueDetails
Initial AccessT1189 - Drive-by CompromiseZloader can be downloaded through drive-by compromise via Malsmoke, RIG Exploit Kit, and Spelevo
T1566 - PhishingZloader can arrive via phishing emails with attached XLS downloader files
ExecutionT1204 - User ExecutionUser can execute the XLS Zloader downloader file manually
T1064 - Scripting Zloader can be downloaded by VBS or Javascripts
T1059 -Command and Scripting Interpreter
T1106 - Native APIZloader hooks native API from user32.dll and ntdll.dll to redirect execution to Zloader DLL
PersistenceT1060 - Registry Run Keys/Startup FolderCreates persistence using the following registry: HKCU\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run
T1547- Boot or Logon Autostart Execution
Privilege EscalationT1055 - Process InjectionZloader injects its loader or core component to msiexec.exe
Defense EvasionT1027 - Obfuscated files or informationInstead of presenting arithmetic functions in a standardized manner and directly hardcoding constants, Zloader tries to confuse the analyst by obfuscating these in a form of various, dedicated functions
T1140 – Deobfuscate/ Decode Files or InformationZloader performs XOR to decode obfuscated strings and information
T1497 - Virtualization/ Sandbox EvasionZloader downloader scripts check if it is running in a virtual environment and will not execute properly if it is
Credential AccessT1056 - Input CaptureZloader captures keystrokes on browsers
T1539 - Steal Web Session CookieZloader steals cookies from Chrome, Firefox, and Internet Explorer
DiscoveryT1083 - File and Directory DiscoveryZloader steals cookies by discovering files from specific directories like \Mozilla\Firefox\Profiles
T1012 - Query Registry
CollectionT1185 - Man in the BrowserZloader has to install its own (fake) certificate, and has to run a local proxy before deploying a Man-In-TheBrowser (MITB) attack
T1179 - Hooking
Command & ControlT1001 - Data ObfuscationC2 is encrypted via RC4 and XORing algorithm where each character of the string is XORed with the preceding character which was already XORed
T1090 - ProxyZloader components injected into browsers are responsible for redirecting traffic via proxy
T1071- Application Layer ProtocolThe following commands are accepted:

user_execute - download an executable into the %TEMP% folder and run it (optionally with parameters)

user_cookies_get - steal cookies from all known browsers

user_url_block - block URL access for the current user

bot_uninstall - complete removal of the bot from the current user

user_password_get – steal passwords from targeted browsers

user_files_get – search and upload documents of the victims (.txt, docx,, .xls, .wallet.dat)
T1219 - Remote Access SoftwareZloader downloads and executes VNC tool to control victim machine
ExfiltrationT1041 - Exfiltration Over C&C ChannelData collected by Zloader, such as stolen cookies, screenshot, and process list, are exfiltrated to C&C server

Indicators of Compromise

The IOCs for Zloader can be found in this appendix.

HIDE
Zloader Campaigns at a Glance Infographic

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.