ESET researchers provided technical analysis, statistical information, and known command and control server domain names and IP addresses
ESET has collaborated with partners Microsoft’s Digital Crimes Unit, Lumen’s Black Lotus Labs, Palo Alto Networks Unit 42, and others in an attempt to disrupt known Zloader botnets. ESET contributed to the project by providing technical analysis, statistical information, and known command and control server domain names and IP addresses.
Zloader started life as a banking trojan, but has since evolved into a distributor of several malware families, including various ransomware families.
The coordinated disruption operation targeted three specific botnets, each one using a different version of the Zloader malware. ESET researchers helped identify 65 domains that had been used by these botnet operators recently and that had to be taken over for this disruption operation to be effective. On top of that, Zloader bots rely on a backup communication channel that automatically generates unique domain names that can be used to receive commands from their botmasters. This technique, known as a domain generation algorithm (DGA), is used to generate 32 different domains per day, per botnet. To make sure that the botnet operators cannot use this side channel to regain control of their botnets, an additional 319 already registered domains generated by this algorithm were taken over, and the working group is also taking measures to block registration of DGA domains that may be generated in the future. Microsoft’s investigation also identified Denis Malikov as a co-author of a malicious component used by the operators of one of the botnets.
Zloader is one of the many banking trojan malware families heavily inspired by the famous Zeus banking trojan, whose source code was leaked in 2011. Many research papers have been published about this malware already, with the latest one from Malwarebytes and HYAS being the most detailed from the technical point of view.
This blogpost won’t focus on deep technical aspects of the trojan, but rather will cover the details of its operation and infrastructure.
The first version (126.96.36.199) of Zloader that we were able to find was compiled on November 9th 2019, the same day it was announced and advertised in underground forums under the name “Silent Night”. ESET researchers have been closely monitoring its activity and evolution ever since then, giving us great insight into Zloader’s mode of operation and its infrastructure.
Throughout Zloader’s existence, we have analyzed about 14,000 unique samples via our automatic tracking system, which helped us to discover more than 1,300 unique C&C servers. In March 2020, Zloader implemented a domain generation algorithm (DGA) that allowed us to discover about 300 additional active domains registered by Zloader operators and used as C&C servers.
We have seen a couple of peaks in Zloader’s popularity among threat actors, mainly during its first year of existence, but its use began declining during 2021 with only a couple of actors left using it for their malicious purposes. This may, however, change in the future, as we have already seen version 2.0 samples in the wild (compiled in July 2021). Our findings show that these were just test builds, but we will be closely monitoring this new activity and its evolution. Due to the low prevalence and the nature of this new version, all the following information applies to Zloader version 1.x.
As already mentioned, Zloader, similar to other commodity malware, is being advertised and sold on underground forums. When purchased, affiliates are given all they need to set up their own servers with administration panels and to start building their bots. Affiliates are then responsible for bot distribution and maintaining their botnets.
As you can see in Figure 1, we have observed Zloader infections and campaigns in many countries, with North America being the most targeted.
Zloader has been used by various affiliate groups and each of them has used a different approach for the malware’s distribution, including:
- RIG exploit kit
- COVID-19-themed spam emails with malicious Microsoft Word documents attached
- Variants of fake invoice spam emails with malicious XLS macros
- Misuse of Google Ads
The development of the latest distribution methods will be covered in the next sections.
Zloader has a modular architecture, downloading and utilizing its modules as needed. Supported Zloader modules are displayed in Table 1 and Table 2.
Table 1. Overview of malicious modules used by Zloader

| Module | Purpose |
|---|---|
| Loader module | Loading the core module |
| Core module (x86) | Main functionality for x86 processes |
| Core module (x64) | Main functionality for x64 processes |
| hvnc32 module | Hidden VNC (x86) for remote PC control |
| hvnc64 module | Hidden VNC (x64) for remote PC control |
Table 2. Legitimate tools abused by Zloader to support its malicious tasks

| Tool | Purpose |
|---|---|
| zlib1.dll | Used to support AitB attacks |
| libssl.dll | Used to support AitB attacks |
| certutil.exe (+necessary DLL files) | Used to support AitB attacks |
| sqlite3.dll | Used for processing browser data |
Zloader’s first component is a loader that is used to download or load (if already downloaded) the core module. This core module is then responsible for downloading and loading additional modules and performing its own malicious tasks.
Zloader’s notable features are:
- Ability to steal various data from browsers and Microsoft Outlook, and to steal cryptocurrency wallets
- Keystroke logging
- HiddenVNC support to allow the operator to remotely control compromised systems
- Support for Zeus-like webinjects, form grabbing and form screenshotting
- Arbitrary command execution (e.g., download and execute other malware)
All communication between bots and their C&C servers is performed over HTTP or HTTPS and, regardless of which is used, the data is encrypted using RC4. Some of the data is additionally encrypted using an XOR-based algorithm known as “Visual Encrypt”. The RC4 key is unique for each affiliate, as described in the next section. Figure 2 shows a bot’s static configuration. It contains a list of up to ten hardcoded C&C URLs along with other important data for communication – such as the botnetID, which helps the operator easily filter data from different campaigns, the signature used for communication verification, etc. A bot’s C&C list can be easily updated by issuing a command from the operator’s administration panel if needed.
If none of the hardcoded servers responds, a Zloader bot can use its DGA as a fallback mechanism. Every day, a list of 32 new domains, unique for every affiliate, is generated based on the current day retrieved via the GetLocalTime function. Generated URLs have the format https://<20_random_lowercase_ASCII_letters>.com/post.php.
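As an added example (not code from the original post), the following Python flags proxy log entries whose URL matches the DGA domain shape described above and reports clients that cycle through several such domains in a day, which is what a bot in fallback mode does when its hardcoded servers are unreachable. The log lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Shape of the fallback DGA described above:
# https://<20 random lowercase ASCII letters>.com/post.php
DGA_HOST = re.compile(r"^[a-z]{20}\.com$")


def is_zloader_dga_url(url: str) -> bool:
    """True when a URL has the host shape and path of a Zloader DGA callback."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return DGA_HOST.match(host) is not None and parts.path == "/post.php"


# Constructed proxy log lines (timestamp client method url status); not real traffic.
SAMPLE_LOG = """\
2021-11-12T10:00:01 10.0.0.5 POST https://abcdefghijklmnopqrst.com/post.php 503
2021-11-12T10:00:02 10.0.0.5 POST https://tsrqponmlkjihgfedcba.com/post.php 503
2021-11-12T10:00:03 10.0.0.5 POST https://kxqzvmwnplrtbdhcgfsy.com/post.php 200
2021-11-12T10:00:04 10.0.0.7 GET https://www.example.com/index.html 200
2021-11-12T10:00:05 10.0.0.7 POST https://abcdefghijklmnopqrs.com/post.php 404
2021-11-12T10:00:06 10.0.0.9 POST https://zyxwvutsrqponmlkjihg.com/login.php 200
"""


def scan_proxy_log(log_text: str) -> dict:
    """Group the DGA-shaped callback hosts seen per client address."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        _ts, client, _method, url = fields[:4]
        if is_zloader_dga_url(url):
            hits[client].add(urlsplit(url).hostname)
    return {client: sorted(hosts) for client, hosts in hits.items()}


def clients_in_dga_fallback(hits: dict, min_hosts: int = 2) -> set:
    """A single 20-letter .com host can be a coincidence; a client walking through
    several distinct ones (the bot generates 32 per day) is the actual signal."""
    return {client for client, hosts in hits.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for client in sorted(clients_in_dga_fallback(found)):
        print(f"{client}: {len(found[client])} DGA-shaped callbacks -> {found[client]}")
```

The host shape alone will also match unrelated 20-letter domains, so the per-client count, not the single match, is what should drive an alert.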
Botnet infrastructure and affiliates
The RC4 encryption key used in botnet communication is unique for every affiliate and tied to the affiliate’s administration panel installation. This uniqueness gives us the opportunity to cluster Zloader samples and track affiliates’ distribution methods and the evolution of their campaigns.
Since the beginning of our tracking, we have observed more than 25 different RC4 keys. It is worth noting that some of these affiliates were active for a very short period — some of them were probably just testing Zloader’s features. It is also possible that some operators just redeployed their administration panel installation at some point and continued their operation with a new RC4 key. A timeline of notable affiliate activity, as well as various Zloader version release dates, can be seen in Figure 3.
As can be seen in Figure 5, from October 2020, most Zloader activity was due to only two affiliates. We can distinguish them by their RC4 keys – 03d5ae30a0bd934a23b6a7f0756aa504 and [email protected]#hsf23
We cover these two affiliates’ activities in the next two sections.
This affiliate was active under this particular RC4 key starting in June 2020. The first Zloader version it used was 188.8.131.52, after which it closely followed each newly released version up to the latest Zloader version available to date – 184.108.40.206. However, its activity started to decline in the second half of 2021, and we haven’t seen any new activity from this botnet since late November 2021.
One of the most interesting activities of this affiliate is that it used Zloader’s ability to deploy arbitrary payloads to distribute malicious payloads to its bots. Most notably, it spread various ransomware families such as DarkSide, as highlighted by this research from Guidepoint Security. However, the botmaster did not deploy ransomware to all of their bots; they deployed this type of malware mostly on systems belonging to corporate networks. When installed on a system, Zloader gathers various information about the network its compromised host belongs to. This allows botnet operators to pick specific payloads depending on the victim’s network.
This affiliate was spreading their malicious Zloader samples mostly through spam emails with malicious documents attached to them. The Zloader static configuration contains a botnetID, allowing the botmaster to cluster different bots in different sub-botnets. The most prevalent botnetIDs for this affiliate in the last year of its operation were nut and kev.
This operator was also a bit more security aware compared to other Zloader customers and used a tiered architecture for their C&C servers. Typically, a simple proxy script was planted on an often legitimate but compromised website and it was used for tier1 C&C URLs in their bots. This script simply forwards all HTTP/HTTPS traffic from the bot onto the tier2 server, keeping the location of the real administration panel installation secret.
Besides using Zloader as an entry point for ransomware attacks, this affiliate also used Zloader’s adversary-in-the-browser (AitB) capabilities to steal victim information and alter the content of various financial institutions and e-commerce websites based in the USA and Canada.
This affiliate has been using Zloader since its early versions and is still active as of today. Despite the latest available version of Zloader being 220.127.116.11, this affiliate has stuck with version 18.104.22.168 since its release in October 2020. We can only speculate as to the reasons behind this. One hypothesis is that this affiliate did not pay to extend their support coverage for Zloader and thus does not have access to later versions.
The operator of this botnet used to depend solely on C&C domains generated by Zloader’s DGA and did not update their bots with a new C&C list for more than a year, meaning that all hardcoded C&C servers in their bots were inactive for a long time. This changed in November 2021 when this affiliate updated their bots with a list of new C&C servers and also updated the static configuration of newly distributed binaries to reflect this change. This effort was probably motivated by the fear of losing access to their botnet should anyone register and sinkhole all future DGA-generated domains for this actor.
Figure 4 shows the administration panel login page which was installed directly on the C&C server hardcoded in the bot’s static configuration.
Some notable botnetIDs used by this operator were: personal, googleaktualizacija and more recently return, 909222, 9092ti and 9092us.
Analysis of the webinjects downloaded by the bots in this affiliate’s botnet shows that the operator’s interests are very broad. They are apparently interested in gathering victims’ login credentials and other personal data from various financial institution websites (banks, stock trading platforms, etc.), e-commerce sites (such as Amazon, Best Buy, Walmart), cryptocurrency exchanges and even various online platforms such as Google and Microsoft. Particular focus was put on customers of financial institutions from the USA, Canada, Japan, Australia and Germany.
In addition to login credential harvesting, this affiliate also used Zloader to distribute various malware families, such as the Raccoon infostealer.
This threat actor uses various means to spread Zloader, with the misuse of Google Ads and bogus adult sites being its latest distribution methods of choice.
Starting in October 2020, fake adult sites started pushing malicious payloads to their visitors, posing as a Java update in an MSI package (with filename JavaPlug-in.msi) supposedly required to watch the requested video. This fake Java update package typically contained a downloader that downloaded Zloader itself as the final payload. Since April 2021, this scheme has been enhanced by adding a script that disables Microsoft Defender to further increase the chances of successfully compromising the system.
In June 2021, this affiliate also started to promote packages typically used in corporate environments. When internet users searched for a popular application to download, such as Zoom or TeamViewer, they might have been presented with a fake download site promoted via a Google Ad that tried to trick them into downloading a malicious package posing as the app they were searching for. This distribution method not only installed Zloader but could also install other potentially malicious tools, notably if the compromised system was part of an Active Directory domain. The notorious Cobalt Strike Beacon and Atera Agent were seen to be installed in such cases. These tools could grant the attacker complete control of the compromised system and may result in the theft of sensitive company data, the installation of other malware such as ransomware, and other malicious activity incurring significant losses for the company.
Figure 5 shows the logic to check if a system belongs to a domain. As seen below, Cobalt Strike Beacon is installed if the list of the system’s trusted domains is non-empty.
The latest iteration of this distribution method relied heavily on the aforementioned Atera Agent, which was usually downloaded from bogus adult sites. An example of what a visitor would see is shown in Figure 6.
Atera Agent is a legitimate “remote monitoring and management” solution used by IT companies to administer their customers’ systems. One of its features – remote script execution – was used in this campaign to deliver Zloader payloads and other malicious helper files. The purpose of these helper files was to support the installation process by executing specific tasks such as privilege escalation, execution of further samples, disabling of Windows Defender, etc.
These tasks were usually achieved via simple BAT files, but it is worth mentioning that attackers also exploited a known digital signature verification vulnerability to use legitimate, signed Windows executable files with malicious VBScripts appended to the end of the file, where the signature section is located (see Figure 7). For the PE file to remain valid, attackers also need to update the signature section length and the checksum in the PE header. This alteration of the file’s content does not invalidate its digital signature during the verification process, because the modified content is exempted from the verification process, so the file’s new malicious content may stay off the radar. This vulnerability is described, for example, in CVE-2012-0151 or CVE-2013-3900, and also in this blogpost by Check Point Research. Its fix is unfortunately disabled by default in Windows, and therefore it can still be misused by attackers on a large number of systems.
In the recent campaign, the Ursnif trojan was sometimes installed instead of Zloader, showing that this affiliate group does not rely on a single malware family but has more tricks up its sleeve. A typical scenario of this distribution method is displayed in Figure 8.
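As an added, defender-side illustration that is not part of the original post: the Python below locates a PE file’s Attribute Certificate Table and reports any bytes inside the WIN_CERTIFICATE entry that lie beyond the 8-byte-padded PKCS#7 blob, which is the space the technique above hides its script in and what the stricter padding check enabled by the CVE-2013-3900 fix rejects. The PE-shaped buffer and the PKCS#7 stand-in are constructed so the block runs offline; a real tool would walk every WIN_CERTIFICATE entry and fully parse the DER.

```python
import struct


def der_total_length(buf: bytes, off: int) -> int:
    """Total size (tag + length bytes + content) of the DER SEQUENCE at buf[off]."""
    if buf[off] != 0x30:
        raise ValueError("expected a DER SEQUENCE (PKCS#7 SignedData)")
    first = buf[off + 1]
    if first < 0x80:                                  # short-form length
        return 2 + first
    n = first & 0x7F                                  # long form: n length bytes follow
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")


def security_directory(pe: bytes):
    """(file offset, size) of the Attribute Certificate Table (data directory 4)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                           # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+ directory start
    return struct.unpack_from("<II", pe, dd + 4 * 8)


def trailing_bytes_in_signature(pe: bytes):
    """Bytes in the WIN_CERTIFICATE entry after the (8-byte padded) PKCS#7 blob.
    None for unsigned files, b"" for a signature with nothing appended."""
    off, size = security_directory(pe)
    if size == 0:
        return None
    dw_length, _revision, _cert_type = struct.unpack_from("<IHH", pe, off)
    pkcs7_len = der_total_length(pe, off + 8)
    padded = (pkcs7_len + 7) & ~7                     # spec pads the blob to 8 bytes
    return bytes(pe[off + 8 + padded:off + dw_length])


def build_sample_pe(pkcs7: bytes, trailer: bytes = b"") -> bytes:
    """Constructed, non-executable PE-shaped buffer: headers plus one certificate entry."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0)  # SizeOfOptionalHeader
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                 # PE32 fields before dirs
    padded = (len(pkcs7) + 7) & ~7
    cert = pkcs7 + b"\0" * (padded - len(pkcs7)) + trailer
    win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    cert_off = len(dos) + 4 + len(coff) + len(opt) + 16 * 8
    dirs = [(0, 0)] * 16
    dirs[4] = (cert_off, len(win_cert))                         # IMAGE_DIRECTORY_ENTRY_SECURITY
    dd = b"".join(struct.pack("<II", o, s) for o, s in dirs)
    return dos + b"PE\0\0" + coff + opt + dd + win_cert


# Stand-in for a PKCS#7 SignedData blob: a 12-byte DER SEQUENCE (constructed).
FAKE_PKCS7 = b"\x30\x0a" + b"\x06\x08\x2a\x86\x48\x86\xf7\x0d\x01\x07"


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(FAKE_PKCS7)),
                          ("padded", build_sample_pe(FAKE_PKCS7, b"CONSTRUCTED-TRAILING-BYTES"))):
        extra = trailing_bytes_in_signature(sample)
        print(f"{label}: {len(extra)} byte(s) after the PKCS#7 blob")
```

Some legitimate installers do carry trailing bytes here (the reason the stricter check is opt-in), so treat a non-empty result as a file to inspect rather than as a verdict.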
We relentlessly continue to track threats that are used to spread ransomware, which is an ongoing threat to internet security. As Zloader is available in underground forums, ESET Researchers will monitor any new activity tied to this malware family, following this disruption operation against its existing botnets.
| SHA-1 | Filename | ESET detection name | Description |
|---|---|---|---|
| 4858BC02452A266EA3E1A0DD84A31FA050134FB8 | 9092.dll | Win32/Kryptik.HNLQ trojan | Zloader return botnet as downloaded from https://teamworks455[.]com/_country/check.php |
| | us.dll | Win32/Kryptik.HODI trojan | Zloader 9092us botnet as downloaded from https://endoftheendi[.]com/us.dll |
| 462E242EF2E6BAD389DAB845C68DD41493F91C89 | N/A | Win32/Spy.Zbot.ADI trojan | Unpacked initial loader component of 9092us botnet. |
| 30D8BA32DAF9E18E9E3CE564FC117A2FAF738405 | N/A | Win32/Spy.Zbot.ADI trojan | Downloaded Zloader main core component (x86). |
| BD989516F902C0B4AFF7BCF32DB511452355D7C5 | N/A | Win64/Spy.Zbot.Q trojan | Downloaded Zloader main core component (x64). |
| E7D7BE1F1FE04F6708EFB8F0F258471D856F8F8F | N/A | Win32/Hvnc.AO trojan | Downloaded Zloader HVNC component (x86). |
| 5AA2F377C73A0E73E7E81A606CA35BC07331EF51 | N/A | Win64/Hvnc.AK trojan | Downloaded Zloader HVNC component (x64). |
| 23D38E876772A4E28F1B8B6AAF03E18C7CFE5757 | auto.bat | BAT/Agent.PHM trojan | Script used by Atera Agent distribution method. |
| 9D3E6B2F91547D891F0716004358A8952479C14D | new.bat | BAT/Agent.PHL trojan | Script used by Atera Agent distribution method. |
| 33FD41E6FD2CCF3DFB0FCB90EB7F27E5EAB2A0B3 | new1.bat | BAT/Shutdown.NKA trojan | Script used by Atera Agent distribution method. |
| 5A4E5EE60CB674B2BFCD583EE3641D7825D78221 | new2.bat | BAT/Shutdown.NKA trojan | Script used by Atera Agent distribution method. |
| 3A80A49EFAAC5D839400E4FB8F803243FB39A513 | adminpriv.exe | Win64/NSudo.A potentially unsafe application | NSudo tool used for privilege escalation by distribution scripts. |
| F3B3CF03801527C24F9059F475A9D87E5392DAE9 | reboot.dll | Win32/Agent.ADUM trojan | Signed file exploiting CVE-2013-3900 to hide malicious script commands. |
| A187D9C0B4BDB4D0B5C1D2BDBCB65090DCEE5D8C | TeamViewer.msi | Win64/TrojanDownloader.Agent.KY trojan | Malicious MSI installer containing downloader used to deliver Zloader. |
| F4879EB2C159C4E73139D1AC5D5C8862AF8F1719 | tvlauncher.exe | Win64/TrojanDownloader.Agent.KY trojan | Downloader used to deliver Zloader. |
| E4274681989347FABB22050A5AD14FE66FFDC000 | 12.exe | Win32/Kryptik.HOGN trojan | Raccoon infostealer downloaded by Zloader. |
| FA1DB6808D4B4D58DE6F7798A807DD4BEA5B9BF7 | racoon.exe | Win32/Kryptik.HODI trojan | Raccoon infostealer downloaded by Zloader. |
Domains and URLs used in distribution
- https://helpdesksupport072089339.servicedesk.atera[.]com/GetAgent/Msi/?customerId=1&[email protected]
- https://helpdesksupport350061558.servicedesk.atera[.]com/GetAgent/Msi/?customerId=1&[email protected]r.info
Latest Zloader C&C servers
URLs used to download arbitrary malware
Domains used in recent Zloader’s Webinjects attacks
MITRE ATT&CK techniques
This table was built using version 10 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Several domains were acquired to support C&C. |
| Resource Development | T1583.004 | Acquire Infrastructure: Server | Several servers were used to host Zloader infrastructure. |
| Resource Development | T1584.004 | Compromise Infrastructure: Server | Some legitimate websites were compromised to host parts of Zloader infrastructure. |
| Resource Development | T1587.001 | Develop Capabilities: Malware | Zloader is malware targeting users of the Windows operating system. |
| Resource Development | T1587.002 | Develop Capabilities: Code Signing Certificates | Some of the distribution methods use signed malicious binaries. |
| Resource Development | T1587.003 | Develop Capabilities: Digital Certificates | Digital certificates are used in HTTPS traffic. |
| Resource Development | T1588.001 | Obtain Capabilities: Malware | Various malware samples are used to distribute Zloader or are distributed by Zloader itself. |
| Resource Development | T1588.002 | Obtain Capabilities: Tool | Various legitimate tools and libraries are used to support Zloader tasks. |
| Resource Development | T1588.006 | Obtain Capabilities: Vulnerabilities | CVE-2013-3900 is exploited in one of the distribution methods. |
| Initial Access | T1189 | Drive-by Compromise | Google Ads and fake websites are used to lure victims into downloading malicious installers. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell commands are used to support some distribution methods. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Batch files are used to support some distribution methods. |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | VBScript is used to launch the main Zloader payload. |
| Execution | T1106 | Native API | Zloader makes heavy use of dynamic Windows API resolution. |
| Execution | T1204.001 | User Execution: Malicious Link | Zloader is commonly distributed through malicious links. |
| Execution | T1204.002 | User Execution: Malicious File | Zloader is commonly distributed via malicious MSI installers. |
| Execution | T1047 | Windows Management Instrumentation | Zloader uses WMI to gather various system information. |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Zloader uses a registry run key to establish persistence. |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Several methods are used to bypass UAC mechanisms. |
| Defense Evasion | T1055.001 | Process Injection: Dynamic-link Library Injection | Zloader injects its modules into several processes. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Zloader stores its modules in an encrypted form to hide their presence. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Some distribution methods disable Windows Defender prior to the installation of Zloader. |
| Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | Some components of Zloader or its distribution method are removed after successful installation. |
| Defense Evasion | T1036.001 | Masquerading: Invalid Code Signature | Some installers have been signed using invalid certificates to make them seem more legitimate. |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Some installers mimic names of legitimate applications. |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Zloader’s code is obfuscated and its payload is usually packed. |
| Defense Evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | Browser certificates are installed to support AitB attacks. |
| Credential Access | T1557 | Adversary-in-the-Middle | Zloader leverages AitB techniques to intercept selected HTTP/HTTPS traffic. |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Zloader can gather saved credentials from browsers. |
| Credential Access | T1056.001 | Input Capture: Keylogging | Zloader can capture keystrokes and send them to its C&C server. |
| Credential Access | T1539 | Steal Web Session Cookie | Zloader can gather cookies saved by browsers. |
| Discovery | T1482 | Domain Trust Discovery | Zloader gathers information about domain trust relationships. |
| Discovery | T1083 | File and Directory Discovery | Zloader can search for various documents and cryptocurrency wallets. |
| Discovery | T1057 | Process Discovery | Zloader enumerates running processes. |
| Discovery | T1012 | Query Registry | Zloader queries registry keys to gather various system information. |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery | A WMI command is used to discover installed security software. |
| Discovery | T1082 | System Information Discovery | Zloader gathers various system information and sends it to its C&C. |
| Discovery | T1016 | System Network Configuration Discovery | Network interface information is gathered and sent to the C&C. |
| Discovery | T1033 | System Owner/User Discovery | The username is used to generate a botID that identifies a system in a botnet. |
| Discovery | T1124 | System Time Discovery | Information about the system’s time zone is sent to the C&C. |
| Collection | T1560.003 | Archive Collected Data: Archive via Custom Method | Zloader uses RC4 and XOR to encrypt data before sending it to the C&C. |
| Collection | T1005 | Data from Local System | Zloader can collect documents and cryptocurrency wallets. |
| Collection | T1074.001 | Data Staged: Local Data Staging | Zloader saves its collected data to a file prior to exfiltration. |
| Collection | T1113 | Screen Capture | Zloader has the ability to create screenshots of windows of interest. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Zloader uses HTTP/HTTPS for C&C communication. |
| Command and Control | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | A DGA is used as a fallback in samples since 2020-03. |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | RC4 is used for C&C traffic encryption. Some of the data is additionally XOR encrypted. |
| Command and Control | T1008 | Fallback Channels | Multiple C&C servers are usually present in Zloader configurations to avoid relying on just one. A DGA is also implemented. |
| Command and Control | T1219 | Remote Access Software | The HiddenVNC module is used to support remote access. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Zloader exfiltrates gathered data over its C&C communication. |
| Impact | T1490 | Inhibit System Recovery | Some of the distribution methods disable the Windows recovery function through bcdedit.exe. |
| Impact | T1489 | Service Stop | Some of the distribution methods disable the Windows Defender service. |
| Impact | T1529 | System Shutdown/Reboot | Some of the distribution methods shut down the system after the initial compromise. |