eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
In December 2023, the Incident Handling Team responded to an intrusion incident. The investigation faced some challenges due to insufficient visibility and logging, making identifying the precise initial access method challenging. However, there's a potential that the breach occurred through Citrix exploitation, in light of the increased incidents of Citrix vulnerabilities we noted around that period, particularly involving Citrix Bleed (CVE-2023-4966) and related Citrix processes.
The threat actor(s) dropped the following files on one of the affected hosts:
100_x64.ps1 – obfuscated PowerShell script containing the Cobalt Strike payload (the payload connects to 45.152.114.10 (theerealtruthnews[.]com:443/knock.json))
Dns84.exe – Cobalt Strike payload (the payload connects to 225.197.198.102 (dns.newstibulum[.]com/tow))
Stotri.exe – Cobalt Strike payload (the payload connects to newstibulum[.]com)
Stotri.dll – Cobalt Strike payload
GrapheneMatrix.exe – Zloader
In this article, we will focus on analyzing Zloader.
Zloader Malware
In January 2024, Zscaler published a blog discussing the resurgence of Zloader, also known as SilentNight (in Russian “Тихая Ночь”). Zloader is a variant of the Zeus banking trojan that first appeared around 2020 and is capable of delivering additional payloads, including infostealers, hVNC (hidden Virtual Network Computing), and HTTP Grabbers.
Zloader initially verifies that its process is named 'GrapheneMatrix.exe.' If the names do not match, the loader terminates. This technique is used by Zloader to ensure it has not been renamed or tampered with, which might suggest that it is under analysis in a sandbox or by security researchers.
The string decryption function is shown in Figure 1 and relies on XOR.
Figure 1: String decryption
In order to make the analysis process easier, the IDAPython script was written to decrypt the strings. You can access it here.
Zloader injects the payload into the “msiexec.exe” process by initially creating it in a suspended state and allocating 2,101,248 bytes, approximately 2 MB, for the payload. To perform the process injection more stealthily, it uses three direct syscalls to native API functions:
NtAllocateVirtualMemory: allocates memory within the virtual address space of a specified process
NtWriteVirtualMemory: writes data to the previously allocated memory area
NtResumeThread: resumes a thread that has been suspended
Before executing the syscall, the code sets up the appropriate system call number in EAX. In this case, 18 corresponds to the system call number for NtAllocateVirtualMemory in the Windows Native API (Figure 2). The syscall instruction will use the value in EAX to determine which system function to execute in kernel mode. This is an essential part of the process for performing system calls directly from user mode code.
Figure 2: Direct syscalls
The mentioned native APIs are obfuscated through the previously referenced string encryption method.
Zloader calls the API functions dynamically and uses API hashing for the rest of the APIs used in the sample. The API hashing function (Figure 3) computes a hash by iterating over each character of an input string, adjusting its ASCII value by one, and then folding it into an accumulator through repeated multiplication by 16.
This process effectively shifts the accumulating value left by four bits, integrating the character values in a hexadecimal format. The function ensures the result stays within 32 bits using specific bitwise operations and finally combines the accumulator with a predefined seed using bitwise NOT and OR operations to generate a unique hash for the string.
Figure 3: API hashing function
The DLL libraries are referenced by numerical identifiers as indices to dynamically retrieve and decrypt the names of DLL libraries from obfuscated strings (Figure 4).
Figure 4: Numerical identifiers are used to reference specific DLL libraries
Some DLL identifiers and hashing values in the binary go through additional calculations as well within the “mw_num_gen” function to produce the final value (Figure 5). You can access the IDAPython script to comment and resolve the hashes here.
Figure 5: The mw_num_gen function
Zloader encrypts registry data (in our sample, it’s under “HKEY_CURRENT_USER\Software\Microsoft\hcdg”) using an RSA public key, which is subsequently processed by the RC4 encryption function and visual encryption.
This encrypted data includes the path to a duplicate copy of the Zloader payload located under the “AppData\Roaming\” folder (for example, “AppData\Roaming\pfjsqg”). Additionally, the data encapsulates the computer's name, username, the “InstallDate” value retrieved from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, as well as the campaign ID and botnet ID.
Figure 6: Registry data to be encrypted
In one of the samples, we observed different modules being delivered, including Client64.dll, Client32.dll (the module is responsible for setting up reverse connections), HttpGrabber.dll (the module intercepts and manipulates web browser traffic, altering webpage content as needed), SoftwareGrabber.dll, ftp64.dll, Vnc32.dll, and Vnc64.dll (VNC module).
Due to time constraints, our focus will be on particularly noteworthy modules.
SoftwareGrabber module (MD5: bbbc51064235f7a8dc30bfc8ecc59e00) is responsible for extracting browser and cryptowallet data; the decrypted strings are shown in the table below:
The decrypted strings from the FTP module suggest that the module is responsible for interacting with the victim’s FTP server, including exfiltrating data and delivering additional payloads to the server:
The Zloader malware continues to evolve, using techniques like process injection, direct syscalls, and string encryption to evade detection and complicate analysis. Its ability to deliver additional payloads, such as infostealers and VNC modules, highlights its adaptability and the ongoing threat it poses to sensitive data.
Understanding the tactics is important in developing effective countermeasures to protect systems from similar intrusions.
How eSentire is Responding
The eSentire Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Implementing threat detections and BlueSteel, our machine-learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts and ensure that eSentire has visibility and detections are in place across eSentire MDR for Endpoint.
Performing global threat hunts for indicators associated with Zloader.
Developing detection rules for eSentire MDR for Endpoint to identify Zloader activity.
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
Recommendations from eSentire's Threat Response Unit (TRU)
Patch any external-facing devices and applications on an ongoing basis. Conduct regular vulnerability scans to ensure your team is staying on top of patching and identifying all known vulnerabilities.
MITRE ATT&CK
Tactic
Technique
ID
Description
Execution
Command and Scripting Interpreter
T1059.001
Use of obfuscated PowerShell script (100_x64.ps1)
Execution
Process Injection
T1055
Zloader injects payload into “msiexec.exe” via NtAllocateVirtualMemory, NtWriteVirtualMemory, NtResumeThread API calls
Defense Evasion
Obfuscated Files or Information
T1027
Obfuscation of strings and API calls in Zloader
Defense Evasion
API Function Hooking
T1562.001
Zloader uses direct syscalls to avoid user-mode detection
Credential Access
Input Capture
T1056.004
Zloader delivers infostealers capable of capturing credentials
Command and Control
Encrypted Channel
T1573
Cobalt Strike uses encrypted communication with its command and control servers
Exfiltration
Exfiltration Over Alternative Protocol
T1048.003
FTP-based exfiltration for data and payload delivery
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
