Blog

TRU Malware Analysis: The Intrusion Case Involving Zloader

BY eSentire Threat Response Unit (TRU)

September 11, 2024 | 7 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

In December 2023, the Incident Handling Team responded to an intrusion incident. The investigation faced some challenges due to insufficient visibility and logging, making identifying the precise initial access method challenging. However, there's a potential that the breach occurred through Citrix exploitation, in light of the increased incidents of Citrix vulnerabilities we noted around that period, particularly involving Citrix Bleed (CVE-2023-4966) and related Citrix processes.

The threat actor(s) dropped the following files on one of the affected hosts:

In this article, we will focus on analyzing Zloader.

Zloader Malware

In January 2024, Zscaler published a blog discussing the resurgence of Zloader, also known as SilentNight (in Russian “Тихая Ночь”). Zloader is a variant of the Zeus banking trojan that first appeared around 2020 and is capable of delivering additional payloads, including infostealers, hVNC (hidden Virtual Network Computing), and HTTP Grabbers.

Zloader initially verifies that its process is named 'GrapheneMatrix.exe.' If the names do not match, the loader terminates. This technique is used by Zloader to ensure it has not been renamed or tampered with, which might suggest that it is under analysis in a sandbox or by security researchers.

The string decryption function is shown in Figure 1 and relies on XOR.

Figure 1: String decryption
Figure 1: String decryption 

In order to make the analysis process easier, the IDAPython script was written to decrypt the strings.

Zloader injects the payload into the “msiexec.exe” process by initially creating it in a suspended state and allocating 2,101,248 bytes, approximately 2 MB, for the payload. To perform the process injection more stealthily, it uses three direct syscalls to native API functions:

Before executing the syscall, the code sets up the appropriate system call number in EAX. In this case, 18 corresponds to the system call number for NtAllocateVirtualMemory in the Windows Native API (Figure 2). The syscall instruction will use the value in EAX to determine which system function to execute in kernel mode. This is an essential part of the process for performing system calls directly from user mode code.

Figure 2: Direct syscalls
Figure 2: Direct syscalls 

The mentioned native APIs are obfuscated through the previously referenced string encryption method.

Zloader calls the API functions dynamically and uses API hashing for the rest of the APIs used in the sample. The API hashing function (Figure 3) computes a hash by iterating over each character of an input string, adjusting its ASCII value by one, and then folding it into an accumulator through repeated multiplication by 16.

This process effectively shifts the accumulating value left by four bits, integrating the character values in a hexadecimal format. The function ensures the result stays within 32 bits using specific bitwise operations and finally combines the accumulator with a predefined seed using bitwise NOT and OR operations to generate a unique hash for the string.

Figure 3: API hashing function
Figure 3: API hashing function 

The DLL libraries are referenced by numerical identifiers as indices to dynamically retrieve and decrypt the names of DLL libraries from obfuscated strings (Figure 4).

Figure 4: Numerical identifiers are used to reference specific DLL libraries
Figure 4: Numerical identifiers are used to reference specific DLL libraries 

Some DLL identifiers and hashing values in the binary go through additional calculations as well within the “mw_num_gen” function to produce the final value (Figure 5).

Figure 5: The mw_num_gen function
Figure 5: The mw_num_gen function 

Zloader encrypts registry data (in our sample, it’s under “HKEY_CURRENT_USER\Software\Microsoft\hcdg”) using an RSA public key, which is subsequently processed by the RC4 encryption function and visual encryption.

This encrypted data includes the path to a duplicate copy of the Zloader payload located under the “AppData\Roaming\” folder (for example, “AppData\Roaming\pfjsqg”). Additionally, the data encapsulates the computer's name, username, the “InstallDate” value retrieved from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, as well as the campaign ID and botnet ID.

Figure 6: Registry data to be encrypted
Figure 6: Registry data to be encrypted 

In one of the samples, we observed different modules being delivered, including Client64.dll, Client32.dll (the module is responsible for setting up reverse connections), HttpGrabber.dll (the module intercepts and manipulates web browser traffic, altering webpage content as needed), SoftwareGrabber.dll, ftp64.dll, Vnc32.dll, and Vnc64.dll (VNC module).

Due to time constraints, our focus will be on particularly noteworthy modules.

SoftwareGrabber module (MD5: bbbc51064235f7a8dc30bfc8ecc59e00) is responsible for extracting browser and cryptowallet data; the decrypted strings are shown in the table below:

\Google\Chrome\User Data

Login Data

Bitcoin-Qt

Software\Bitcoin

AES

ChainingModeGCM

ChainingMode

\Google\Chrome\User Data\Local State

Litecoin-Qt

.tmp

wallet_path

Software\monero-project\monero-core-

\Monero\Wallets

File

C:

0:0

S:(ML;;NRNWNX;;;LW)

S:(ML;CIOI;NRNWNX;;;LW)

ntdll.dll

%s

"%s" %s

Dash-Qt

Software\Dash

ntdll.dll

kernel32.dll

%s\tmp_%08x

C:\Program Files\Google\Chrome\Application\chrome.exe

\armory

\electrum\wallets

.wallet

\multibit#-

\exodus\exodus.wallet

\WalletWasabi\Client\Wallets

\atomic\local storage\leveldb

\ethereum\keystore

\jaxx\local storage

\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb

.dat

\zcash

\bytecoin

\Daedalus Mainnet\Local Storage\leveldb

The decrypted strings from the FTP module suggest that the module is responsible for interacting with the victim’s FTP server, including exfiltrating data and delivering additional payloads to the server:

NtProtectVirtualMemory

NtResumeThread

C:\Windows\System32\ntdll.dll

NtCreateThreadEx

ntdll.dll

kernel32.dll

user32.dll

shlwapi.dll

iphlpapi.dll

urlmon.dll

ws2_32.dll

crypt32.dll

shell32.dll

advapi32.dll

gdiplus.dll

gdi32.dll

ole32.dll

psapi.dll

cabinet.dll

imagehlp.dll

netapi32.dll

wtsapi32.dll

mpr.dll

wininet.dll

userenv.dll

bcrypt.dll

dnsapi.dll

ftllib.dll

rpcrt4.dll

winscard.dll

ncrypt.dll

secur32.dll

samlib.dll

winsta.dll

wldap32.dll

version.dll

dxgi.dll

MSIMG32.dll

NtOpenSection

NtOpenProcess

NtCreateUserProcess

NtAllocateVirtualMemory

NtWriteVirtualMemory

NtGetContextThread

NtSetContextThread

{%08X-%04X-%04X-%08X%08X}

|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq

127.0.0.1

331 pretend login accepted

230 fake user logged in

215 FTP

227 Entering Passive Mode (%s,%d,%d)

257 "%S"

550 Path permission error

250 DELE command successful.

550 Permission denied

257 Directory created

250 RMD command successful

350 File Exists

250 RNTO command successful

226 Aborted

550 Could not change directory

250 CWD command successful

200 Type set to I

200 OK

200 PORT command successful

211-FEATURES:

500 command not recognized

221 goodbye

500 command not implemented

150 Opening connection

10/10/2023

%cr%c-r%c-r%c- 1 root root 0 %s %c

226 Transfer Complete

%b %d %Y

%cr%c-r%c-r%c- 1 root root %7u %s

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

150 Opening BINARY mode data connection

RtlGetVersion

S-1-15

550 not a plain file

213 %04d%02d%02d%02d%02d%02d

213 %u

bcdfghklmnpqrstvwxz

aeiouy

br

hr

tr

td

div

h1

h2

h3

h4

h5

h6

li

script

nbsp;

Global\

Local\

/

HTTP/1.1

POST

GET

Connection: close\r\n\

426 Broken pipe

The Zloader malware continues to evolve, using techniques like process injection, direct syscalls, and string encryption to evade detection and complicate analysis. Its ability to deliver additional payloads, such as infostealers and VNC modules, highlights its adaptability and the ongoing threat it poses to sensitive data.

Understanding the tactics is important in developing effective countermeasures to protect systems from similar intrusions.

How eSentire is Responding

The eSentire Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire's Threat Response Unit (TRU)

MITRE ATT&CK

Tactic

Technique

ID

Description

Execution

Command and Scripting Interpreter

T1059.001

Use of obfuscated PowerShell script (100_x64.ps1)

Execution

Process Injection

T1055

Zloader injects payload into “msiexec.exe” via NtAllocateVirtualMemory, NtWriteVirtualMemory, NtResumeThread API calls

Defense Evasion

Obfuscated Files or Information

T1027

Obfuscation of strings and API calls in Zloader

Defense Evasion

API Function Hooking

T1562.001

Zloader uses direct syscalls to avoid user-mode detection

Credential Access

Input Capture

T1056.004

Zloader delivers infostealers capable of capturing credentials

Command and Control

Encrypted Channel

T1573

Cobalt Strike uses encrypted communication with its command and control servers

Exfiltration

Exfiltration Over Alternative Protocol

T1048.003

FTP-based exfiltration for data and payload delivery

Detection

You can access the detection rules here.

Indicators of Compromise

You can access the indicators of compromise here.

References

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire