Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
In December 2023, the Incident Handling Team responded to an intrusion incident. The investigation faced some challenges due to insufficient visibility and logging, making identifying the precise initial access method challenging. However, there's a potential that the breach occurred through Citrix exploitation, in light of the increased incidents of Citrix vulnerabilities we noted around that period, particularly involving Citrix Bleed (CVE-2023-4966) and related Citrix processes.
The threat actor(s) dropped the following files on one of the affected hosts:
In this article, we will focus on analyzing Zloader.
In January 2024, Zscaler published a blog discussing the resurgence of Zloader, also known as SilentNight (in Russian “Тихая Ночь”). Zloader is a variant of the Zeus banking trojan that first appeared around 2020 and is capable of delivering additional payloads, including infostealers, hVNC (hidden Virtual Network Computing), and HTTP Grabbers.
Zloader initially verifies that its process is named 'GrapheneMatrix.exe.' If the names do not match, the loader terminates. This technique is used by Zloader to ensure it has not been renamed or tampered with, which might suggest that it is under analysis in a sandbox or by security researchers.
The string decryption function is shown in Figure 1 and relies on XOR.
In order to make the analysis process easier, the IDAPython script was written to decrypt the strings.
Zloader injects the payload into the “msiexec.exe” process by initially creating it in a suspended state and allocating 2,101,248 bytes, approximately 2 MB, for the payload. To perform the process injection more stealthily, it uses three direct syscalls to native API functions:
Before executing the syscall, the code sets up the appropriate system call number in EAX. In this case, 18 corresponds to the system call number for NtAllocateVirtualMemory in the Windows Native API (Figure 2). The syscall instruction will use the value in EAX to determine which system function to execute in kernel mode. This is an essential part of the process for performing system calls directly from user mode code.
The mentioned native APIs are obfuscated through the previously referenced string encryption method.
Zloader calls the API functions dynamically and uses API hashing for the rest of the APIs used in the sample. The API hashing function (Figure 3) computes a hash by iterating over each character of an input string, adjusting its ASCII value by one, and then folding it into an accumulator through repeated multiplication by 16.
This process effectively shifts the accumulating value left by four bits, integrating the character values in a hexadecimal format. The function ensures the result stays within 32 bits using specific bitwise operations and finally combines the accumulator with a predefined seed using bitwise NOT and OR operations to generate a unique hash for the string.
The DLL libraries are referenced by numerical identifiers as indices to dynamically retrieve and decrypt the names of DLL libraries from obfuscated strings (Figure 4).
Some DLL identifiers and hashing values in the binary go through additional calculations as well within the “mw_num_gen” function to produce the final value (Figure 5).
Zloader encrypts registry data (in our sample, it’s under “HKEY_CURRENT_USER\Software\Microsoft\hcdg”) using an RSA public key, which is subsequently processed by the RC4 encryption function and visual encryption.
This encrypted data includes the path to a duplicate copy of the Zloader payload located under the “AppData\Roaming\” folder (for example, “AppData\Roaming\pfjsqg”). Additionally, the data encapsulates the computer's name, username, the “InstallDate” value retrieved from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, as well as the campaign ID and botnet ID.
In one of the samples, we observed different modules being delivered, including Client64.dll, Client32.dll (the module is responsible for setting up reverse connections), HttpGrabber.dll (the module intercepts and manipulates web browser traffic, altering webpage content as needed), SoftwareGrabber.dll, ftp64.dll, Vnc32.dll, and Vnc64.dll (VNC module).
Due to time constraints, our focus will be on particularly noteworthy modules.
SoftwareGrabber module (MD5: bbbc51064235f7a8dc30bfc8ecc59e00) is responsible for extracting browser and cryptowallet data; the decrypted strings are shown in the table below:
\Google\Chrome\User Data |
Login Data |
Bitcoin-Qt |
Software\Bitcoin |
AES |
ChainingModeGCM |
ChainingMode |
\Google\Chrome\User Data\Local State |
Litecoin-Qt |
.tmp |
wallet_path |
Software\monero-project\monero-core- |
\Monero\Wallets |
File |
C: |
0:0 |
S:(ML;;NRNWNX;;;LW) |
S:(ML;CIOI;NRNWNX;;;LW) |
ntdll.dll |
%s |
"%s" %s |
Dash-Qt |
Software\Dash |
ntdll.dll |
kernel32.dll |
%s\tmp_%08x |
C:\Program Files\Google\Chrome\Application\chrome.exe |
\armory |
\electrum\wallets |
.wallet |
\multibit#- |
\exodus\exodus.wallet |
\WalletWasabi\Client\Wallets |
\atomic\local storage\leveldb |
\ethereum\keystore |
\jaxx\local storage |
\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb |
.dat |
\zcash |
\bytecoin |
\Daedalus Mainnet\Local Storage\leveldb |
The decrypted strings from the FTP module suggest that the module is responsible for interacting with the victim’s FTP server, including exfiltrating data and delivering additional payloads to the server:
NtProtectVirtualMemory |
NtResumeThread |
C:\Windows\System32\ntdll.dll |
NtCreateThreadEx |
ntdll.dll |
kernel32.dll |
user32.dll |
shlwapi.dll |
iphlpapi.dll |
urlmon.dll |
ws2_32.dll |
crypt32.dll |
shell32.dll |
advapi32.dll |
gdiplus.dll |
gdi32.dll |
ole32.dll |
psapi.dll |
cabinet.dll |
imagehlp.dll |
netapi32.dll |
wtsapi32.dll |
mpr.dll |
wininet.dll |
userenv.dll |
bcrypt.dll |
dnsapi.dll |
ftllib.dll |
rpcrt4.dll |
winscard.dll |
ncrypt.dll |
secur32.dll |
samlib.dll |
winsta.dll |
wldap32.dll |
version.dll |
dxgi.dll |
MSIMG32.dll |
NtOpenSection |
NtOpenProcess |
NtCreateUserProcess |
NtAllocateVirtualMemory |
NtWriteVirtualMemory |
NtGetContextThread |
NtSetContextThread |
{%08X-%04X-%04X-%08X%08X} |
|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq |
127.0.0.1 |
331 pretend login accepted |
230 fake user logged in |
215 FTP |
227 Entering Passive Mode (%s,%d,%d) |
257 "%S" |
550 Path permission error |
250 DELE command successful. |
550 Permission denied |
257 Directory created |
250 RMD command successful |
350 File Exists |
250 RNTO command successful |
226 Aborted |
550 Could not change directory |
250 CWD command successful |
200 Type set to I |
200 OK |
200 PORT command successful |
211-FEATURES: |
500 command not recognized |
221 goodbye |
500 command not implemented |
150 Opening connection |
10/10/2023 |
%cr%c-r%c-r%c- 1 root root 0 %s %c |
226 Transfer Complete |
%b %d %Y |
%cr%c-r%c-r%c- 1 root root %7u %s |
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ |
150 Opening BINARY mode data connection |
RtlGetVersion |
S-1-15 |
550 not a plain file |
213 %04d%02d%02d%02d%02d%02d |
213 %u |
bcdfghklmnpqrstvwxz |
aeiouy |
br |
hr |
tr |
td |
div |
h1 |
h2 |
h3 |
h4 |
h5 |
h6 |
li |
script |
nbsp; |
Global\ |
Local\ |
/ |
HTTP/1.1 |
POST |
GET |
Connection: close\r\n\ |
426 Broken pipe |
|
|
|
The Zloader malware continues to evolve, using techniques like process injection, direct syscalls, and string encryption to evade detection and complicate analysis. Its ability to deliver additional payloads, such as infostealers and VNC modules, highlights its adaptability and the ongoing threat it poses to sensitive data.
Understanding the tactics is important in developing effective countermeasures to protect systems from similar intrusions.
The eSentire Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
Tactic |
Technique |
ID |
Description |
Execution |
Command and Scripting Interpreter |
T1059.001 |
Use of obfuscated PowerShell script (100_x64.ps1) |
Execution |
Process Injection |
T1055 |
Zloader injects payload into “msiexec.exe” via NtAllocateVirtualMemory, NtWriteVirtualMemory, NtResumeThread API calls |
Defense Evasion |
Obfuscated Files or Information |
T1027 |
Obfuscation of strings and API calls in Zloader |
Defense Evasion |
API Function Hooking |
T1562.001 |
Zloader uses direct syscalls to avoid user-mode detection |
Credential Access |
Input Capture |
T1056.004 |
Zloader delivers infostealers capable of capturing credentials |
Command and Control |
Encrypted Channel |
T1573 |
Cobalt Strike uses encrypted communication with its command and control servers |
Exfiltration |
Exfiltration Over Alternative Protocol |
T1048.003 |
FTP-based exfiltration for data and payload delivery |
You can access the detection rules here.
You can access the indicators of compromise here.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.