Introduction
Zloader, also known as Terdot, DELoader, or Silent Night, is modular malware that originates from the leaked source code of Zeus banking trojan. Initially observed publicly in 2016[1] during a targeted campaign against German banks, it has since released over twenty versions and has expanded its capabilities and techniques, transforming from a classic banking trojan into a sophisticated modular malware framework able to support information stealing, command and control, discovery and the deployment of second stage payloads. Zloader has previously been linked to ransomware infections resulting in the deployment of Ryuk[2], DarkSide[3], and Egregor[4] ransomware.
In April 2022 security researchers, led by Microsoft[5], disrupted key Zloader infrastructure resulting in Zloader virtually disappearing from intrusions. However almost two years later, in September 2023, two new versions were identified[6] with significant improvement including enhanced obfuscation techniques, updated DGA (Domain Generation Algorithm), RSA encryption and now for the first time Zloader is compiled for 64-bit Windows OS.
In this article we will discuss the latest updates in Zloader versions 2.1.6.0 and 2.1.7.0, highlighting their new features and demonstrating how FortiEDR is able to effectively identify and block Zloader's activity. Multiple new instances have emerged from the new campaign, each employing different methods of obfuscation, yet the behavior is largely the same. FortiEDR’s behavior-based analysis excels at identifying these new versions of Zloader regardless of the observed obfuscation techniques.
At the end of this article we have provided associated IOCs, MITRE ATT&CK mapping and threat hunting queries to support proactive detection efforts for Zloader infections.
For demonstration purposes we have configured FortiEDR’s protection mode to simulation, allowing the malware to run without interference. Protection mode configured to “Prevention” would block all detected activity.
Attack Diagram
Figure 1. Attack diagram of Zloader
Analysis
Zloader has always employed numerous techniques designed for sandbox detection and to inhibit analysis. One of these techniques is API Import Hashing. This technique calculates hashes of import functions used by malware and resolves them dynamically during runtime. This technique complicates the analysis process by obscuring import functions that could reveal a malware’s capabilities. The new versions of Zloader continue to employ this technique but the Zloader developers have made the hash calculation more complex.
Figure 2. CFF Explorer tool screenshot showing only one function as imported while there are others hidden from the analyst.
Static analysis of payload ‘EpsilonApp.exe’ instance revealed additional API functions that were hidden using API import hashing. As shown in Figure 3, the selection of obfuscated API functions suggesting the payload likely has capabilities to run code from a memory of another process and perform thread manipulation.
Figure 3. FLOSS tool[7] output showing deobfuscated API functions.
In addition to improving the API Import Hashing implementation, the latest version of Zloader also introduces several new features that enhance its complexity for analysis. Sandboxes often change the name of the samples as part of their analysis process to streamline any automation. To identify sandboxes, the new Zloader variants check payload’s filename before execution to ensure it matches the filename configured within the code. If Zloader determines that it is operating within a sandbox it will terminate its execution.
According to ThreatLabz’s article[8] Zloader specifies predefined static configuration parameters in a data structure within the code. These parameters include botnet ID, encryption key, campaign name and Command-and-control (C2) servers. These parameters were previously encrypted using RC4 with a hard-coded alphanumeric key. In the new version the parameters of botnet ID, campaign name and C2s are set at fixed offset and RSA public key replaces the only RC4 key previously used for encryption. Whilst this impacts the ability to extract Zloader configurations from malicious samples, this additional complexity does not impact FortiEDR’s behavioral detections.
Another change the threat actors made in Zloader is update Domain Generator Algorithm (DGA). This algorithm uses timestamp as a parameter to dynamically generate multiple domains in case the main C2 is not available. This algorithm is used by threat actors to reduce effectiveness of threat intelligence to block C2 communications. The change involves different implementation of the algorithm allowing threat actors to generate a certain amount of domains per day. FortiEDR does not solely rely on the use of known C2 domains for detection so the use of a DGA does not impact its ability to detect and block Zloader C2 communications.
Lastly, whilst Zloader’s network communication continues to be over HTTP POST requests the encryption method has been updated, now employing a combination of RSA, RC4 and Zeus’s XOR-based algorithm. This may affect the ability to decode C2 communications but does not impact FortiEDR’s ability to detect attempted network connections.
Attack chain:
Zloader employs various techniques to gain initial access with phishing emails and malicious search engine ads being the most prevalent, luring the victims to download malicious files. Early versions of Zloader would deploy the main Zloader payload immediately following initial access. However, as later versions emerged threat actors involved a few additional actions such as dropping supporting files, performing discovery, and disabling AV tools prior to executing the main Zloader payload.
Our analysis starts with execution of the Zloader payload (.exe file) which we named according to how the malware is expected to be executed. Upon execution, FortiEDR detects the sample based on known file signatures which triggers the ‘Malicious File Detected’ rule from the ‘Execution Prevention’ security
policy as shown in Figure 4. The Zloader sample is detected as “Agent_AGen.BGJ!tr”[9] according to FortiGuard Labs which indicates a trojan capable of establishing remote connections, capturing keyboard input, collecting data and downloading malicious files.
Figure 4. FortiEDR generates security event detecting Zloader payload as Malicious File.
In addition to ‘Malicious file detected’ rule, Zloader triggered two other static detection based rules - ‘Unconfirmed Executable’ and ‘Invalid Checksum’ from the Exfiltration Prevention security policy as shown in Figure 5. The ‘Unconfirmed Executable’ rule was triggered because the ‘EpsilonApp.exe’ payload was determined to have a medium likelihood of being malicious based on static tests performed on the file by the FortiEDR. The ‘Invalid Checksum’ rule triggered because the file undergoes alterations during runtime which causes different checksum compared to original file.
Figure 5. FortiEDR security event detecting EpsilonApp.exe Zloader instance as Unconfirmed executable and has invalid checksum.
The first action Zloader does is creating a copy of itself in a local directory C:\Users\<user>\AppData\Roaming\pfjsqg\’ as seen in Figure 6. This allows the malware to blend in among AppData’s legitimate files and folders. Since the folder is hidden from the user, accidental detection or deletion of the malicious folder is less likely to occur. This location serves as an effective means to evade detection.
Figure 6. FortiEDR Threat Hunting telemetry of payload copy creation.
When the Zloader instance ‘EpsilonApp.exe spawns msiexec.exe process it performs code injection into msiexec.exe process, a legitimate component of Microsoft Software Installer. This behavior was performed to evade detection of security tools and it triggered the ‘Unmapped Executable’ and ‘Process Injection’ rules from Exfiltration Prevention security policy. This trigger was caused by malicious code injected into memory of a legitimate Microsoft process, msiexec.exe, responsible for program installations. Despite code injection, the file’s hash remained unchanged and still appears as signed by Microsoft. This technique is commonly employed by threat actors to perform malicious activity on behalf of legitimate processes and by this evade detection.
When ‘Unmapped Executable’ rule is triggered FortiEDR automatically dumps the code from memory allowing security analysts and researchers to analyze this piece of code fragment. Alternatively, if still present on the compromised endpoint, FortiEDR can be used to retrieve the injected in-memory payload through its retrieve function[10].
The injected msiexec.exe process attempts to establish communication with its C2 server via HTTP web requests. Most of the detected connections were made to two URLs, https[:]//adslstickerni[.]world and https://adslstickerhi[.]world . FortiGuard Central Threat System (CTS) detects these URLs as malicious and identifies them as Zloader as seen in Figure 7. These connections and connections to malicious IPs can be observed both in FortiEDR security event and in Threat Hunting telemetry as shown in Figures 8 and 9, respectively.
In addition to main C2 domains, FortiEDR successfully detects and blocks DGA generated domains. Given Zscaler’s replicated DGA algorithm[11], the new generated domains consist of twenty random alphabetic characters followed by ‘.com’ Top Level Domain (TLD) such as 'wqhfduhrgylwewgbcwsq[.]com'. DGA detection can be seen in Figure 9.
Figure 7. CTS detected domain adslstickerhi[.]world as Zloader C2
Figure 8. FortiEDR blocks connection from injected msiexec.exe to malicious IP address.
Figure 9. Threat Hunting telemetry of C2 connections
Given the msiexec.exe process that has been injected with the Zloader payload has already been flagged as injected, any subsequent activity performed by the injected process will be flagged as malicious generating a security event. All behavior that triggers a security event whilst FortiEDR is in protect mode will be blocked, preventing this connection to C2.
Another observed action taken by Zloader is an attempt to add the copy of executed payload to the registry key located in ‘HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ by utilizing registry editor, reg.exe. This action triggers FortiEDR to create an ‘OS Modification’ security event as seen in Figure 11. This is one of the most common techniques employed by threat actors to gain persistence (T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder[12]) and causes the malware to run even after system reboot.
Figure 11. FortiEDR security event showing blocked registry modification attempt.
Figure 12. FortiEDR Threat Hunting telemetry showing registry value addition.
Finally, the executed payload deletes itself. The created copy located in AppData\Roaming\pfjsqg remains in the specified directory.
Figure 13. Threat Hunting telemetry of Zloader payload deletion.
For testing purposes, we also tested the Zloader executable ‘EpsilonApp.exe’ after padding it with additional data to change its hash before executing it in our analysis environment. This does not change the functionality of the payload but does modify the hash to avoid some signature-based detections. On these subsequent tests, FortiEDR successfully classified the executable as malicious and created security events that were triggered on the “Invalid Checksum”, “Unmapped Executable” and “Process Injection” rules under Exfiltration Prevention security policy, preventing execution, creation of persistence and attempted C2 communication. One of the security events generated as part of this execution is shown below in Figure 11.
Figure 11. FortiEDR detects suspicious behavior of a modified Zloader instance which is not recognized by any AV tool.
Conclusion
In this article we have analyzed the new version of Zloader and demonstrated how FortiEDR effectively identifies and mitigates the execution of Zloader and its activities including memory injection, registry modifications, file creations and C2 communications. FortiEDR also successfully detected a modified Zloader payload that is not known in the wild.
With various instances of the new Zloader campaign and ongoing development, FortiEDR remains vigilant in detecting Zloader by employing machine learning algorithms and behavior-based analysis rather than solely relying on atomic indicators.
Given its previous impact, Zloader’s return is expected to be an even greater threat, leading to more attacks.
Threat Hunting
The following queries can be used in FortiEDR Threat Hunting to identify events associated with potential Zloader activity. The following queries can be scheduled to run automatically to provide additional context to security events or as a backup detection.
The following Threat Hunting query will return events of type Value Set where a ‘reg.exe’ process spawned by ‘msiexec.exe’ process sets a value in the ‘Run’ registry key path. This can indicate Zloader is attempting to gain persistence by utilizing msiexec.exe.
This query may return false positive results if a new program has been installed using an installer that employs msiexec.exe however this is likely to be a very low volume event.
Type: "Value Set" AND Source.Process.Name: "reg.exe" AND Source.Process.Parent.Path:"*msiexec.exe" AND Registry.Path: ("hkcu\\software\\microsoft\\windows\\currentversion\\run")
The following Threat Hunting query will return HTTP requests sent by msiexec.exe. Msiexec.exe is Microsoft Windows Installer executable and it is not typical for it to communicate over network. The URLs are hardcoded C2s. Before generating domains using DGA Zloader will attempt to connect to these three.
(Type: "HTTP Request" OR Type: "Socket Connect") AND Source.Process.Name: "msiexec.exe" AND URL: ("*adslstickerni.world*" OR "*adslstickerhi.world*" OR "*dem.businessdeep*")
The following Threat Hunting query will return File Create events associated with the creation of files in the “pfjsqg” directory. This directory has a unique name and is created by all of the analyzed new Zloader samples.
Type: "File Create" AND Target.File.Path: "*pfjsqg*"
MITRE ATT&CK
Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.
TA0003 - Persistence
| Technique ID | Technique Description | Observed Activity |
| T1060.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Zloader payload injected into a legitimate msiexec.exe process spawned an instance of reg.exe and used it to create the value "C:\Users\<redacted>\AppData\Roaming\pfjsqg\EpsilonApp.exe" in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. |
TA0004 - Privilege Escalation
| Technique ID | Technique Description | Observed Activity |
| T1055 | Process Injection | Zloader main process injects and executes a second stage payload into the memory address space of the legitimate active process msiexec.exe that it had spawned as an injection target. |
TA0005 – Defense Evasion
| Technique ID | Technique Description | Observed Activity |
| T1140 | Deobfuscate/Decode Files or Information | Zloader obfuscates key Strings such as DLL names and registry paths, and imported functions which are dynamically resolved at runtime. |
| T1070.004 | Indicator Removal: File Deletion | Main Zloader executable deletes itself after execution to cover tracks. |
| T1218.007 | System Binary Proxy Execution: Msiexec | Zloader loads malicious code into msiexec.exe process to perform malicious activity and communicate with C2. |
| T1497 | Virtualization/Sandbox Evasion | Zloader payload will not be executed if the name of the payload is not identical to the name configured in the payload’s code. |
| T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Zloader payload dynamically resolves API functions during runtime using API hashing technique. |
TA0011 – Command and Control
| Technique ID | Technique Description | Observed Activity |
| T1071.001 | Application Layer Protocol: Web Protocols | Zloader uses HTTP requests to communicate with its C2 servers. |
| T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Zloader is using DGA to generate multiple domain names for C2 when the main domains are not available. New generated domains consist of 20 random alphabetic characters followed by .com TLD. |
| T1573.002 | Encrypted Channel: Asymmetric Cryptography | Zloader’s is using RSA asymmetric encryption to communicate with C2 server. |
IOCs
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
| Malicious Executable | 038487af6226adef21a29f3d31baf3c809140fcb408191da8bc457b6721e3a55 | SHA-256 | Installation | EpsilonApp.exe | 2024-01-10 |
| 053849d280c4eadcc1d8d2b6fccc821b0ccd2f4e | SHA-1 | ||||
| Malicious Executable | 16af920dd49010cf297b03a732749bb99cc34996f090cb1e4f16285f5b69ee7d | SHA-256 | Installation | IonPulse.exe | 2024-01-12 |
| 7ace68f544299d8195eabc3e3f71e548eca51e47 | SHA-1 | ||||
| Malicious Executable | 25c8f98b79cf0bfc00221a33d714fac51490d840d13ab9ba4f6751a58d55c78d | SHA-256 | Installation | UltraApp.exe | 2023-12-03 |
| 2090c12960dee091681a7a3d334d54f2dd6d0bf2 | SHA-1 | ||||
| Malicious Executable | 2cdb78330f90b9fb20b8fb1ef9179e2d9edfbbd144d522f541083b08f84cc456 | SHA-256 | Installation | CodeForge.exe | 2023-12-22 |
| 7288fba570fbba7576ed21db79241dcbc969392c | SHA-1 | ||||
| Malicious Executable | 83deff18d50843ee70ca9bfa8d473521fd6af885a6c925b56f63391aad3ee0f3 | SHA-256 | Installation | SpectraKinetic.exe | 2023-12-22 |
| 9bde5a665f3b4d86aa9267b8f587ace95615fbf6 | SHA-1 | ||||
| Malicious Executable | 98dccaaa3d1efd240d201446373c6de09c06781c5c71d0f01f86b7192ec42eb2 | SHA-256 | Installation | IonBeacon.exe | 2023-12-26 |
| 5279e169e67ac7262772a17c897929ace12de647 | SHA-1 | ||||
| Malicious Executable | adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa | SHA-256 | Installation | FusionBeacon.exe | 2023-12-22 |
| 06134738f055a4b351ddb369cb3cb4d8223469fe | SHA-1 | ||||
| Malicious Executable | b206695fb128857012fe280555a32bd389502a1b47c8974f4b405ab19921ac93 | SHA-256 | Installation | EpsilonApp.exe | 2023-12-02 |
| 6a6021185686ab0d7eb75d1fc27b6bee2c9b1931 | SHA-1 | ||||
| Malicious Executable | b47e4b62b956730815518c691fcd16c48d352fca14c711a8403308de9b7c1378 | SHA-256 | Installation | QuantumDraw.exe | 2023-12-02 |
| d55243105f5fb2f9d607de91bbcc009f3c2a1a9f | SHA-1 | ||||
| Malicious Executable | d92286543a9e04b70525b72885e2983381c6f3c68c5fc64ec1e9695567fb090d | SHA-256 | Installation | KineticaSurge.exe | 2023-12-28 |
| 4077efdf98f5b42256158a882ae33a5c52ce7e58 | SHA-1 | ||||
| Malicious Executable | eb4b412b4fc58ce2f134cac7ec30bd5694a3093939d129935fe5c65f27ce9499 | SHA-256 | Installation | IonPulse.exe | 2023-12-22 |
| a86b76d0e8359be5508419e7b71c7f78f0abfa07 | SHA-1 | ||||
| Malicious Executable | f03b9dce7b701d874ba95293c9274782fceb85d55b276fd28a67b9e419114fdb | SHA-256 | Installation | CyberMesh.exe | 2023-12-21 |
| 94c89c0cf2148ee7524ae430da1172863212f117 | SHA-1 | ||||
| Malicious Executable | f6d8306522f26544cd8f73c649e03cce0268466be27fe6cc45c67cc1a4bdc1b8 | SHA-256 | Installation | EpsilonApp.exe | 2023-12-19 |
| 97e0d4d5480b7a1dbc19229ceecb39213ccc70f5 | SHA-1 | ||||
| Malicious Executable | fa4b2019d7bf5560b88ae9ab3b3deb96162037c2ed8b9e17ea008b0c97611616 | SHA-256 | Installation | UltraApp.exe | 2024-01-12 |
| 36fce1194c59cf7d3f278dab97164f6df526d33b | SHA-1 | ||||
| Malicious Executable | fbd60fffb5d161e051daa3e7d65c0ad5f589687e92e43329c5c4c950f58fbb75 | SHA-256 | Installation | FusionEcho.exe | 2023-12-22 |
| d697dc650c2c9c42ea2142d7507e4dd95ae07fd8 | SHA-1 | ||||
| Malicious URL | https://adslstickerhi[.]world | URL | C2 | Zloader C2 | 2024-01-21 |
| Malicious URL | https://adslstickerni[.]world | URL | C2 | Zloader C2 | 2024-01-21 |
[1] https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german...
[2] https://www.fortinet.com/blog/threat-research/ryuk-revisited-analysis-of-recent-ryuk-attack
[3] https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-detects-and-protects-against...
[4] https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-steal...
[5] https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/
[6] https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night
[7] https://github.com/mandiant/flare-floss
[8] https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night
[9] https://www.fortiguard.com/encyclopedia/virus/10166083
[10] https://docs.fortinet.com/document/fortiedr/6.2.0/administration-guide/434/retrieving-memory
[11] https://github.com/threatlabz/tools/blob/main/zloader/dga.py
