National Cyber Warfare Foundation (NCWF) Forums


ZLoader Now Attack 64-bit Windows: Live Analyse With ANY.RUN Sandbox


0 user ratings		2024-02-14 07:48:22
milo
Red Team (CNA)

ZLoader is a banking Trojan malware that steals sensitive financial information from infected systems. Threat actors exploit this malware to conduct a multitude of illicit activities. This malware is often distributed through phishing emails or malicious websites, allowing the threat actors to secretly compromise users’ banking information. Cybersecurity researchers at ANY.RUN recently discovered that ZLoader […]


The post ZLoader Now Attack 64-bit Windows: Live Analyse With ANY.RUN Sandbox appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



ZLoader is a banking Trojan malware that steals sensitive financial information from infected systems. Threat actors exploit this malware to conduct a multitude of illicit activities.





This malware is often distributed through phishing emails or malicious websites, allowing the threat actors to secretly compromise users’ banking information.





Cybersecurity researchers at ANY.RUN recently discovered that ZLoader is now attacking the 64-bit version of Windows systems.





ANY.RUN is a developer of a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams, as well as Threat Intelligence Feeds and Threat Intelligence Lookup. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.   





Technical Analysis





ZLoader returns with upgraded powers, as the new ZLoader malware campaign was spotted and found to be reviving after control network takedown in April 2022.





Microsoft’s Digital Crimes Unit seized the 65 domains to hit the ZLoader hard. But Zscaler ThreatLabz warns of a new version since September 2023, packing major loader module upgrades. 





Apart from this, versions 2.1.6.0 and 2.1.7.0 use junk code and string obfuscation to evade the analysis, which shows the need for specific filenames to sneak past automated detection.





Using the RC4 encryption and a fixed key, all these versions cloak the campaign and command-and-control server data. 





A revamped domain generation algorithm offers backup communication if main servers fall. ZLoader persists post-setbacks, hinting at threatening ransomware attacks, providing the group’s strength post-takedown.





ZLoader (aka Terdot, DELoader, Silent Night) grew from Zeus in 2015. This malware started as a banking trojan and now spreads ransomware. 





It originated from a 2011 leaked code and gained momentum with COVID-19 attacks until server takedown in 2020.





Top malware types (Source - ANY.RUN)
Top malware types




ZLoader delivers extra malware to infected systems. The loaders are essential to attacks, as they dominated with 24,136 detections in 2023.





To prevent the latest ZLoader version, firms must refresh security with IOCs like file hashes, C2 IPs, and URLs. ANY.RUN eases IOC extraction for pros that strengthen the endpoints, SIEM, and SOAR against ZLoader.





 This ANY.RUN sandbox task as an example to illustrate how to pull IOCs from the new ZLoader variant.





Malware configuration (Source - ANY.RUN)
Malware configuration




Besides this, the ANY.RUN allows the extraction of compromise indicators from malware, like C2 addresses, even when not connected to the control server.





ZLoader’s configuration file (Source - ANY.RUN)
ZLoader’s configuration file




Moreover, directly from the task, it also provides direct access to Suricata rules that could be utilized according to the need.





Triggered Suricata rules (Source - ANY.RUN)
Triggered Suricata rules




Recommendations





To secure against the new ZLoader variant, companies should update their security systems with Indicators of Compromise, such as file hashes, C2 IP addresses, and URLs.  





Here below, we have mentioned all the recommendations:






  • Use Robust Antivirus Software




  • Make sure to update the software




  • Exercise caution with emails




  • Enable Two-Factor Authentication (2FA)




  • Educate users




  • Take regular backups




  • Implement network segmentation




  • Regularly monitor account activity




  • Develop and regularly update an incident response plan





ANY.RUN interactive malware sandbox streamlines the IOC extraction process for security professionals. They can then use gathered indicators in endpoint security, SIEM, and SOAR systems to safeguard their infrastructure against ZLoader.


The post ZLoader Now Attack 64-bit Windows: Live Analyse With ANY.RUN Sandbox appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Source: gbHackers
Source Link: https://gbhackers.com/zloader-now-attack-64-bit-windows-systems/

Comments
new comment
Nobody has commented yet. Will you be the first?
  
Forum
Red Team (CNA)


© Copyright 2012 through 2024 - National Cyber War Foundation - All rights reserved worldwide.