TRU Malware Analysis: Examining the Zloader Intrusion Case

  • Short Summary: In December 2023, an intrusion incident involving Zloader malware was investigated. The breach was potentially linked to Citrix exploitation, with various Cobalt Strike payloads deployed. Zloader, a variant of the Zeus banking trojan, uses sophisticated techniques like process injection and string encryption to evade detection and deliver additional payloads.
  • Key Points:
    • Incident occurred in December 2023, with challenges in visibility and logging.
    • Potential initial access via Citrix exploitation, particularly CVE-2023-4966.
    • Multiple Cobalt Strike payloads were dropped, including obfuscated PowerShell scripts.
    • Zloader malware, also known as SilentNight, is a variant of the Zeus banking trojan.
    • Zloader ensures its process name matches ‘GrapheneMatrix.exe’ to avoid detection.
    • Utilizes techniques like process injection and direct syscalls for stealth.
    • Encrypts registry data and utilizes various modules for data extraction and exfiltration.
    • eSentire’s Threat Response Unit is actively developing countermeasures against Zloader.
    • Recommendations include using Next-Gen AV, conducting regular vulnerability scans, and promoting cybersecurity hygiene.
  • MITRE ATT&CK TTPs – created by AI
    • Command and Scripting Interpreter (T1059.001)
      • Use of obfuscated PowerShell script (100_x64.ps1)
    • Process Injection (T1055)
      • Zloader injects payload into “msiexec.exe” via NtAllocateVirtualMemory, NtWriteVirtualMemory, NtResumeThread API calls
    • Obfuscated Files or Information (T1027)
      • Obfuscation of strings and API calls in Zloader
    • API Function Hooking (T1562.001)
      • Zloader uses direct syscalls to avoid user-mode detection
    • Input Capture (T1056.004)
      • Zloader delivers infostealers capable of capturing credentials
    • Encrypted Channel (T1573)
      • Cobalt Strike uses encrypted communication with its command and control servers
    • Exfiltration Over Alternative Protocol (T1048.003)
      • FTP-based exfiltration for data and payload delivery

In December 2023, the Incident Handling Team responded to an intrusion incident. Insufficient visibility and logging made it difficult to identify the precise initial access method. However, the breach may have occurred through Citrix exploitation, given the increase in Citrix-related incidents we observed around that period, particularly those involving Citrix Bleed (CVE-2023-4966) and related Citrix processes.

The threat actor(s) dropped the following files on one of the affected hosts:

  • 100_x64.ps1 – obfuscated PowerShell script containing the Cobalt Strike payload (the payload connects to 45.152.114.10 (theerealtruthnews[.]com:443/knock.json))
  • Dns84.exe – Cobalt Strike payload (the payload connects to 225.197.198.102 (dns.newstibulum[.]com/tow))
  • Stotri.exe – Cobalt Strike payload (the payload connects to newstibulum[.]com)
  • Stotri.dll – Cobalt Strike payload
  • GrapheneMatrix.exe – Zloader

In this article, we will focus on analyzing Zloader.

Zloader Malware

In January 2024, Zscaler published a blog discussing the resurgence of Zloader, also known as SilentNight (in Russian “Тихая Ночь”). Zloader is a variant of the Zeus banking trojan that first appeared around 2020 and is capable of delivering additional payloads, including infostealers, hVNC (hidden Virtual Network Computing), and HTTP Grabbers.

Zloader first verifies that its process is named ‘GrapheneMatrix.exe’. If the names do not match, the loader terminates. Zloader uses this check to ensure it has not been renamed or tampered with, which might indicate that it is being analyzed in a sandbox or by security researchers.

The string decryption function is shown in Figure 1 and relies on XOR.

Figure 1: String decryption

To make analysis easier, an IDAPython script was written to decrypt the strings. You can access it here.

Zloader injects the payload into the “msiexec.exe” process by first creating it in a suspended state and allocating 2,101,248 bytes (approximately 2 MB) for the payload. To perform the process injection more stealthily, it uses direct syscalls to three native API functions:

  • NtAllocateVirtualMemory: allocates memory within the virtual address space of a specified process
  • NtWriteVirtualMemory: writes data to the previously allocated memory area
  • NtResumeThread: resumes a thread that has been suspended

Before executing the syscall instruction, the code loads the appropriate system call number into EAX. In this case, 18 corresponds to NtAllocateVirtualMemory in the Windows Native API (Figure 2). The syscall instruction uses the value in EAX to determine which system function to execute in kernel mode; this is an essential part of performing system calls directly from user-mode code.

Figure 2: Direct syscalls

The mentioned native APIs are obfuscated through the previously referenced string encryption method.

Zloader calls the API functions dynamically and uses API hashing for the rest of the APIs used in the sample. The API hashing function (Figure 3) computes a hash by iterating over each character of an input string, adjusting its ASCII value by one, and then folding it into an accumulator through repeated multiplication by 16.

Each multiplication by 16 shifts the accumulated value left by four bits, so the character values are packed in one hexadecimal digit at a time. The function keeps the result within 32 bits using bitwise masking and finally combines the accumulator with a predefined seed using bitwise NOT and OR operations to produce the hash for the string.

Figure 3: API hashing function

The DLL libraries are referenced by numerical identifiers as indices to dynamically retrieve and decrypt the names of DLL libraries from obfuscated strings (Figure 4).

Figure 4: Numerical identifiers are used to reference specific DLL libraries
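The XOR string decryption (Figure 1), the API hashing routine (Figure 3) and the index-based DLL lookup (Figure 4) together form the import resolver an analyst has to reproduce before the disassembly becomes readable. The following is an added example, not the article's IDAPython script and not Zloader code: it models the three lookups end to end, taking the hash algorithm from the article's prose description and inverting it into a hash-to-name table. The single-byte XOR key, the seed value, the exact shape of the hash (+1 per character, 32-bit mask, final ~acc | seed) and the DLL index order are assumptions, and every table and export list is constructed.

```python
"""
Added example (not the article's IDAPython script): a minimal model of the
three lookups an analyst must reproduce to read a Zloader-style import
resolver: XOR string decryption (Figure 1), DLL names fetched by numeric
index (Figure 4), and a hash-to-name table for hashed API names (Figure 3).

Assumptions, not recovered from the binary: the single-byte XOR key, the
exact shape of the hash (+1 per character, 32-bit mask, final ~acc | seed),
the seed value, and the index order of the DLL table. All data is constructed.
"""
MASK32 = 0xFFFFFFFF
XOR_KEY = 0x5A        # constructed key; the real key comes from the sample
SEED = 0x00004000     # constructed seed; the real seed comes from the sample


def xor_decrypt(blob: bytes, key: int = XOR_KEY) -> str:
    """Figure 1 style string decryption: every byte XORed with the key."""
    return bytes(b ^ key for b in blob).decode("ascii")


def xor_encrypt(text: str, key: int = XOR_KEY) -> bytes:
    """Only used to build the constructed sample data below (XOR is symmetric)."""
    return bytes(b ^ key for b in text.encode("ascii"))


# Constructed DLL table: numeric identifier -> encrypted name, mirroring
# Figure 4, where the loader passes an index and decrypts the matching entry.
DLL_TABLE = {
    0: xor_encrypt("ntdll.dll"),
    1: xor_encrypt("kernel32.dll"),
    2: xor_encrypt("advapi32.dll"),
}


def dll_name(index: int) -> str:
    """Resolve a DLL identifier to its plaintext name."""
    return xor_decrypt(DLL_TABLE[index])


def api_hash(name: str, seed: int = SEED) -> int:
    """Shift-and-add hash as the article describes it: each character (+1) is
    folded in with acc = acc * 16 + c (a 4-bit left shift), the accumulator is
    kept to 32 bits, and the result is combined with the seed via NOT and OR."""
    acc = 0
    for ch in name.encode("ascii"):
        acc = ((acc << 4) + (ch + 1)) & MASK32
    return ((~acc) & MASK32) | seed


def build_lookup(export_names, seed: int = SEED) -> dict:
    """hash -> [names]. A list, not a single name: OR-ing in the seed and the
    lossy shift make collisions possible, and a resolver must surface them
    rather than silently picking one candidate."""
    table = {}
    for n in export_names:
        table.setdefault(api_hash(n, seed), []).append(n)
    return table


# Constructed export lists: the native APIs the article shows Zloader using,
# plus a few common imports an analyst would seed the table with.
EXPORTS = {
    "ntdll.dll": ["NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                  "NtResumeThread", "NtProtectVirtualMemory",
                  "NtCreateThreadEx", "NtOpenProcess", "RtlGetVersion"],
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"],
    "advapi32.dll": ["RegOpenKeyExA", "RegSetValueExA"],
}


def resolve_import(dll_index: int, hash_value: int):
    """Given the DLL identifier and hash constant seen at a call site, return
    the DLL name and every candidate export whose hash matches (possibly none)."""
    dll = dll_name(dll_index)
    table = build_lookup(EXPORTS[dll])
    return dll, table.get(hash_value, [])


if __name__ == "__main__":
    site_hash = api_hash("NtAllocateVirtualMemory")
    print(f"0x{site_hash:08x} ->", resolve_import(0, site_hash))
```

In practice the export lists come from the real DLLs' export tables, and the hash function is replaced by the one lifted from the sample; the structure stays the same, and the candidate list is what gets written back as a comment at each call site.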

Some DLL identifiers and hash values in the binary go through additional calculations within the “mw_num_gen” function to produce the final value (Figure 5). You can access the IDAPython script that comments and resolves the hashes here.

Figure 5: The mw_num_gen function

Zloader encrypts registry data (in our sample, it’s under “HKEY_CURRENT_USER\Software\Microsoft\hcdg”) using an RSA public key, which is subsequently processed by the RC4 encryption function and visual encryption.

This encrypted data includes the path to a duplicate copy of the Zloader payload located under the “AppData\Roaming” folder (for example, “AppData\Roaming\pfjsqg”). Additionally, the data encapsulates the computer’s name, username, the “InstallDate” value retrieved from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, as well as the campaign ID and botnet ID.

Figure 6: Registry data to be encrypted

In one of the samples, we observed different modules being delivered, including Client64.dll, Client32.dll (the module is responsible for setting up reverse connections), HttpGrabber.dll (the module intercepts and manipulates web browser traffic, altering webpage content as needed), SoftwareGrabber.dll, ftp64.dll, Vnc32.dll, and Vnc64.dll (VNC module).

Due to time constraints, our focus will be on particularly noteworthy modules.

SoftwareGrabber module (MD5: bbbc51064235f7a8dc30bfc8ecc59e00) is responsible for extracting browser and cryptowallet data; the decrypted strings are shown in the table below:

  • Google\Chrome\User Data
  • Login Data
  • Bitcoin-Qt
  • Software\Bitcoin
  • AES
  • ChainingModeGCM
  • ChainingMode
  • Google\Chrome\User Data\Local State
  • Litecoin-Qt
  • .tmp
  • wallet_path
  • Software\monero-project\monero-core-
  • Monero\Wallets
  • File
  • C:
  • 0:0
  • S:(ML;;NRNWNX;;;LW)
  • S:(ML;CIOI;NRNWNX;;;LW)
  • ntdll.dll
  • %s
  • "%s" %s
  • Dash-Qt
  • Software\Dash
  • ntdll.dll
  • kernel32.dll
  • %s\tmp_%08x
  • C:\Program Files\Google\Chrome\Application\chrome.exe
  • armory
  • electrum\wallets
  • .wallet
  • multibit#-
  • exodus\exodus.wallet
  • WalletWasabi\Client\Wallets
  • atomic\local storage\leveldb
  • ethereum\keystore
  • jaxx\local storage
  • com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
  • .dat
  • zcash
  • bytecoin
  • Daedalus Mainnet\Local Storage\leveldb

The decrypted strings from the FTP module suggest that the module is responsible for interacting with the victim’s FTP server, including exfiltrating data and delivering additional payloads to the server:

  • NtProtectVirtualMemory
  • NtResumeThread
  • C:\Windows\System32\ntdll.dll
  • NtCreateThreadEx
  • ntdll.dll
  • kernel32.dll
  • user32.dll
  • shlwapi.dll
  • iphlpapi.dll
  • urlmon.dll
  • ws2_32.dll
  • crypt32.dll
  • shell32.dll
  • advapi32.dll
  • gdiplus.dll
  • gdi32.dll
  • ole32.dll
  • psapi.dll
  • cabinet.dll
  • imagehlp.dll
  • netapi32.dll
  • wtsapi32.dll
  • mpr.dll
  • wininet.dll
  • userenv.dll
  • bcrypt.dll
  • dnsapi.dll
  • ftllib.dll
  • rpcrt4.dll
  • winscard.dll
  • ncrypt.dll
  • secur32.dll
  • samlib.dll
  • winsta.dll
  • wldap32.dll
  • version.dll
  • dxgi.dll
  • MSIMG32.dll
  • NtOpenSection
  • NtOpenProcess
  • NtCreateUserProcess
  • NtAllocateVirtualMemory
  • NtWriteVirtualMemory
  • NtGetContextThread
  • NtSetContextThread
  • {%08X-%04X-%04X-%08X%08X}
  • |$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[]^_`abcdefghijklmnopq
  • 127.0.0.1
  • 331 pretend login accepted
  • 230 fake user logged in
  • 215 FTP
  • 227 Entering Passive Mode (%s,%d,%d)
  • 257 "%S"
  • 550 Path permission error
  • 250 DELE command successful.
  • 550 Permission denied
  • 257 Directory created
  • 250 RMD command successful
  • 350 File Exists
  • 250 RNTO command successful
  • 226 Aborted
  • 550 Could not change directory
  • 250 CWD command successful
  • 200 Type set to I
  • 200 OK
  • 200 PORT command successful
  • 211-FEATURES:
  • 500 command not recognized
  • 221 goodbye
  • 500 command not implemented
  • 150 Opening connection
  • 10/10/2023
  • %cr%c-r%c-r%c- 1 root root 0 %s %c
  • 226 Transfer Complete
  • %b %d %Y
  • %cr%c-r%c-r%c- 1 root root %7u %s
  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  • 150 Opening BINARY mode data connection
  • RtlGetVersion
  • S-1-15
  • 550 not a plain file
  • 213 %04d%02d%02d%02d%02d%02d
  • 213 %u
  • bcdfghklmnpqrstvwxz
  • aeiouy
  • br
  • hr
  • tr
  • td
  • div
  • h1
  • h2
  • h3
  • h4
  • h5
  • h6
  • li
  • script
  • nbsp;
  • Global
  • Local
  • /
  • HTTP/1.1
  • POST
  • GET
  • Connection: close\r\n
  • 426 Broken pipe
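Several of the FTP reply strings above (“331 pretend login accepted”, “230 fake user logged in”, “215 FTP”) are worded in a way no common FTP daemon uses, which makes them usable as network-side signatures for this module. The script below is an added example, not detection content from the article or from eSentire: it walks a plain-text FTP session transcript, matches server replies against a signature list taken from the strings above, and reports the session once two distinct signatures are seen (the threshold, the transcript format with “S:”/“C:” prefixes, and both sample sessions are constructed, not captured traffic).

```python
import re

# Server replies decrypted from the Zloader FTP module, as listed in the
# article. Only replies whose wording is unusual for a real FTP daemon are
# kept as signatures; generic ones like "200 OK" would fire on normal traffic.
ZLOADER_FTP_REPLIES = (
    "331 pretend login accepted",
    "230 fake user logged in",
    "215 FTP",
    "150 Opening connection",
    "550 not a plain file",
    "257 Directory created",
    "550 Path permission error",
)

# Assumption: how many distinct signature replies one session must contain
# before it is reported; single matches are kept as low-confidence hints.
ALERT_THRESHOLD = 2

# RFC 959 reply line: three-digit code, then a space (or '-' for multi-line).
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")


def normalize(reply: str) -> str:
    """Collapse whitespace and case so '230  Fake User Logged In' still matches."""
    return " ".join(reply.split()).casefold()


SIGNATURES = {normalize(s): s for s in ZLOADER_FTP_REPLIES}


def scan_session(lines):
    """Walk 'S: ...' / 'C: ...' transcript lines; return the matched server
    replies (with line numbers) and whether the session crosses the threshold."""
    matched = []
    for lineno, line in enumerate(lines, 1):
        if not line.startswith("S: "):
            continue                      # only server replies are signatured
        reply = line[3:].strip()
        if not REPLY_RE.match(reply):
            continue                      # not a well-formed FTP reply
        sig = SIGNATURES.get(normalize(reply))
        if sig:
            matched.append((lineno, sig))
    distinct = {sig for _, sig in matched}
    return {"matches": matched, "alert": len(distinct) >= ALERT_THRESHOLD}


# Constructed transcripts (not captured traffic).
SUSPICIOUS_SESSION = [
    "S: 220 FTP",
    "C: USER anonymous",
    "S: 331 pretend login accepted",
    "C: PASS x",
    "S: 230 fake user logged in",
    "C: SYST",
    "S: 215 FTP",
    "C: QUIT",
    "S: 221 goodbye",
]

BENIGN_SESSION = [
    "S: 220 (vsFTPd 3.0.3)",
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS x",
    "S: 230 Login successful.",
    "C: SYST",
    "S: 215 UNIX Type: L8",
]

if __name__ == "__main__":
    for name, session in (("suspicious", SUSPICIOUS_SESSION), ("benign", BENIGN_SESSION)):
        print(name, scan_session(session))
```

Only server-side replies are matched, so a client echoing one of these strings does not trigger the rule, and the exact-match-after-normalization design keeps the false-positive surface to the peculiar wordings rather than to FTP reply codes in general.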

The Zloader malware continues to evolve, using techniques like process injection, direct syscalls, and string encryption to evade detection and complicate analysis. Its ability to deliver additional payloads, such as infostealers and VNC modules, highlights its adaptability and the ongoing threat it poses to sensitive data.

Understanding the tactics is important in developing effective countermeasures to protect systems from similar intrusions.

How eSentire is Responding

The eSentire Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

  • Implementing threat detections and BlueSteel, our machine-learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts, ensuring that eSentire has visibility and detections in place across eSentire MDR for Endpoint.
  • Performing global threat hunts for indicators associated with Zloader.
  • Developing detection rules for eSentire MDR for Endpoint to identify Zloader activity.

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

  • Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.
  • Encourage good cybersecurity hygiene among your users through Phishing and Security Awareness Training (PSAT), including caution when downloading software from the Internet.
  • Patch any external-facing devices and applications on an ongoing basis. Conduct regular vulnerability scans to ensure your team is staying on top of patching and identifying all known vulnerabilities.

MITRE ATT&CK

Tactic | Technique | ID | Description
Execution | Command and Scripting Interpreter | T1059.001 | Use of obfuscated PowerShell script (100_x64.ps1)
Execution | Process Injection | T1055 | Zloader injects payload into “msiexec.exe” via NtAllocateVirtualMemory, NtWriteVirtualMemory, NtResumeThread API calls
Defense Evasion | Obfuscated Files or Information | T1027 | Obfuscation of strings and API calls in Zloader
Defense Evasion | API Function Hooking | T1562.001 | Zloader uses direct syscalls to avoid user-mode detection
Credential Access | Input Capture | T1056.004 | Zloader delivers infostealers capable of capturing credentials
Command and Control | Encrypted Channel | T1573 | Cobalt Strike uses encrypted communication with its command and control servers
Exfiltration | Exfiltration Over Alternative Protocol | T1048.003 | FTP-based exfiltration for data and payload delivery

Detection

You can access the detection rules here.

Indicators of Compromise

You can access the indicators of compromise here.

References

Source: Original Post