One Article Review

Source RiskIQ
Identifier 8628076
Publication date 2024-12-20 18:11:45 (viewed: 2024-12-20 19:09:31)
Title Zloader 2.9.4.0 Banking Trojan Deploys DNS Tunneling and RMM-Based Delivery for Ransomware Access
Text

## Snapshot

ThreatLabz has identified a new version of the Zloader malware, version 2.9.4.0, which is a sophisticated variant of the Zeus banking trojan.

## Description

This updated version employs a custom DNS tunnel protocol for command-and-control (C2) communications and an interactive shell capable of executing binaries, exfiltrating data, and supporting over a dozen commands. Zloader has shifted from large-scale spam campaigns to more targeted infection methods, including personalized voice-based attacks and the use of Remote Monitoring and Management (RMM) tools. The malware also includes a payload named GhostSocks, which is likely used to deploy Zloader. Zloader's anti-analysis techniques have been enhanced, featuring environment checks that compare the MD5 hash of a bot ID with a value in the executable's .rdata section, and updated API import resolution algorithms using a CRC algorithm with XOR operations. The malware modifies the MZ header of the executable during installation and deletes the original file to evade detection. Its network communication has evolved to encapsulate encrypted network traffic using DNS A and AAAA records, and it sends TLS client hello messages through DNS requests using a complex hexadecimal encoding system. The updates suggest a focus on evading detection and enhancing its role as an initial access broker for ransomware. Botnet and campaign IDs associated with Zloader, including one botnet ID, BB3, have been potentially linked to Black Basta ransomware attacks. The connection between Zloader and Black Basta ransomware campaigns, along with the use of Qakbot and Pikabot-like botnet IDs, indicates that Zloader may be serving as an initial access broker for these ransomware attacks. Organizations are advised to monitor not only web-based traffic but also DNS-based network traffic to detect signs of Zloader activity.

## Microsoft Analysis and Additional OSINT Context

ZLoader is a highly adaptable malware that has evolved to enable diverse and complex attack campaigns. It employs multiple delivery methods, including malicious search engine ads impersonating brands like Zoom and Java, as well as phishing emails with urgent lures. Once delivered, the malware installs modules for credential theft, browser manipulation, and disabling security tools. ZLoader uses advanced techniques, such as form-grabbing and adversary-in-the-browser attacks, to steal banking and other sensitive information. Known for its persistence, ZLoader leverages registry modifications, startup entries, and legitimate tools like Atera for long-term access. It often facilitates hands-on-keyboard attacks and ransomware deployments by groups like Ryuk and DarkSide through access-as-a-service schemes. This versatility and ability to evade defenses make ZLoader a significant threat to organizations worldwide. Read more from Microsoft [about Zloader here.](https://security.microsoft.com/intel-profiles/cbcac2a1de4e52fa5fc4263829d11ba6f2851d6822569a3d3ba9669e72aff789)

## Recommendations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Configure Microsoft Defender for Office 365 to [recheck links on click](https://docs.microsoft.com/office365/securitycompliance/atp-safe-links). Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. Safe Links scanning occurs in addition to the regular [anti-spam and anti-malware protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-and-anti-malware-protection?view=o365-worldwide) in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
- Configure Microsoft Defender for Office 365 to [detonate file attachments via Safe Attachments](https://do
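The description above says the new Zloader build encapsulates its C2 traffic in DNS A and AAAA queries whose subdomains carry hex-encoded payloads, and the article closes by advising organisations to watch DNS traffic for it. The script below is an added example of that monitoring step; it is not code from the article, from RiskIQ, from Microsoft or from ThreatLabz, and it does not reproduce Zloader's actual encoding (which the article does not document). It assumes a constructed resolver log in the form `<timestamp> <client> <qname> <qtype>`, a placeholder domain `c2-placeholder.test`, and heuristic thresholds (`min_queries`, `min_encoded_ratio`) chosen for illustration. It groups A/AAAA queries by registered domain and flags domains where most query names contain long hex-only labels, which is the generic shape of a hex-encoded DNS tunnel.

```python
"""Heuristic detector for hex-encoded DNS tunnelling (added example, not from the article)."""
import math
import re
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <client> <qname> <qtype>".
# The domain c2-placeholder.test and the hex labels are invented for this example.
SAMPLE_DNS_LOG = """\
2024-12-20T18:11:01Z 10.0.0.5 www.example.com A
2024-12-20T18:11:02Z 10.0.0.5 update.example.net AAAA
2024-12-20T18:11:03Z 10.0.0.7 4a1f9c0e3b7d.82e61d0f.c2-placeholder.test A
2024-12-20T18:11:03Z 10.0.0.7 9c3e7a1d0b54.82e61d0f.c2-placeholder.test AAAA
2024-12-20T18:11:04Z 10.0.0.7 0d7b2e9f6a13.82e61d0f.c2-placeholder.test A
2024-12-20T18:11:04Z 10.0.0.7 e5c18f3a9b06.82e61d0f.c2-placeholder.test AAAA
2024-12-20T18:11:05Z 10.0.0.7 7f2a4d8c1e39.82e61d0f.c2-placeholder.test A
2024-12-20T18:11:05Z 10.0.0.7 b3d90e6f5a27.82e61d0f.c2-placeholder.test AAAA
2024-12-20T18:11:06Z 10.0.0.9 1e8c5b2d7f40.3a9f02c1.c2-placeholder.test A
2024-12-20T18:11:06Z 10.0.0.9 6a0f3e9c8b15.3a9f02c1.c2-placeholder.test AAAA
2024-12-20T18:11:07Z 10.0.0.9 c4b7d1a2e683.3a9f02c1.c2-placeholder.test A
2024-12-20T18:11:07Z 10.0.0.9 5d2e8a6f0c91.3a9f02c1.c2-placeholder.test AAAA
2024-12-20T18:11:08Z 10.0.0.5 mail.example.com A
2024-12-20T18:11:09Z 10.0.0.5 www.example.com AAAA
2024-12-20T18:11:10Z 10.0.0.5 cdn1.example.com A
2024-12-20T18:11:11Z 10.0.0.5 www.example.com A
2024-12-20T18:11:12Z 10.0.0.5 _dmarc.example.com TXT
"""

# A label made only of hex digits and at least 8 characters long is treated as "encoded".
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registered domain: the last two labels (no public-suffix handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one log line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype.upper()}


def looks_encoded(qname):
    """True if any subdomain label (below the registered domain) is a long hex string."""
    labels = qname.rstrip(".").lower().split(".")[:-2]
    return any(HEX_LABEL.match(label) for label in labels)


def analyze(lines, min_queries=5, min_encoded_ratio=0.8):
    """Return domains whose A/AAAA queries are mostly hex-encoded subdomains."""
    stats = defaultdict(lambda: {"queries": 0, "encoded": 0, "clients": set(), "entropy": 0.0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] not in ("A", "AAAA"):
            continue  # the article describes A/AAAA carriage; other types are ignored here
        domain = registered_domain(rec["qname"])
        sub = rec["qname"][: -len(domain) - 1] if rec["qname"].endswith("." + domain) else ""
        s = stats[domain]
        s["queries"] += 1
        s["clients"].add(rec["client"])
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if looks_encoded(rec["qname"]):
            s["encoded"] += 1
    findings = []
    for domain, s in stats.items():
        if s["queries"] < min_queries:
            continue
        ratio = s["encoded"] / s["queries"]
        if ratio >= min_encoded_ratio:
            findings.append({
                "domain": domain,
                "queries": s["queries"],
                "encoded_ratio": round(ratio, 2),
                "clients": sorted(s["clients"]),
                "avg_subdomain_entropy": round(s["entropy"] / s["queries"], 2),
            })
    return sorted(findings, key=lambda f: f["domain"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_DNS_LOG.splitlines()):
        print(finding)
```

On the constructed log the only flagged domain is `c2-placeholder.test`, queried by two clients with every name hex-encoded; `example.com` has enough queries but no encoded labels, so it stays quiet. In production the registered-domain split should use a public suffix list, and the thresholds should be tuned against a baseline of your own resolver traffic, since some CDN and telemetry services also emit hex-looking labels.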
Tags Ransomware Spam Malware Tool Vulnerability Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.