# Zloader Campaigns at a Glance **[trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance)** ----- View infographic: Zloader Campaigns at a Glance The ZBOT (aka Zeus) trojan has been one of the most prolific and enduring malware families of the past 20 years. After its first [appearance in 2006, its source code was leaked in 2011,](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/online-banking-trojan-brief-history-of-notable-online-banking-trojans) leading to a plethora of new variants that plagued organizations over the succeeding years. One of the most notable recent ZBOT variants is Zloader. First compiled under the name Silent Night in late 2019, it has evolved from being an information stealer to a multipurpose dropper that provides malicious actors the means to install and execute other malware and tools such as Cobalt Strike, DarkSide, and Ryuk. In addition, it has other capabilities, such as the ability to provide remote access to attackers and install plug-ins for additional routines. Zloader has multiple delivery methods, such as via email campaigns or downloads by other malware and hacking tools. One of the most basic yet reliable methods for individuals and organizations to avoid being infected by Zloader and other malware with similar arrival techniques is to apply security best practices to their emails. This includes avoiding downloading attachments or selecting links from emails that look suspicious or appear to be out of context. Zloader’s versatility has made it a popular and effective campaign tool for any threat actor that is willing to pay for it. We already witnessed this in past campaigns — some of which took advantage of current events such as the Covid-19 pandemic — and we can expect to see it again in future campaigns from other threat actors. Organizations can mitigate the impact of Zloader by employing robust security solutions and services. Trend Micro’s robust native XDR capabilities are tied together by Trend Micro Vision One™which connects email endpoints servers cloud workloads and networks in ----- order to provide a better context and perspective of the entire chain of events of an attack, while also allowing security personnel to investigate and act from a single place. [Furthermore, managed security services, such as Trend Micro™ Managed XDR, provides](https://www.trendmicro.com/en_us/business/services/managed-xdr.html) expert threat monitoring, correlation, and analysis from experienced cybersecurity professionals via a single and capable source of detection, analysis, and response. This expertise is further bolstered by AI-optimized, Trend Micro solutions that draw from global threat intelligence. ## MITRE ATT&CK techniques Zloader uses the following tactics and techniques, as mapped out according to the MITRE ATT&CK Matrix. Tactic MITRE ID and Technique Initial Access T1189 - Drive-by Compromise Details Zloader can be downloaded through drive-by compromise via Malsmoke, RIG Exploit Kit, and Spelevo T1566 Phishing Zloader can arrive via phishing emails with attached XLS downloader files Execution T1204 - User Execution User can execute the XLS Zloader downloader file manually ----- T1064 Scripting T1059 Command and Scripting Interpreter T1106 Native API Zloader can be downloaded by VBS or Javascripts Zloader hooks native API from user32.dll and ntdll.dll to redirect execution to Zloader DLL Persistence T1060 - Registry Run Keys/Startup Folder T1547- Boot or Logon Autostart Execution Creates persistence using the following registry: HKCU\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run Zloader injects its loader or core component to msiexec.exe Privilege Escalation T1055 - Process Injection ----- Defense Evasion T1140 – Deobfuscate/ Decode Files or Information T1497 Virtualization/ Sandbox Evasion Credential Access T1539 Steal Web Session Cookie T1027 - Obfuscated files or information Zloader performs XOR to decode obfuscated strings and information Zloader downloader scripts check if it is running in a virtual environment and will not execute properly if it is Instead of presenting arithmetic functions in a standardized manner and directly hardcoding constants, Zloader tries to confuse the analyst by obfuscating these in a form of various, dedicated functions T1056 - Input Capture Zloader captures keystrokes on browsers Zloader steals cookies from Chrome, Firefox, and Internet Explorer ----- Discovery T1083 - File and Directory Discovery T1012 Query Registry Collection T1185 - Man in the Browser T1179 Hooking Zloader steals cookies by discovering files from specific directories like \Mozilla\Firefox\Profiles Zloader has to install its own (fake) certificate, and has to run a local proxy before deploying a Man-In-TheBrowser (MITB) attack ----- C2 is encrypted via RC4 and XORing algorithm where each character of the string is XORed with the preceding character which was already XORed Command & Control T1001 - Data Obfuscation ----- T1090 Proxy T1071Application Layer Protocol T1219 Remote Access Software Zloader components injected into browsers are responsible for redirecting traffic via proxy The following commands are accepted: user_execute download an executable into the %TEMP% folder and run it (optionally with parameters) user_cookies_get - steal cookies from all known browsers user_url_block - block URL access for the current user bot_uninstall - complete removal of the bot from the current user user_password_get – steal passwords from targeted browsers user_files_get – search and upload documents of the victims (.txt, docx,, .xls, .wallet.dat) Zloader downloads and executes VNC tool to control victim machine Exfiltration T1041 - Exfiltration Over C&C Channel ## Indicators of Compromise Data collected by Zloader, such as stolen cookies, screenshot, and process list, are exfiltrated to C&C server [The IOCs for Zloader can be found in this appendix.](https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt) ----- HIDE ----- ----- ----- **Like it? Add this infographic to your site:** 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V). Image will appear the same size as you see above. [Posted in Cybercrime & Digital Threats,](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats) [Infographics,](https://www.trendmicro.com/vinfo/us/security/news/infographics) [Targeted Attacks](https://www.trendmicro.com/vinfo/us/security/news/targeted-attacks) -----