# ZLoader Returns Through Spelevo Exploit Kit & Phishing Campaign **cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/** April 19, 2021 Exploit kits (EKs) dominated the cybersecurity industry in 2018 and 2019. These kits were the major, initial infection methods used by hackers to carry out major malware campaigns or advanced persistent threat (APT) attacks. In 2020, EKs were not considered a potential threat vector for client-side attacks because phishing attacks and other social engineering attacks emerged as the significant threat vector. Based on Cyble’s research, we have found that the recent Spelevo EK targeted the vulnerabilities in Internet Explorer and Flash Player. In the past, the Spelevo EK was found to be delivering payloads such as Ursnif and Qakbot. In a recent campaign in March 2021, we observed the same EK delivering ZLoader payload files. The Spelevo EK campaign was seen to be targeting US users with the flash vulnerability. The initial findings can be attributed to Malware Traffic Analysis. The image below showcases the popular PopCash site, compromised by EK and redirecting to a landing page. After successful redirection to the landing page, the malicious flash file is dropped on the victim machine based on client vulnerability. The landing page script and flash file delivery are shown below. ----- Upon execution of the malicious flash file, it drops and executes the ZLoader payload on the victim’s machine. The image below showcases the decompiled malicious flash file. After exploitation, Spelevo EK redirects the user to google.com, typically after a 60-seconds delay, and the code snippet for the same is shown below. ----- Spear phishing delivers ZLoader: ZLoader also targets users through phishing campaigns with maliciously crafted MS Office attachments. As showcased in the image below, we discovered this campaign to be circulating as a compensation claim. Upon execution of the malicious macro, it downloads and executes the payload on the victim machine. The attachment also displays a Security Warning that urges the user to enable macros. ----- The following Wireshark capture showcases the payload delivery on the victim machine. Technical analysis of the payload: The payload file that we have analysed is: SHA256:”9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b” It is a VC compiled malware COM DLL file with multiple exports. The following image shows the malware payload file with its export functions. ----- ZLoader has many anti-debugging, evasion techniques and does process injection. The malware uses other techniques such as custom encrypted network communication and Domain Generating Algorithm (DGA) for command-and-control (C&C) domains etc. ZLoader is notable variant of the Zeus banking malware which was identified in 2006. This banking malware typically targets users to steal credentials and other sensitive financial information. Finally, with these stolen credentials threat actors can perform illicit financial transactions from the victim’s banking account by logging into their devices. It has been observed that after a few months’ break, the same malware campaign reappears with different Tactics, Techniques, and Procedures (TTPs). Cyble will continue to track these new malware activities to collect advanced threat intelligence related to the campaign. **MITRE ATT&CK:** **Initial Access** **Persistence** **Privilege** **Escalation** **Defence Evasion** **Credential** **Access** [Masquerading](https://attack.mitre.org/techniques/T1036/) Input Capture **Discovery** **Collection** **Command** **and** **Control** Security [Software](https://attack.mitre.org/techniques/T1518/) Discovery [Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) DLL SideLoading Process Injection Input Capture Archive [Collected](https://attack.mitre.org/techniques/T1560/) Data Encrypted Channel NonApplication Layer Protocol Application [Layer](https://attack.mitre.org/techniques/T1071/) Protocol [Driver-by Compromise](https://attack.mitre.org/techniques/T1189/) DLL SideLoading **Indicators of Compromise (IoCs):** **SHA256** [Process Injection](https://attack.mitre.org/techniques/T1055/001/) Process Discovery Obfuscated Files or Information System [Information](https://attack.mitre.org/techniques/T1082/) Discovery [DLL Side-Loading](https://attack.blackbot.io/techniques/T1574/002/) File and [Directory](https://attack.mitre.org/techniques/T1083/) Discovery f8ba1699d9c63a2bcdb4fe48cd229074e2ab87512891d6c6adff6bd838847c11 f5493ea3f2e6b61670be5ec8fcf6951f425476db2a5fe8c18ecd07ee7 fbc4ff74fc7ee03fd3c451b6f20a820cb7bea5dbef4efa19aa567f6bfae58d48 ----- 9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b ce9d8545eb14f98f81526457b784ada2e37057dae2d74f625e47b4e hxxp://195.123.208[.]172/44300,5396033565[.]dat/ 31f81d3319ad104bcd6afcc114c5d2de073af83feb5db8f187af79a09d930599 **Our Recommendations:** Block the IoCs shared above. We encourage our customers to conduct investigations and implement proactive measures for identifying previous campaigns and preventing future ones that may target their systems. Use strong passwords and enforce multi-factor authentication wherever possible. Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. People concerned about their exposure in the Dark web can register at [AmiBreached.com to ascertain their exposure.](https://cyble.io/amibreached) Refrain from opening untrusted links and email attachments without verifying their authenticity. **About Cyble:** [Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in](https://cyble.com/) the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more [about Cyble, visit www.cyble.com.](http://www.cyble.com/) -----