Into The Silent Night
Abstract
Since the birth of Zeus family malwares, they have been sharpening their edge. Zloader is one of the active variants among Zeus family malwares. In December 2019, Zloader revived as “Silent Night.” It communicates with C&C servers using DGA (Domain Generation Algorithm), because changing C&C servers’ domain names can bypass malware detection systems. As a result, it makes it easier to steal information from infected hosts. This study proposes a system that traces Zloader’s C&C servers automatically. This system collects samples, analyzes configuration data, and calculates DGA domains. Moreover, the system collects log files that store information about the infected hosts on the attackers’ servers. The system can not only generate threat intelligence about Zloader for SOC and CSIRT but also follow the trend of attack campaigns. Furthermore, we will discuss how attackers acquire the DGA domains tactically.
References
Malwarebytes, “The "Silent Night" Zloader/Zbot.” https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloaderzbot_final.pdf.
NTT Security Holdings, “Attack using Spelevo Exploit Kit by PseudoGate campaign targeting Japan.” https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit.
Malwarebytes Labs, “Malvertising campaigns come back in full swing.” https://blog.malwarebytes.com/socialengineering/2020/09/malvertisingcampaigns-come-back-in-full-swing/.
Sentinel Labs, “Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms.” https://www.sentinelone.com/labs/hideand-seek-new-zloader-infection-chaincomes-with-improved-stealth-and-evasionmechanisms/.
Trend Micro, “Zloader Campaigns at a Glance.” https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digitalthreats/zloader-campaigns-at-a-glance.
K7 Security Labs, “Java Plug-Ins Delivering Zloader.” https://labs.k7computing.com/index.php/java-plug-ins-delivering-zloader/.
PhishLabs, “Surge in ZLoader Attacks Observed.” https://www.phishlabs.com/blog/surge-inzloader-attacks-observed/.
McAfee, “Zloader With a New Infection Technique.” https://www.mcafee.com/blogs/otherblogs/mcafee-labs/zloader-with-a-newinfection-technique/.
Check Point Research, “Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk.” https://research.checkpoint.com/2022/canyou-trust-a-files-digital-signature-newzloader-campaign-exploits-microsoftssignature-verification-putting-users-atrisk/.
Malwarebytes Labs, “Malsmoke operators abandon exploit kits in favor of social engineering scheme.” https://blog.malwarebytes.com/threatanalysis/2020/11/malsmoke-operatorsabandon-exploit-kits-in-favor-of-socialengineering-scheme/.
Proofpoint, “ZLoader Loads Again: New ZLoader Variant Returns.” https://www.proofpoint.com/us/blog/threat-insight/zloaderloads-again-new-zloader-variant-returns.
VirusTotal. https://virustotal.com.
ANY.RUN. https://any.run.
MalwareBazaar. https://bazaar.abuse.ch.
Hatching Triage. https://tria.ge.
Copyright (c) 2022 Yuta Sawabe, Ryuichi Tanabe, Fumio Ozawa, Rintaro Koike

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.