Into The Silent Night

  • Yuta Sawabe NTT Security Holdings
  • Ryuichi Tanabe NTT Security Holdings
  • Fumio Ozawa NTT Security Holdings
  • Rintaro Koike NTT Security Holdings
Keywords: Banking Trojan, Zloader, Botnet Tracking, System Development

Abstract

Since the birth of the Zeus malware family, its variants have kept sharpening their edge. Zloader is one of the active variants of that family. In December 2019, Zloader revived as "Silent Night." It communicates with its C&C servers through a DGA (Domain Generation Algorithm), because changing the C&C servers' domain names can bypass malware detection systems. As a result, stealing information from infected hosts becomes easier. This study proposes a system that traces Zloader's C&C servers automatically. The system collects samples, analyzes their configuration data, and calculates the DGA domains. Moreover, it collects the log files on the attackers' servers that store information about the infected hosts. The system can not only generate threat intelligence about Zloader for SOCs and CSIRTs but also follow the trend of attack campaigns. Furthermore, we will discuss how attackers acquire the DGA domains tactically.
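The tracking step the abstract describes (seed from an extracted configuration, per-day DGA candidates, then matching DNS telemetry against them) is sketched below as an added example. This is not the authors' system and not Zloader's real DGA: the algorithm, the 32-per-day count, the `.com` TLD, the seed value and the DNS log lines are all constructed for the demonstration.

```python
"""Added example: defensive DGA tracking skeleton (not the paper's code,
and the DGA here is hypothetical, not Zloader's)."""
from __future__ import annotations

import hashlib
from datetime import date

TLD = ".com"           # assumed TLD for the hypothetical DGA
DOMAINS_PER_DAY = 32   # assumed per-day count, a placeholder constant


def dga_domains(seed: str, day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Return the candidate C&C domains for one day.

    Hypothetical algorithm: SHA-256 over seed|date|index, the first 20
    digest bytes mapped onto lowercase letters.  In a real tracker the seed
    would come from the configuration data extracted from a sample.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:20])
        domains.append(label + TLD)
    return domains


def match_dns_logs(domains: list[str], log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, qname) for queries that hit a DGA candidate.

    Each log line is assumed to be "<timestamp> <client-ip> <qname>".
    """
    wanted = set(domains)
    hits = []
    for line in log_lines:
        ts, client, qname = line.split()
        if qname.lower().rstrip(".") in wanted:
            hits.append((ts, client, qname))
    return hits


def sample_hits(seed: str = "constructed-seed", day: date = date(2022, 8, 1)):
    """Run the pipeline over constructed DNS query logs for one day."""
    domains = dga_domains(seed, day)
    # Constructed log lines; the second one queries the day's 4th DGA domain.
    logs = [
        "2022-08-01T09:00:01Z 10.0.0.5 example.com",
        f"2022-08-01T09:00:07Z 10.0.0.9 {domains[3]}",
        "2022-08-01T09:00:12Z 10.0.0.5 update.microsoft.com",
    ]
    return match_dns_logs(domains, logs)


if __name__ == "__main__":
    for ts, client, qname in sample_hits():
        print(f"{ts} {client} queried DGA candidate {qname}")
```

The point of precomputing the day's candidate set on the defender's side is that a SOC can block or sinkhole the domains before the botnet rotates to them, and any client that resolves one of them is a strong infection signal; both uses follow directly from reproducing the DGA from the extracted configuration.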


Published
2022-08-01