Vol. 7 No. 1 (2022): Proceedings of Botconf 2021/2022
Conference proceedings

Into The Silent Night

Yuta Sawabe
NTT Security Holdings
Ryuichi Tanabe
NTT Security Holdings
Fumio Ozawa
NTT Security Holdings
Rintaro Koike
NTT Security Holdings

Published 2022-08-01

Keywords

  • Banking trojan,
  • Zloader,
  • Botnet tracking,
  • System development

How to Cite

Sawabe, Y., Tanabe, R., Ozawa, F., & Koike, R. (2022). Into The Silent Night. The Journal on Cybercrime and Digital Investigations, 7(1), 1-6. https://doi.org/10.18464/cybin.v7i1.32

Download Citation

Abstract

Since the birth of Zeus family malwares, they have been sharpening their edge. Zloader is one of the active variants among Zeus family malwares. In December 2019, Zloader revived as “Silent Night.” It communicates with C&C servers using DGA (Domain Generation Algorithm), because changing C&C servers’ domain names can bypass malware detection systems. As a result, it makes it easier to steal information from infected hosts. This study proposes a system that traces Zloader’s C&C servers automatically. This system collects samples, analyzes configuration data, and calculates DGA domains. Moreover, the system collects log files that store information about the infected hosts on the attackers’ servers. The system can not only generate threat intelligence about Zloader for SOC and CSIRT but also follow the trend of attack campaigns. Furthermore, we will discuss how attackers acquire the DGA domains tactically.

References

  1. Malwarebytes, “The "Silent Night" Zloader/Zbot.” https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloaderzbot_final.pdf.
  2. NTT Security Holdings, “Attack using Spelevo Exploit Kit by PseudoGate campaign targeting Japan.” https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit.
  3. Malwarebytes Labs, “Malvertising campaigns come back in full swing.” https://blog.malwarebytes.com/socialengineering/2020/09/malvertisingcampaigns-come-back-in-full-swing/.
  4. Sentinel Labs, “Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms.” https://www.sentinelone.com/labs/hideand-seek-new-zloader-infection-chaincomes-with-improved-stealth-and-evasionmechanisms/.
  5. Trend Micro, “Zloader Campaigns at a Glance.” https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digitalthreats/zloader-campaigns-at-a-glance.
  6. K7 Security Labs, “Java Plug-Ins Delivering Zloader.” https://labs.k7computing.com/index.php/java-plug-ins-delivering-zloader/.
  7. PhishLabs, “Surge in ZLoader Attacks Observed.” https://www.phishlabs.com/blog/surge-inzloader-attacks-observed/.
  8. McAfee, “Zloader With a New Infection Technique.” https://www.mcafee.com/blogs/otherblogs/mcafee-labs/zloader-with-a-newinfection-technique/.
  9. Check Point Research, “Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk.” https://research.checkpoint.com/2022/canyou-trust-a-files-digital-signature-newzloader-campaign-exploits-microsoftssignature-verification-putting-users-atrisk/.
  10. Malwarebytes Labs, “Malsmoke operators abandon exploit kits in favor of social engineering scheme.” https://blog.malwarebytes.com/threatanalysis/2020/11/malsmoke-operatorsabandon-exploit-kits-in-favor-of-socialengineering-scheme/.
  11. Proofpoint, “ZLoader Loads Again: New ZLoader Variant Returns.” https://www.proofpoint.com/us/blog/threat-insight/zloaderloads-again-new-zloader-variant-returns.
  12. VirusTotal. https://virustotal.com.
  13. ANY.RUN. https://any.run.
  14. MalwareBazaar. https://bazaar.abuse.ch.
  15. Hatching Triage. https://tria.ge.