Overview of malicious modules used by Zloader Malicious modules Supported Zloader modules are displayed in Table 1 and Table 2. Zloader has a modular architecture, downloading and utilizing its modules as needed. The development of the latest distribution methods will be covered in the next sections.
Zloader has been used by various affiliate groups and each of them has used a different approach for the malware’s distribution, including: Worldwide Zloader campaign detection rate (based on data since February 2020) Affiliates are then responsible for bot distribution and maintaining their botnets.Īs you can see in Figure 1, we have observed Zloader infestations and campaigns in many countries with North America being the most targeted.įigure 1. When purchased, affiliates are given all they need to set up their own servers with administration panels and to start building their bots. Due to low prevalence and the nature of this new version, all the following information applies to Zloader version 1.x.Īs already mentioned, Zloader, similar to other commodity malware, is being advertised and sold on underground forums. Our findings show that these were just test builds, but we will be closely monitoring this new activity and its evolution. This may, however, change in the future as we have already seen version 2.0 samples in the wild (compiled in July 2021). We have seen a couple of peaks in Zloader’s popularity among threat actors, mainly during its first year of existence, but its use began declining during 2021 with only a couple of actors left using it for their malicious intents. In March 2020, Zloader implemented a domain generation algorithm (DGA) that allowed us to discover about 300 additional active domains registered by Zloader operators and used as C&C servers. Throughout Zloader’s existence, we have analyzed about 14,000 unique samples via our automatic tracking system, which helped us to discover more than 1,300 unique C&C servers. ESET researchers have been closely monitoring its activity and evolution ever since then, giving us great insight into Zloader’s mode of operation and its infrastructure. The first version (1.0.0.0) of Zloader that we were able to find was compiled on November 9 th 2019, the same day it was announced and advertised in underground forums under the name “Silent Night”. This blogpost won’t focus on deep technical aspects of the trojan, but rather will cover the details of its operation and infrastructure. Many research papers have been published about this malware already, with the latest one from Malwarebytes and HYAS being the most detailed from the technical point of view.
TEAMVIEWER DOWNLOAD 13 CODE
Zloader is one of the many banking trojan malware families heavily inspired by the famous Zeus banking trojan, whose source code was leaked in 2011. Microsoft’s investigation also identified Denis Malikov as a co-author of a malicious component used by the operators of one of the botnets.
TEAMVIEWER DOWNLOAD 13 REGISTRATION
To make sure that the botnet operators cannot use this side channel to regain control of their botnets, an additional 319 already registered domains generated by this algorithm were taken over and the working group is also taking measures to block registration of DGA domains possibly generated in the future. This technique, known as a domain generation algorithm (DGA), is used to generate 32 different domains per day, per botnet.
On top of that, Zloader bots rely on a backup communication channel that automatically generates unique domain names that can be used to receive commands from their botmasters.
ESET researchers helped with identification of 65 domains that had been used by these botnet operators recently and that had been taken over for this disruption operation to be effective. The coordinated disruption operation targeted three specific botnets, each one using a different version of the Zloader malware. Zloader started life as a banking trojan, but lately evolved to become a distributor of several malware families, including various ransomware families. ESET contributed to the project by providing technical analysis, statistical information, and known command and control server domain names and IP addresses. ESET researchers provided technical analysis, statistical information, and known command and control server domain names and IP addressesĮSET has collaborated with partners Microsoft’s Digital Crimes Unit, Lumen’s Black Lotus Labs, Palo Alto Networks Unit 42, and others in an attempt to disrupt known Zloader botnets.
0 kommentar(er)
