Engage Report: Zloader Trojan Analysis

Subject: Engage Report: Zloader Trojan Analysis

Tactics: TA0001 Initial Access

Technique: T1021 Remote Services, T1021.001 Remote Services: Remote Desktop Protocol, T1078 Valid Accounts

Procedure:

Zloader has been observed to utilize legitimate remote management tools like AnyDesk, TeamViewer, and Microsoft Quick Assist for initial access. Threat actors leverage social engineering tactics to convince victims to grant them remote access to their systems. Once they gain remote access, the attackers proceed to deploy Zloader.

Technique: Valid Accounts [T1078] --> Remote Services [T1021] --> Remote Desktop Protocol [T1021.001]

Caveat on the mapping: T1078 is named Valid Accounts in ATT&CK, not "System Access". T1021.001 covers RDP sessions specifically; AnyDesk, TeamViewer and Quick Assist are legitimate third-party or vendor remote access tools, which ATT&CK classifies under Remote Access Software [T1219]. Detection content derived from this report should key on T1219 telemetry (installation and execution of these tools) rather than on RDP logon events alone.

Vulnerability: EAV0007 When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.

Engagement Opportunity:

Deploy a decoy system with intentionally vulnerable remote services configurations. Monitor the decoy for unauthorized access attempts, particularly those using tools like AnyDesk, TeamViewer, or Quick Assist. Upon successful compromise of the decoy, observe attacker actions to gather intelligence on TTPs and potentially identify the threat actor.
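The monitoring step above is the part a defender has to build. The following is an added example, not code from the original report or from any Zloader analysis: it parses process-creation events (constructed here as flattened Sysmon Event ID 1 style key=value lines; the field names, the executable list, the approved-host allowlist and the user-writable path markers are all assumptions) and flags the remote access tools named in the procedure, distinguishing the social-engineering footprint (tool launched from Downloads or Temp) from a tool running on a host where it is not expected.

```python
"""Added example (not from the original report): flag execution of the
remote access tools named in the Zloader procedure from process-creation
telemetry. Event format, tool list and allowlist are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Executable names to watch for. Assumption for illustration; extend it
# from the vendor documentation for each tool in use at your site.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "quickassist.exe": "Microsoft Quick Assist",
}

# Hosts where these tools are legitimately used (help desk jump hosts).
# Constructed allowlist; replace with your own inventory.
APPROVED_HOSTS = {"HELPDESK-01"}

# Path fragments that indicate the victim fetched the binary during the
# call rather than IT having installed it. Constructed list.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\desktop\\")


@dataclass
class Alert:
    host: str
    user: str
    tool: str
    image: str
    reason: str


# key=value pairs; values may be double-quoted (paths with spaces).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one flattened event line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert if the event is a remote access tool launch that is
    not covered by the allowlist, otherwise None."""
    image = event.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    tool = REMOTE_ACCESS_TOOLS.get(exe)
    if tool is None:
        return None
    host = event.get("Computer", "?")
    if host in APPROVED_HOSTS:
        return None
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        reason = "remote access tool run from user-writable path"
    else:
        reason = "remote access tool on non-approved host"
    return Alert(host, event.get("User", "?"), tool, image, reason)


def scan(lines):
    """Classify every non-empty line and return the resulting alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = classify(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    'EventID=1 Computer=FIN-WS-07 User=CORP\\jdoe Image="C:\\Users\\jdoe\\Downloads\\AnyDesk.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=1 Computer=HELPDESK-01 User=CORP\\svc_help Image="C:\\Program Files\\TeamViewer\\TeamViewer.exe" ParentImage="C:\\Windows\\System32\\services.exe"',
    'EventID=1 Computer=FIN-WS-07 User=CORP\\jdoe Image="C:\\Windows\\System32\\QuickAssist.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=1 Computer=FIN-WS-07 User=CORP\\jdoe Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.user} ran {a.tool} ({a.image}): {a.reason}")
```

On a decoy host the allowlist would be empty, so any launch of these tools is an alert; on production endpoints the allowlist keeps the help desk out of the alert stream while the path check still surfaces the "download it during the call" pattern the procedure describes.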

Threat Actor: Financially Motivated Group

Threat Objective:

Financial gain through banking fraud and ransomware deployment.

Deception Opportunity:

Deploy honeypots mimicking banking systems or critical servers to divert attacker focus from real assets. Seed the honeypots with false financial information or decoy data to waste attacker resources and gather intelligence on exfiltration methods.

Sensor Data Placement: User-Mode

Observable Level: Core to Adversary-Brought Tool

Scoring Rationale:

Zloader’s environment check derives a bot ID from host system information so that the sample can tell whether it is still running on the host it originally infected. That check is specific to this malware rather than to the remote access technique itself: it helps the sample evade sandbox analysis, but the observable lives entirely inside the attacker-brought tool, which is why the level is rated Core to Adversary-Brought Tool rather than Core to the (Sub-)Technique.

Link to Report:

Link to Report II.:

Additional Comments:

Zloader demonstrates continuous evolution with anti-analysis techniques and a shift towards targeted attacks. Monitoring for misuse of legitimate remote access tools is crucial. The introduction of DNS tunneling for C2 communication highlights the need for network traffic inspection beyond standard web traffic.
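The DNS tunneling point above implies inspection of DNS query logs, not just HTTP(S). The following is an added example, not code from the original report and not a description of Zloader's actual tunnel encoding: it profiles DNS queries per client and parent domain and flags the generic tunneling signature (nearly every query is a new subdomain, and the names are long or high-entropy). The log format, the two-label approximation of the registered domain, the record-type list and the thresholds are assumptions for illustration and should be tuned against the environment's own baseline.

```python
"""Added example (not from the original report): heuristic DNS tunneling
detection over query logs. Format, thresholds and sample data are assumed."""
import math
from collections import defaultdict

# Record types with room for a payload in either direction. Assumption,
# not an exhaustive list.
SUSPECT_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname: str):
    """Return (subdomain, parent). The parent is approximated as the last
    two labels; production code should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile(lines):
    """Aggregate per (client, parent): query count, distinct subdomains,
    summed name length, summed subdomain entropy, suspect record types."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "qt": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        _ts, client, qtype, qname = parts
        sub, parent = split_domain(qname)
        s = stats[(client, parent)]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(qname)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        if qtype.upper() in SUSPECT_QTYPES:
            s["qt"] += 1
    return stats


def detect(lines, min_queries=5, min_unique_ratio=0.8, min_avg_len=40.0, min_entropy=3.0):
    """Flag (client, parent) pairs where almost every query carries a fresh
    subdomain and the names are long or high-entropy, i.e. look like
    encoded data rather than hostnames."""
    findings = []
    for (client, parent), s in profile(lines).items():
        if s["n"] < min_queries:
            continue
        unique_ratio = len(s["subs"]) / s["n"]
        avg_len = s["len"] / s["n"]
        avg_entropy = s["ent"] / s["n"]
        if unique_ratio >= min_unique_ratio and (avg_len >= min_avg_len or avg_entropy >= min_entropy):
            findings.append({
                "client": client,
                "parent": parent,
                "queries": s["n"],
                "unique_ratio": round(unique_ratio, 2),
                "avg_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "suspect_qtype_frac": round(s["qt"] / s["n"], 2),
            })
    return findings


# Constructed log: "<epoch> <client> <qtype> <qname>". The static-host
# lines are a benign CDN pattern (unique but short, low-entropy labels);
# the updates-svc lines imitate a data-carrying tunnel. Not real traffic.
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.21 A www.example.com
1700000002 10.0.0.21 A img1.static-host.example
1700000003 10.0.0.21 TXT 6a7f3b9c2d1e4f.a9c0b2d4e6f8a1b3.cmd.updates-svc.example
1700000004 10.0.0.21 A img2.static-host.example
1700000005 10.0.0.21 TXT 7b8e4c0d3f2a5e.b0d1c3e5f7a9b2c4.cmd.updates-svc.example
1700000006 10.0.0.21 A img3.static-host.example
1700000007 10.0.0.21 TXT 8c9f5d1e4a3b6f.c1e2d4f6a8b0c3d5.cmd.updates-svc.example
1700000008 10.0.0.21 A img4.static-host.example
1700000009 10.0.0.21 TXT 9d0a6e2f5b4c7a.d2f3e5a7b9c1d4e6.cmd.updates-svc.example
1700000010 10.0.0.21 A img5.static-host.example
1700000011 10.0.0.21 TXT 0e1b7f3a6c5d8b.e3a4f6b8c0d2e5f7.cmd.updates-svc.example
1700000012 10.0.0.21 A mail.example.com
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_DNS_LOG.splitlines()):
        print(f)
```

The benign CDN pattern also has a unique-subdomain ratio of 1.0, which is why the rule requires length or entropy as a second signal; in practice the thresholds should come from a per-environment baseline, and a resolver-side NXDOMAIN or TXT-response-size feature would tighten the heuristic further.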

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Zloader Attack Graph

[1]: Initial Access [TA0001] - Valid Accounts [T1078] --> Remote Services [T1021] --> Remote Desktop Protocol [T1021.001] - Use legitimate remote management tools (AnyDesk, TeamViewer, Quick Assist) to gain remote access; ATT&CK maps such tools to Remote Access Software [T1219] rather than RDP. (Core to Adversary-Brought Tool)
[2]: Execution [TA0002] - Command and Scripting Interpreter [T1059] --> Windows Command Shell [T1059.003] - Execute commands for reconnaissance and to launch next stage. (Core to Pre-Existing Tool)
[3]: Persistence [TA0003] - Create or Modify System Process [T1543] --> Windows Service [T1543.003] - Install Zloader as a Windows service. (Core to Some Implementations of (Sub-)Technique)
[4]: Command and Control [TA0011] - Application Layer Protocol [T1071] --> DNS [T1071.004] - Communicate with the C2 server using a custom DNS tunnel over IPv4. (Core to Adversary-Brought Tool)
[5]: Exfiltration [TA0010] - Exfiltration Over C2 Channel [T1041] - Exfiltrate data over DNS tunnel. (Core to Sub-Technique or Technique)

1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of System Monitoring)
3 --> 4 (Lack of Network Monitoring)
4 --> 5 (Lack of Network Monitoring)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]

# Zloader Pseudocode

function Initial_Access_Remote_Services(target_system):
# Establish remote session using AnyDesk, TeamViewer, or Quick Assist
# Deploy Zloader payload
return execution_payload

function Execution_Command_and_Scripting_Interpreter(execution_payload):
# Execute commands for reconnaissance and to launch next stage
return persistence_payload

function Persistence_Windows_Service(persistence_payload):
# Install Zloader as a Windows service
return C2_communication_module

function Command_and_Control_DNS_Tunnel(C2_communication_module):
# Establish DNS tunnel with C2 server
# Receive commands and exfiltrate data
return exfiltrated_data

function Exfiltration_Exfiltration_Over_C2_Channel(exfiltrated_data):
# Send exfiltrated_data to C2 server over DNS tunnel
return success
