Rewterz Threat Alert – ZLoader Banking Trojan – Active IOCs

Severity

High

Analysis Summary

ZLoader is also known as Terdot, DELoader, that loads the Zeus malware on victim machines after initial infection. It is a banking trojan. Like other banking trojans, It’s core capability is to harvest online account credentials for online banking sites (and some other services). When infected users land on a targeted online banking portal, malware dynamically fetches web injections from its command-and-control (C2) server to modify the page that the user sees, so that the information that the user enters into the log-in fields is sent to the cybercriminals. Attackers are found targeting victims with Invoice themed spear phishing malicious documents, in order to infect them with ZLoader. This wave of ZLoader samples also consists of files following the invoice-theme. The filenames are usually “invoice” or “case” with a special character like “.”, “-” or “_” followed by four random digits. The usual target is financial institutions and banks. ZLoader has multiple distribution methods. ZLoader was also found being distributed via malvertising campaigns earlier this September. Another campaign was found distributing ZLoader and other malware via Obfuscated VBScript in June.

Impact

• Credential Theft
• Financial Theft
• Data Exfiltration

Indicators of Compromise

MD5

• 5f469bd21aff0d4cad1adad0c3c123e0
• 44c23544f1a62380dbd705594905dd32

SHA-256

• 5e9f16bf590acac8f7b4b2ac45dc754129d9daf1fd2f87f076ff0898d95541b8
• 6c4e4b3df9dc07fbccc61563533246eed88269a53a95089ccc6bf96b508e15c3

SHA-1

• 592d22543368bcef8bf4fe4d0bfcb7af9202e20f
• beab91a74563df8049a894d5a2542dd8843553c2

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.