Zloader, a banking malware that steals sensitive user data, is back with a more sophisticated infection chain. It evades detection while exploiting Microsoft’s digital signature verification method. A detailed report about the malware believed to be the work of the MalSmoke cybercriminal group was published by Checkpoint. A list of indicators of compromise (IoCs) is included, and the WhoisXML API research team used this list as the basis for IoC and artifact expansion. A summary of our findings is detailed below.
Two domains use the same exact registrant details as teamworks455[.]com.
Almost 1,000 domains possibly created through a domain generation algorithm (DGA) that share the same name server, registrar, top-level domain (TLD), and privacy protection service provider as an IoC were registered between 18 November 2021 and 7 January 2022.
The IoCs resolve to seven unique IP addresses, two of which are possibly dedicated.
Feel free to download the complete list of IoCs and artifacts related to this Zloader threat research from our website. We’ll discuss our analysis and research below.
Malicious files used in the campaign were stored in an open directory hosted at teamworks455[.]com. Checkpoint reports that as of 2 January 2022, the files have been downloaded by 2,170 unique IP addresses. The report further states that the domain is linked to pornislife[.]online, a MalSmoke IoC detected in 2020. A quick look at both domains’ historical WHOIS records seems to confirm this connection.
In addition to teamworks455[.]com, the campaign’s command-and-control (C&C) servers include these domains:
At this point, we used various domain, WHOIS, and IP intelligence sources and tools to dig deeper into the IoCs in an effort to find artifacts possibly involved in the campaign.
The registrants behind the malware-hosting domain didn’t bother using a privacy protection service. Although it’s possible that they used an alias, we still had the registrant name (Haiklas Oiklas) and email address (nvk08178@zwoho[.]com) to work with.
The registrant name is shared by the domain dontupdatemeplease[.]com, while the registrant email address is shared by ultrahdpornogirl[.]com, a domain more consistent with MalSmoke. The Maltego graph below shows how the three domains are connected.
All domains that act as Zloader C&C servers were registered using privacy protection services. Most of them are under the registrar Dynadot, while asdfghdsajkl[.]com had the same registrar as teamworks455[.]com (REG.RU LLC).
A glance at the IoC list also tells us that the domains appear to have been created using a DGA, since their names consist of random-looking alphanumeric strings. Most of the DGA domains were created on 7 January 2022, except for asdfghdsajkl[.]com and lkjhgfgsdshja[.]com, which were registered on 18 November and 11 December 2021, respectively.
We used these common characteristics to obtain similar domains through Reverse WHOIS Search.
These search terms yielded more than 1,000 domains, most of which could be DGAs.
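The pivot described above (keep candidates that share the seed IoC's registrar, name server, TLD and privacy provider, then look for random-looking labels) can be scripted for triage. The following is an added example, not code from the WhoisXML API post or its tools; the records, domain names, thresholds and the `dga_score` heuristic are all constructed for illustration and are not tuned against real DGA families.

```python
"""
Added example: filter Reverse-WHOIS style candidates by a seed IoC's
registration profile and score each second-level label for DGA-likeness.
All records, thresholds and field names below are constructed.
"""
import math
from collections import Counter
from typing import Dict, List

VOWELS = set("aeiou")
PIVOT_KEYS = ("registrar", "name_server", "tld", "privacy_provider")


def refang(domain: str) -> str:
    """Turn a defanged name such as example[.]com back into example.com."""
    return domain.replace("[.]", ".").lower()


def shannon_entropy(s: str) -> float:
    """Bits per character of the label's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consonants (digits break a run)."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(domain: str) -> float:
    """Constructed heuristic in [0, 1]; higher means a more random-looking label."""
    label = refang(domain).split(".")[0]
    if not label:
        return 0.0
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    score = 0.0
    if shannon_entropy(label) >= 3.0:        # flat character distribution
        score += 0.4
    if vowel_ratio < 0.25:                    # hard to pronounce
        score += 0.3
    if longest_consonant_run(label) >= 5:     # long consonant clusters
        score += 0.3
    return round(score, 2)


def shares_registration_profile(seed: Dict, candidate: Dict) -> bool:
    """True when the candidate matches the seed on every pivot attribute."""
    return all(seed.get(k) == candidate.get(k) for k in PIVOT_KEYS)


def triage(seed: Dict, candidates: List[Dict], threshold: float = 0.6) -> List[Dict]:
    """Candidates matching the seed's profile whose label scores at or above threshold."""
    kept = []
    for rec in candidates:
        if not shares_registration_profile(seed, rec):
            continue
        score = dga_score(rec["domain"])
        if score >= threshold:
            kept.append({**rec, "dga_score": score})
    return sorted(kept, key=lambda r: r["dga_score"], reverse=True)


# Constructed seed and candidates (names and providers are placeholders).
PROFILE = {"registrar": "RegistrarA", "name_server": "ns1.host.example",
           "tld": "com", "privacy_provider": "PrivacyGuard"}
SEED = {"domain": "xkqzvbwtrplm[.]com", **PROFILE}
CANDIDATES = [
    {"domain": "pzrtvqkxmwnb[.]com", **PROFILE},                      # profile + DGA-like
    {"domain": "example[.]com", **PROFILE},                           # profile, readable name
    {"domain": "hjkwqzxpvtbr[.]com", **PROFILE, "registrar": "Other"},  # DGA-like, other registrar
]

if __name__ == "__main__":
    for row in triage(SEED, CANDIDATES):
        print(row["domain"], row["dga_score"])
```

Only `pzrtvqkxmwnb[.]com` survives both filters; the readable name is dropped by the lexical score and the third candidate by the registrar mismatch. The lexical score is deliberately crude: treat it as a way to prioritise a thousand-domain pull for analyst review, not as proof that a name is DGA-generated.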
According to Reverse IP Lookup, out of the 11 IoCs, only 10 actively resolved to seven IP addresses. They are listed below.
Most of the IP addresses seem to be shared hosting, as each was shared by more than 300 domains. The first 299 connected domains under each IP address are included in the downloadable research materials. However, two IP addresses—80[.]78[.]241[.]26 and 134[.]0[.]117[.]16—stood out, as only a handful of domains resolved to them, which suggests they may be dedicated.
To recall, we started out with 11 domains considered IoCs for the newly detected MalSmoke campaign distributing Zloader. Mapping out the IP, DNS, and WHOIS footprints of these IoCs led us to more artifacts.
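The "only a handful of domains resolve to it" test for a possibly dedicated address, and the check for IoCs that no longer resolve, can be applied mechanically to reverse-IP output. The block below is an added example and not code from the WhoisXML API post; the IP addresses (documentation ranges), domain names, the 300-entry truncation marker and the `dedicated_max` cut-off are constructed.

```python
"""
Added example: classify reverse-IP results as possibly dedicated or shared,
rank them by how many resolving domains are known IoCs, and list IoCs that
do not resolve at all. All data and thresholds are constructed.
"""
from typing import Dict, Iterable, List, Set

# Reverse-IP services often cap the returned list; a count at the cap is a
# lower bound, not the true number of hosted domains (constructed value).
TRUNCATED_AT = 300

# Constructed reverse-IP results: IP -> domains currently resolving to it.
REVERSE_IP: Dict[str, List[str]] = {
    "192.0.2.10": ["c2-aaaa.example", "c2-bbbb.example", "blog-host.example"],
    "192.0.2.11": ["c2-cccc.example"],
    "198.51.100.5": [f"site{i}.example" for i in range(TRUNCATED_AT)],
}

# Constructed IoC set; c2-dddd.example deliberately resolves nowhere.
IOCS: Set[str] = {"c2-aaaa.example", "c2-bbbb.example",
                  "c2-cccc.example", "c2-dddd.example"}


def classify_ip(ip: str, hosted: Iterable[str], iocs: Set[str],
                dedicated_max: int = 10) -> Dict:
    """Summarise one address: hosted count, IoC overlap and a shared/dedicated label."""
    hosted = list(hosted)
    n = len(hosted)
    ioc_hits = sorted(set(hosted) & iocs)
    return {
        "ip": ip,
        "hosted": n,
        "count_is_lower_bound": n >= TRUNCATED_AT,
        "ioc_hits": ioc_hits,
        "ioc_share": round(len(ioc_hits) / n, 2) if n else 0.0,
        "class": "possibly dedicated" if 0 < n <= dedicated_max else "shared",
    }


def rank_ips(reverse_ip: Dict[str, List[str]], iocs: Set[str],
             dedicated_max: int = 10) -> List[Dict]:
    """Possibly dedicated addresses first, then by IoC share, then by IP string."""
    rows = [classify_ip(ip, hosted, iocs, dedicated_max)
            for ip, hosted in reverse_ip.items()]
    rows.sort(key=lambda r: (r["class"] != "possibly dedicated",
                             -r["ioc_share"], r["ip"]))
    return rows


def unresolved_iocs(reverse_ip: Dict[str, List[str]], iocs: Set[str]) -> List[str]:
    """IoCs that appear under no address in the reverse-IP results."""
    resolving = set()
    for hosted in reverse_ip.values():
        resolving.update(hosted)
    return sorted(iocs - resolving)


if __name__ == "__main__":
    for row in rank_ips(REVERSE_IP, IOCS):
        bound = " (truncated)" if row["count_is_lower_bound"] else ""
        print(f'{row["ip"]:14} {row["class"]:19} hosted={row["hosted"]}{bound} '
              f'ioc_share={row["ioc_share"]} hits={row["ioc_hits"]}')
    print("not resolving:", unresolved_iocs(REVERSE_IP, IOCS))
```

An address that hosts few domains and where most of them are already IoCs (192.0.2.11 in the constructed data) is the strongest candidate for attacker-controlled infrastructure; a heavily shared address tells you little on its own, and a count sitting at the service's cap should be read as "at least that many".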
If you’re interested in the Zloader and MalSmoke IoCs and artifacts discussed in this post, you can download the research materials here. You may also contact us for research collaboration.