2020-03-26 - INFORMATION_03_26.DOC PUSHES ZLOADER
- 2020-03-26-ZLoader-IOCs.txt.zip 2.1 kB (2,147 bytes)
- 2020-03-26-example-of-malspam-pushing-ZLoader.txt.zip 122 kB (122,156 bytes)
- 2020-03-26-ZLoader-infection-traffic.pcap.zip 8.3 MB (8,324,485 bytes)
- 2020-03-26-ZLoader-malware-and-artifacts.zip 8.6 MB (8,577,157 bytes)
- This particular campaign has been pushing Ursnif since sometime in 2018.
- Starting earlier this month, I've sometimes seen other malware instead of Ursnif.
- All zip archives on this site are password-protected with the standard password. If you don't know it, see the "about" page of this website.
Shown above: Extracting information_03_26.doc from the zip archive.
Shown above: Artifact immediately dropped after enabling macros on information_03_26.doc.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: The initial DLL seen in today's wave for this campaign. In this case, it's ZLoader.
Shown above: Some of the decoy folders created along with the folder for the persistent ZLoader DLL.
Shown above: Registry update to keep the ZLoader infection persistent.
Click here to return to the main page.