2020-06-18 - PASSWORD-PROTECTED XLS FILES PUSH ZLOADER

ASSOCIATED FILES:

NOTES:

 

IMAGES


Shown above:  Opening one of these password-protected XLS files in Microsoft Excel (password is: 1234).



Shown above:  Screenshot of the unlocked XLS file.



Shown above:  Traffic retrieving the ZLoader DLL after enabling macros on the unlocked XLS file.



Shown above:  Initial location of the ZLoader DLL saved to the victim host.



Shown above:  Traffic from the infection filtered in Wireshark.



Shown above:  An example of ZLoader post-infection traffic.



Shown above:  Several decoy directories created under the user's AppData\Roaming folder.



Shown above:  After signing out or rebooting, we find a registry update to keep the ZLoader infection persistent.