2020-06-18 - PASSWORD-PROTECTED XLS FILES PUSH ZLOADER
ASSOCIATED FILES:
- 2020-06-18-IOCs-for-password-protected-XLS-files-pushing-ZLoader.txt.zip 1.5 kB (1,545 bytes)
- 2020-06-18-ZLoader-infection-from-password-protected-XLS-file.pcap.zip 4.8 MB (4,823,148 bytes)
- 2020-06-18-malware-for-password-protected-XLS-files-and-ZLoader.zip 3.2 MB (3,207,243 bytes)
NOTES:
- For more information, see my ISC diary from 2020-06-10 titled Job application-themed malspam pushes ZLoader.
- All zip archives on this site are password-protected with the standard password. If you don't know it, see the "about" page of this website.
IMAGES
Shown above: Opening one of these password-protected XLS files in Microsft Excel (password is: 1234).
Shown above: Screenshot of the unlocked XLS file.
Shown above: Traffic retrieving ZLoader DLL after enabling macros on the unlocked XLS file.
Shown above: Initial location of the ZLoader DLL saved to the victim host.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: An example of ZLoader post-infection traffic.
Shown above: Several decoy directories created under the user's AppData\Roaming folder.
Shown above: After signing out or rebooting, we find a registry update to keep the ZLoader infectino persistent.
Click here to return to the main page.