2020-06-18 - PASSWORD-PROTECTED XLS FILES PUSH ZLOADER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2020-06-18-IOCs-for-password-protected-XLS-files-pushing-ZLoader.txt.zip 1.5 kB (1,545 bytes)
- 2020-06-18-ZLoader-infection-from-password-protected-XLS-file.pcap.zip 4.8 MB (4,823,148 bytes)
- 2020-06-18-malware-for-password-protected-XLS-files-and-ZLoader.zip 3.2 MB (3,208,907 bytes)
NOTES:
- For more information, see my ISC diary from 2020-06-10 titled Job application-themed malspam pushes ZLoader.
IMAGES
Shown above: Opening one of these password-protected XLS files in Microsft Excel (password is: 1234).
Shown above: Screenshot of the unlocked XLS file.
Shown above: Traffic retrieving ZLoader DLL after enabling macros on the unlocked XLS file.
Shown above: Initial location of the ZLoader DLL saved to the victim host.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: An example of ZLoader post-infection traffic.
Shown above: Several decoy directories created under the user's AppData\Roaming folder.
Shown above: After signing out or rebooting, we find a registry update to keep the ZLoader infectino persistent.
Click here to return to the main page.