Since December 2019, Zloader had revived as “Silent Night”, and it has been used various attack campaigns. It has especially been used in two attack campaigns (PseudoGate and Malsmoke). These attack campaigns are aimed at users in Japan, Canada, or U.S. to obtain banking related information. Zloader connects to its C&C servers with HTTPS and domain names generated by DGA. Therefore, it is difficult to detect Zloader’s attack on network.
We developed a system that collects information of infected hosts from logs on Zloader’s C&C server. To find the C&C servers, we collected Zloader samples and extracted their internal config data by using several public services. We have been making use of the system since March 2021. This system observes all Zloader’s C&C servers for various attack campaigns, and we know the Zloader infection scale of each campaign on a daily basis.
In this presentation, we will share characteristics of Zloader first. Then, we will introduce the Zloader investigation system in detail. Furthermore, we will share the data obtained by the system and the consideration from the data. Therefore, SOC, CSIRT and security researchers who research Zloader will be able to have deeper understanding and to take countermeasure against them.