ZLoader alert activity

Surface devices with ZLoader alerts and related malicious activity.

// Get any devices with ZLoader related Alert Activity
let DeviceAlerts = AlertInfo
| where Title in~('Suspicious behavior associated with ZLoader',
'File associated with ZLoader',
'Connection to a domain associated with ZLoader')
// Join in evidence information
| join AlertEvidence on AlertId
| where DeviceId != ""
| summarize by DeviceId, Title;
// Get additional alert activity for each device
AlertEvidence
| where DeviceId in(DeviceAlerts)
// Add additional info
| join kind=leftouter AlertInfo on AlertId
| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)

MSHTA-loading DLLs

Look for instances of MSHTA loading suspicious DLL files.

// Find executables whose version info identifies them as certutil.exe
// but whose file name has been changed, excluding common installer paths
DeviceProcessEvents
| where not(FileName has_any("certutil", "certutil32")) and FileName endswith ".exe" and ProcessVersionInfoFileDescription =~ "certutil.exe"
| where not(FolderPath has_any("installer", "program files"))

Suspicious registry keys

Look for registry keys created by the fraudulent, attacker-created companies used in this campaign.

// Registry values naming the fraudulent companies used in this campaign
DeviceRegistryEvents
| where RegistryValueData in('Flyintellect Inc.', 'Datalyst ou')

Malicious .bat file created in fake Oracle Java SE folder path

Look for .bat files created in the Oracle Java SE file path associated with this activity.

// .bat files written under the fake Oracle Java SE folder
DeviceFileEvents
| where FileName endswith '.bat'
 and FolderPath has @'Program Files (x86)\Sun Technology Network\Oracle Java SE'

Tim.exe payload delivery

Look for the Tim.exe payload being downloaded onto an affected device.

// PowerShell Invoke-WebRequest downloads that write the tim.EXE payload
DeviceNetworkEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
 and InitiatingProcessCommandLine has('Invoke-WebRequest') and InitiatingProcessCommandLine endswith '-OutFile tim.EXE'

Summary: Microsoft took action against the ZLoader trojan by working with telecommunications providers around the world to disrupt key ZLoader infrastructure. In this blog, we detail the various characteristics for identifying ZLoader activity, including its associated tactics, recent campaigns, and affiliated payloads, such as ransomware.
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware | Microsoft Security Blog