Unknown PowerShell Backdoor Connected To ZLoader
While investigating a new variant of Zloader/SilentNight, researchers at Walmart identified a previously unknown PowerShell backdoor packed with AgileDotNet. The backdoor is designed for reconnaissance and for deploying additional malware, including Zloader. It runs a series of system checks; if these fail, it uninstalls itself and deletes previously written data. If the checks pass, it writes a VB downloader to disk, which executes a hardcoded curl command to download and run files from an encoded URL. For persistence it creates a scheduled task and a registry Run key. The malware then collects, encodes, encrypts, and exfiltrates system information to its command-and-control servers.
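The persistence pattern described above (a Run key plus a scheduled task launching a VBScript downloader that calls curl) can be triaged on a host with a short PowerShell sweep. The script below is an added example, not code from the Walmart report or from the malware; the keyword list and the Run-key paths are assumptions chosen to match the behaviour summarised here, and any hit is a lead for an analyst, not a verdict.

```powershell
# Added triage check (not from the Walmart report): list Run-key values and
# scheduled-task actions that launch a VBScript host or invoke curl, which is
# the persistence/downloader chain described for this backdoor.
$patterns = '\.vbs\b', '\bwscript(\.exe)?\b', '\bcscript(\.exe)?\b', '\bcurl(\.exe)?\b'
$regex = ($patterns -join '|')   # assumed keyword list; tune to your environment

function Test-SuspiciousCommand {
    param([string]$Command)
    return [bool]($Command -and ($Command -imatch $regex))
}

# 1. Registry Run keys (per-user and machine-wide, including the 32-bit view)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own metadata properties
        $value = [string]$p.Value
        if (Test-SuspiciousCommand $value) {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $value }
        }
    }
}

# 2. Scheduled tasks whose action runs a VBScript host or curl
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if (Test-SuspiciousCommand $cmd) {
            [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName)"
                Name    = $task.Author
                Command = $cmd
            }
        }
    }
}
```

curl.exe ships with current Windows builds and VBScript is used by some legitimate installers, so review each hit against the file it points to before acting; run from an elevated session to see all tasks and the HKLM keys.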