ZLib
ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.[1]
ID: S0086
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 30 September 2022
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1036 | .005 | 伪装: Match Legitimate Name or Location |
ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[1] |
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
ZLib creates Registry keys to allow itself to run as various services.[1] |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell | |
| Enterprise | T1113 | 屏幕捕获 |
ZLib has the ability to obtain screenshots of the compromised system.[1] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| Enterprise | T1560 | .002 | 归档收集数据: Archive via Library |
The ZLib backdoor compresses communications using the standard Zlib compression library.[1] |
| Enterprise | T1083 | 文件和目录发现 | ||
| Enterprise | T1082 | 系统信息发现 | ||
| Enterprise | T1007 | 系统服务发现 |
ZLib has the ability to discover and manipulate Windows services.[1] |
|
| Enterprise | T1105 | 输入工具传输 | ||
| Enterprise | T1041 | 通过C2信道渗出 |
ZLib has sent data and files from a compromised host to its C2 servers.[1] |
|
Campaigns
| ID | Name | Description |
|---|---|---|
| C0016 | Operation Dust Storm |