ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | The ZLib backdoor compresses communications using the standard Zlib compression library.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | ZLib creates Registry keys to allow itself to run as various services.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ZLib has sent data and files from a compromised host to its C2 servers.[1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[1] |
| Enterprise | T1113 | Screen Capture | ZLib has the ability to obtain screenshots of the compromised system.[1] |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1007 | System Service Discovery | ZLib has the ability to discover and manipulate Windows services.[1] |

| ID | Name | Description |
|---|---|---|
| C0016 | Operation Dust Storm | |