S0086 ZLib

ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.¹

Item	Value
ID	S0086
Associated Names
Type	MALWARE
Version	1.2
Created	31 May 2017
Last Modified	30 September 2022
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1071	Application Layer Protocol	-
enterprise	T1071.001	Web Protocols	ZLib communicates over HTTP for C2.¹
enterprise	T1560	Archive Collected Data	-
enterprise	T1560.002	Archive via Library	The ZLib backdoor compresses communications using the standard Zlib compression library.¹
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.003	Windows Command Shell	ZLib has the ability to execute shell commands.¹
enterprise	T1543	Create or Modify System Process	-
enterprise	T1543.003	Windows Service	ZLib creates Registry keys to allow itself to run as various services.¹
enterprise	T1041	Exfiltration Over C2 Channel	ZLib has sent data and files from a compromised host to its C2 servers.¹
enterprise	T1083	File and Directory Discovery	ZLib has the ability to enumerate files and drives.¹
enterprise	T1105	Ingress Tool Transfer	ZLib has the ability to download files.¹
enterprise	T1036	Masquerading	-
enterprise	T1036.005	Match Legitimate Name or Location	ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.¹
enterprise	T1113	Screen Capture	ZLib has the ability to obtain screenshots of the compromised system.¹
enterprise	T1082	System Information Discovery	ZLib has the ability to enumerate system information.¹
enterprise	T1007	System Service Discovery	ZLib has the ability to discover and manipulate Windows services.¹

References

Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. ↩↩↩↩↩↩↩↩↩↩↩↩