ExecuteMalware

2020-04-16 ZLoader IOCs

Apr 16th, 2020
The method I use for deobfuscating the ZLoader Excel 4 macros and getting the payload URLs still works:

1. Open the document and do not enable macros
2. To reveal the hidden macro sheet, go to the VB Editor and open the Immediate Window (CTRL-G)
3. Type the following and hit Enter:
for each ws in sheets:ws.visible=true:next
4. On the newly visible macro sheet, find the cell that reads =GOTO(C1) (or whatever the value is)
5. Also there should be a cell above the =GOTO cell that reads =WORKSPACE.HIDE("RandomSheetName",TRUE)
6. Clear the contents of both cells
7. Now you can enable the macros
8. You should see the deobfuscated macros starting in the cell that was specified in the =GOTO(C1) cell
(before you cleared the contents of that cell - in our case it's cell C1)

The macro shouldn't run (since you cleared the contents of the GOTO cell) but I typically do this with no connectivity just as a double check.
  16.  
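Steps 2 to 6 above as a single VBA routine, added here as an example and not part of the original paste: drop it into a standard module in the VB Editor of the opened document (macros still disabled) and run it from the Immediate Window. It assumes the document is the active workbook and that the =GOTO and =WORKSPACE.HIDE cells sit on an Excel 4 macro sheet as described; the routine name and its clearCells switch are mine.

```vba
' Added example (not from the original paste): automates steps 2 to 6.
' Paste into a standard module in the VB Editor of the opened document while
' macros are still disabled, then run from the Immediate Window:
'   NeutralizeXlmEntry False   ' only list the =GOTO / =WORKSPACE.HIDE cells
'   NeutralizeXlmEntry         ' list and clear them (step 6)
' Assumes the document is the active workbook; the routine name is mine.
Option Explicit

Sub NeutralizeXlmEntry(Optional ByVal clearCells As Boolean = True)
    Dim wb As Workbook
    Dim sh As Object
    Dim cell As Range
    Dim f As String
    Dim hits As Long

    Set wb = ActiveWorkbook

    ' Step 2: reveal every sheet, including ones set to xlSheetVeryHidden,
    ' which the Unhide dialog never lists.
    For Each sh In wb.Sheets
        sh.Visible = xlSheetVisible
    Next sh

    ' Steps 4 and 5: scan each Excel 4 macro sheet for the entry cells.
    ' Range.Formula on a macro sheet returns the XLM formula text.
    For Each sh In wb.Excel4MacroSheets
        For Each cell In sh.UsedRange.Cells
            f = UCase$(cell.Formula)
            If Left$(f, 6) = "=GOTO(" Or Left$(f, 16) = "=WORKSPACE.HIDE(" Then
                hits = hits + 1
                Debug.Print sh.Name & "!" & cell.Address(False, False) & ": " & cell.Formula
                ' Step 6: clearing the GOTO cell stops the macro at its entry
                ' point; the cell named inside GOTO(...) is where the
                ' deobfuscated code will appear once macros are enabled.
                If clearCells Then cell.ClearContents
            End If
        Next cell
    Next sh

    Debug.Print hits & " entry cell(s) found on " & wb.Excel4MacroSheets.Count & " macro sheet(s)"
End Sub
```

Run it with clearCells = False first so the Immediate Window lists every candidate cell; only the cells matching the pattern in steps 4 and 5 should appear before you clear them and continue with step 7.
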
Here are the ZLoader IOCs that I saw on 2020-04-16

SUBJECTS OBSERVED
Account invoice-#553438 tip
Apr. Incoming Invoice Number #71097, Karma hive
Case 137201: improper information in the sent document
Case 151047: improper information in the accepted statement
Case 197782: improper information in the sent statement
Case 333953: mistake in the sent invoice
Case 366209: error in the received statement
Case 404745: error in the received invoice
Case 425177: error in the collected document
Case 440377: improper information in the sent document
Case 788701: incorrect information in the received receipt
Case 802333: mistake in the accepted receipt
Case 850033: improper information in the accepted statement
Case 952590: incorrect information in the accepted document
Case 956642: improper information in the received invoice
Duplicated sent invoice #220020
Lawsuit formed - missed payment #129746
Lawsuit formed - missed payment #529257
Lawsuit prepared - missed due payment #325133
Lawsuit prepared - missed due payment #808480
Lawsuit prepared - missed payment #970694
Legal case formed - missed due payment #882677
Legal case prepared - missed due payment #369678
Legal case prepared - missed payment #332125
Legal case prepared - missed payment #904032
Monthly bill-#697717 tip
Monthly bill-#957318 notification
Recent invoice-#299841 reminder
Recent invoice-#414650 notification
Recent invoice-#781702 notice
Recent invoice-#820597 tip
Repeated given invoice #110156
Repeated given invoice #229437
Repeated invoice #498562
Repeated sent invoice #202547
Repeated sent invoice #625131
Repeated sent invoice #897211
Replicated given invoice #399436
Replicated invoice #203648
Replicated sent invoice #212693
Requested invoice for agreement #194347
Requested invoice for agreement #690316
Requested invoice for contract #180327
Requested payment invoice for agreement #265993
Requested payment invoice for contract #382311
The copy of given invoice #539735
This is your Customer Invoice
This is your New Invoice - Number #46344 from Ocean rover
This is your Service Invoice from Phantasm Enterprises
You have New incoming Invoice, No. # 98189 - from Shrub Industries
Your New service Invoice - Number #92820
Your Service Invoice Number #94618

SENDERS OBSERVED

EXCEL FILE HASHES

ZLOADER PAYLOAD URLs
http://reneixer.org/wp/wp-content/themes/calliope/wp_data.php
http://saidulhussen.com/wp-content/themes/calliope/wp-front.php
http://sarkarjewells.com/wp-content/themes/calliope/wp-front.php
http://semplyusya.ru/wp-content/themes/calliope/wp_data.php