07/20/2020: ZLoader Campaign IOCs

1. https://twitter.com/DynamicAnalysis/status/1285264183328673792
2.  
3. #ZLoader #malspam with .xls attachments.
4.  
5. Downloader URLs:
6. hxxps://bdvan.com/wp-keys.php
7. hxxps://atemschutzmasken-schutzmasken.de/wp-keys.php
8. hxxps://bitcoincasinoreview.com/wp-keys.php
9. hxxps://ballista.vn/wp-keys.php
10.  
11. C2s:
12. https://33x.us/wp-parsing.php
13. https://adealbox.com/wp-parsing.php
14. https://aeronchairbyhermanmiller.com/wp-parsing.php
15. https://bitvshe.club/wp-parsing.php
16. https://bkk-wertgeschaetzt.de/wp-parsing.php
17. https://buydeel.com/wp-parsing.php
18. https://bothigolfscuron.tk/wp-parsing.php
19. https://caixabanktalks-bancaprivada.agoranews.es/wp-parsing.php
20. https://cardskool.com/wp-parsing.php
21. https://cloudguchenleteli.gq/wp-parsing.php
22.  
23. .xls sample:
24. https://app.any.run/tasks/3ec42809-fca8-42f9-b9c9-6bf45425e564#
25.  
26. .dll sample:
27. https://app.any.run/tasks/735f5ec6-fb18-4c92-9d3f-bacf30a50083
28. _____________________________________________________________________
29.  
30. Here is another .xls sample with a couple different downloader URLs:
31.  
32. https://ashok-poudel.com.np/wp-keys.php
33. https://atemschutzmasken-schutzmasken.de/wp-keys.php
34. https://aulaabierta.agoranews.es/wp-keys.php
35. https://ballista.vn/wp-keys.php
36.  
37. .xls sample:
38. https://app.any.run/tasks/f7878778-1305-4eb6-9215-f6f7acac4e85#
39. _____________________________________________________________________
40.  
41. Additional information from @JasonMilletary (https://twitter.com/JasonMilletary/status/1285295845601087488)
42.  
43. Looks like they upgraded the minor version number from 1.3.27.0 to 1.4.27.0.
44.  
45. Also an additional C2 URL that gets added:
46. https://tiawildlidapu.tk/wp-parsing.php