
CISO Monthly Roundup, April 2024: ThreatLabz 2024 Phishing Report, PAN-OS zero day, MadMxShell, Black Hat SEO, Pikabot, Zloader, and security advisories

May 06, 2024

The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on other cyber-related subjects. Over the past month ThreatLabz released its 2024 Phishing Report, examined the PAN-OS zero day, and analyzed MadMxShell, Black Hat SEO, Pikabot, and Zloader. For those attending RSA, I will be presenting on recent APT attacks on May 9th at 12:20PM.

Zscaler ThreatLabz 2024 Phishing Report

The Zscaler ThreatLabz 2024 Phishing Report highlights the unprecedented sophistication of phishing threats driven by generative AI tools. These advancements have democratized phishing, enabling low-skilled actors to orchestrate complex attacks. The report analyzes over 2 billion phishing transactions from 2023 to provide insights into emerging tactics, top targets, and regional trends. It emphasizes the need for constant vigilance and zero trust security strategies to combat evolving phishing techniques.

Figure 1: A breakdown of attempted phishing attacks by industry vertical

Some key findings in our report include:

  • Phishing attacks surged by 58.2% in 2023
  • Vishing (voice phishing) and deepfake phishing are on the rise, leveraging AI tools for advanced social engineering
  • The US, UK, India, Canada, and Germany are identified as the top targets for phishing attacks
  • The finance and insurance industry faced the highest concentration of phishing attacks, marking a 393% increase year-over-year
  • Microsoft remains the most frequently imitated brand in phishing attempts
  • The top three social media platforms targeted for phishing attacks are Telegram, Facebook, and WhatsApp

How Can Zscaler Help?

Figure 2: Three inline anti-phishing technologies Zscaler uses to protect customers

Zscaler offers AI-powered phishing prevention capabilities, including browser isolation to prevent exploitation via phishing pages. Its Zero Trust Exchange architecture prevents compromise, lateral movement, insider threats, and data loss at multiple stages of the attack chain. Adopting security best practices and leveraging Zscaler’s advanced solutions will enhance your organization’s resilience to phishing attacks in 2024 and beyond.

A PAN-OS Zero-Day, or Another Reason to Consider Zero Trust

No vendor is immune to vulnerabilities and software defects, but the past year has seen a surge in zero-day vulnerabilities impacting VPNs and firewalls, which highlights the weaknesses of legacy architectures. The latest vulnerability, CVE-2024-3400, affects Palo Alto Networks GlobalProtect Gateway and is being actively exploited in the wild. The vulnerability allows an unauthenticated user to run arbitrary commands with root privileges.

Palo Alto Networks advises customers to promptly apply available hotfixes (PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3) to mitigate the risk. As an alternative, customers can temporarily disable device telemetry until upgrading to a fixed PAN-OS version. It is crucial for organizations using this technology to monitor their network for suspicious activity.


Figure 3: One variation of a firewall-based attack chain targeting the PAN-OS zero-day vulnerability

Legacy VPN and firewall architectures make organizations vulnerable by creating multiple public-facing points of failure. To mitigate risks, organizations should adopt a zero trust architecture that reduces the attack surface and eliminates the need for traditional VPN and firewall products. This approach ensures stronger security and prevents lateral movement within the network. Other security best practices include minimizing the attack surface, enforcing least-privileged access, and implementing strong multi-factor authentication.

Read the full article

Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Deception, ITDR.

Malvertising campaign targeting IT teams with MadMxShell

Zscaler ThreatLabz recently observed a threat actor spoofing multiple IP scanner software domains to distribute a malicious backdoor. Through a mix of typosquatting and Google ad promotions, the threat actor sought to deceive enterprise IT security and network administration teams looking for legitimate IP scanning software. Instead of offering security tools, the attacker sites distributed a new backdoor called "MadMxShell."


Figure 4: The MadMxShell end-to-end attack-chain - malvertising, followed by multiple intermediate stages of DLL sideloading, and DNS tunneling to the C2 server

MadMxShell employs techniques like DLL sideloading, DNS communication with the command-and-control server, and memory forensic evasion. Our blog provides a detailed technical analysis of the backdoor, including its attack chain, infrastructure, and communication protocol. It also highlights the threat actor's focus on targeting IT professionals and emphasizes the importance of following security best practices to avoid falling victim to such attacks.

Learn more about MadMxShell

Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

Black Hat SEO leveraged to distribute malware

Zscaler ThreatLabz researchers released a technical analysis of the SEO tactics employed by threat actors to distribute malware and steal data using fraudulent websites. These sites are often found on popular web hosting and blogging platforms. Threat actors intentionally create these sites to spread malware, taking advantage of the proliferation of web hosting platforms to manipulate search engine results. This tactic is called SEO poisoning and is a subset of Black Hat SEO techniques.

Figure 5: A comparison of a fake and legitimate MediaFire page being hosted on Weebly

The threat actors use obfuscation, selective redirection, and anti-debugging techniques to evade detection. They deliver malicious payloads through multi-level zipped files hidden within innocent-looking content. Once executed, the malware performs activities like process hollowing, DLL sideloading, and executing PowerShell commands to download additional malware and communicate with command-and-control servers. The malware collects extensive data, including system information, browser data, credentials, browsing history, and monitors emails related to cryptocurrency exchanges. It can also modify email content and potentially steal one-time authentication codes.

Learn more about Black Hat SEO

Automating Pikabot’s String Deobfuscation

Pikabot is a malware loader that extensively uses encryption to obfuscate its code and thwart malware analysis. In our latest Pikabot update, ThreatLabz researchers provide a concise overview of Pikabot’s obfuscation technique. We also introduce an IDA plugin, complete with its source code (available on GitHub) that you can use in your binary analysis.

Figure 6: The ThreatLabz Pikabot deobfuscator, available on GitHub

Our analysis shows that Pikabot’s string obfuscation method is similar to ADVobfuscator, and describes its decryption process. We explain how Pikabot encrypts each string using RC4 with a unique key and decrypts it only when needed. Pikabot’s obfuscation method was eliminated with the release of a new version in early 2024. As of April 2024, this particular obfuscation approach has not resurfaced in any Pikabot samples.
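As an added illustration of the scheme described above (this is not the ThreatLabz IDA plugin, and the table layout, strings and keys are constructed), the following decrypts a table of strings where every entry carries its own RC4 key:

```python
# Added example, not ThreatLabz code: recover strings that were each
# RC4-encrypted under a unique key, as the Pikabot update describes.
# The (key, ciphertext) table layout and all sample data are constructed.
from typing import List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_table(strings: List[str], keys: List[bytes]) -> List[Tuple[bytes, bytes]]:
    """Constructed helper: one (key, ciphertext) entry per string, each with its own key."""
    return [(k, rc4(k, s.encode())) for s, k in zip(strings, keys)]


def decrypt_table(table: List[Tuple[bytes, bytes]]) -> List[str]:
    """What a deobfuscator does: apply each entry's own key and recover the plaintext."""
    return [rc4(k, ct).decode("utf-8", errors="replace") for k, ct in table]


# Constructed sample data standing in for strings pulled from a sample.
SAMPLE_STRINGS = ["kernel32.dll", "VirtualAlloc", "C:\\Windows\\System32"]
SAMPLE_KEYS = [b"k1-3f9a", b"k2-77bc", b"k3-0e41"]
SAMPLE_TABLE = build_table(SAMPLE_STRINGS, SAMPLE_KEYS)

if __name__ == "__main__":
    for plain in decrypt_table(SAMPLE_TABLE):
        print(plain)
```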

Details on Pikabot deobfuscation

Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

Zloader Learns Old Tricks

Zscaler ThreatLabz published a blog on the recent reintroduction of an anti-analysis feature in the Zloader trojan, which is based on the leaked ZeuS source code. Zloader, also known as Terdot, DELoader, or Silent Night, has been evolving since its reappearance in September 2023 after a two-year hiatus, as documented in a previous blog.


The latest version, 2.4.1.0, includes a feature that restricts the trojan's execution to the original infected machine, preventing it from running on other systems. This anti-analysis feature is similar to, but implemented differently from, one present in the original ZeuS 2.X code. Our blog highlights the ongoing development and modifications of Zloader as it continues to evolve.


Figure 7: Zloader is a trojan known to borrow anti-analysis features from ZeuS

Zloader's anti-analysis feature includes a registry check and an MZ header check. If Zloader is executing on a system other than its original host, it will terminate. The registry check looks for a specific key and value generated from a hardcoded seed. The header check compares a DWORD in the MZ header with the file size. Previous versions of Zloader had a single registry key, but the latest version creates an additional value using the seed. The content is encrypted with RC4 and includes the binary path and Zloader modules. Ultimately, restricting execution of the trojan to the original infected machine serves as a method of evading detection and thwarting analysis.

Read more Zloader analysis

Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection

RSA presentation - May 9th

We will be holding a presentation titled A Look at Recent APT Attacks: How Attackers Use Social Media and Cloud Hosts as Launchpads at RSA on May 9th at 12:20PM. My colleague, Sudeep Singh, Zscaler Senior Manager of APT Security Research, will be sharing the stage with me. We will be discussing how attackers are increasingly incorporating SaaS, social media, and cloud hosting platforms into their attack chains.


These tactics are gaining popularity with nation-state backed threat groups who seek to hide their activity in legitimate network traffic. If you read the ThreatLabz 2024 Phishing Report you know how threat actors abuse social media and cloud platforms to create trusted referring domains for their campaigns. In this roundup I’ve discussed how Black Hat SEO tactics rely on exploiting popular web platforms. These tactics represent only a few of the ways APT groups are leveraging the cloud and social media to launch advanced attacks. Join me at RSA to hear the full story.

Attend my RSA presentation

Security Advisory:

A Deeper Look at CVE-2024-3400 Activity and Upstyle Backdoor Technical Analysis

Zscaler ThreatLabz published a blog discussing the zero-day command-injection vulnerability, CVE-2024-3400, found in Palo Alto Networks PAN-OS. Zscaler's global intelligence network observed activity related to the vulnerability, including exploitation attempts and the release of a Python-based backdoor. The backdoor utilizes a .pth file for auto-execution and employs a unique method of interaction with the operator. The article provides a technical analysis of the backdoor's attack flow and its different layers. It also emphasizes the importance of using a Zero Trust architecture and Defense-in-Depth approach to defend against such attacks.
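The .pth auto-execution mechanism mentioned above is a defender's audit target: Python runs any line of a site-packages .pth file that begins with "import " when the interpreter starts. The script below is an added example (not part of the ThreatLabz analysis) that flags such lines; the directory it scans and the sample .pth contents are constructed.

```python
# Added example, not from the ThreatLabz writeup: audit .pth files for lines
# that Python executes at startup (lines beginning with "import " or "import\t",
# per the CPython site module), the persistence mechanism described for the
# Upstyle backdoor. The scanned directory and sample files are constructed.
import os
import site
import tempfile
from typing import Dict, List


def suspicious_pth_lines(text: str) -> List[str]:
    """Return the lines of a .pth file that Python would execute rather than treat as paths."""
    flagged = []
    for line in text.splitlines():
        line = line.rstrip()  # site.py only strips trailing whitespace before the check
        if line.startswith(("import ", "import\t")):
            flagged.append(line)
    return flagged


def audit_directory(directory: str) -> Dict[str, List[str]]:
    """Map each .pth file directly under directory to its executable lines (hits only)."""
    findings: Dict[str, List[str]] = {}
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = suspicious_pth_lines(fh.read())
        if hits:
            findings[path] = hits
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed site-packages directory: one benign .pth and one with an executable line."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "benign.pth"), "w") as fh:
        fh.write("/opt/vendor/lib\n# just a comment\n")
    with open(os.path.join(tmp, "persist.pth"), "w") as fh:
        # Constructed stand-in for a malicious entry: code that would run on startup.
        fh.write("import os; print('constructed-example')\n")
    return {os.path.basename(k): v for k, v in audit_directory(tmp).items()}


if __name__ == "__main__":
    for d in site.getsitepackages():  # the interpreter's real site-packages directories
        print(d, audit_directory(d))
```

Running it against the real interpreter directories is a quick baseline; any .pth line that imports a module you did not install deserves a closer look.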


Details on CVE-2024-3400 exploitation

Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.


About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.


The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 7300+ customers, securing over 300 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI/ML technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
