ZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. ^[1]

ID: S0086

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	ZLib communicates over HTTP for C2.^[1]
Enterprise	T1560	.002	Archive Collected Data: Archive via Library	The ZLib backdoor compresses communications using the standard Zlib compression library.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	ZLib has the ability to execute shell commands.^[1]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	ZLib creates Registry keys to allow itself to run as various services.^[1]
Enterprise	T1083		File and Directory Discovery	ZLib has the ability to enumerate files and drives.^[1]
Enterprise	T1105		Ingress Tool Transfer	ZLib has the ability to download files.^[1]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.^[1]
Enterprise	T1113		Screen Capture	ZLib has the ability to obtain screenshots of the compromised system.^[1]
Enterprise	T1082		System Information Discovery	ZLib has the ability to enumerate system information.^[1]
Enterprise	T1007		System Service Discovery	ZLib has the ability to discover and manipulate Windows services.^[1]

Groups That Use This Software

ID	Name	References
G0031	Dust Storm	^[1]

References

Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.

ZLib

Enterprise Layer

Techniques Used

Groups That Use This Software

References