Threat behavior
Although HackTool:Win32/ZorSaw.A!dha is classified as a hacktool, it functions primarily as a defense-bypass component rather than as a direct data stealer like Trojan:Win32/ZorSaw!MTB. The !MTB variant persists through registry modifications and scheduled tasks, whereas the !dha hacktool makes little effort to persist and only occasionally sets a registry auto-run entry. To deliver payloads, !dha drops standalone binaries rather than using PowerShell or DLL sideloading as !MTB does. Command-and-control (C2) communication also differs: !dha transmits the credentials it harvests over unencrypted HTTP, while !MTB uses encrypted HTTPS or DNS tunneling for stealth.
Rather than installing utilities in the host's own directory, the hacktool is dropped into other directories, often under misleading file names such as svchost_loader.exe. !dha defeats device protections by running commands that stop the firewall. Credential harvesting takes two main forms:
- Dumping LSASS memory to expose authentication tokens
- Extracting saved passwords from the Chrome and Firefox browser databases
The most significant difference from the !MTB trojans is that !dha leaves few artifacts behind, whereas !MTB installs itself deep in the host system. !dha's lightweight footprint makes it harder to trace, even though its persistence and depth of installation are low.
HackTool:Win32/ZorSaw.A!dha drops files in:
It modifies the following system file for stealth and persistence purposes:
- C:\Windows\System32\drivers\etc\hosts (to specifically block security-related websites)
It modifies the following Windows Registry keys for establishing persistence:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, value DisableAntiSpyware = 1 (disables real-time protection)
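The hosts-file, Run-key and Defender-policy indicators listed above can be checked on a suspect host with the following PowerShell audit. This is an added example, not part of the original threat description; the list of security-related domains is a constructed placeholder, because the page does not name the sites the hosts entries block, and the script assumes it is run in an elevated session.

```powershell
# Added example (not from the ZorSaw advisory): audit a Windows host for the three
# indicator classes the page lists. Run from an elevated PowerShell session.
# $SecurityDomains is a constructed placeholder; replace it with the vendor and update
# domains your environment actually relies on.

$Findings = @()

# 1. hosts file: non-comment lines that mention a security-related domain
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$SecurityDomains = @('microsoft.com', 'windowsupdate.com', 'virustotal.com')   # constructed sample list
if (Test-Path $HostsPath) {
    Get-Content -Path $HostsPath | ForEach-Object {
        $line = $_.Trim()
        if ($line -and -not $line.StartsWith('#')) {
            foreach ($d in $SecurityDomains) {
                if ($line -match [regex]::Escape($d)) {
                    $Findings += [pscustomobject]@{ Indicator = 'hosts entry'; Detail = $line }
                }
            }
        }
    }
}

# 2. Run keys: list every autorun value so unfamiliar binaries (for example a
#    misleading name such as svchost_loader.exe, which the page mentions) stand out
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($p.Name -notmatch '^PS') {
                $Findings += [pscustomobject]@{ Indicator = "Run value in $key"; Detail = "$($p.Name) = $($p.Value)" }
            }
        }
    }
}

# 3. Defender policy: DisableAntiSpyware = 1 under the policy key means real-time
#    protection has been switched off by policy
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$val = (Get-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
if ($val -eq 1) {
    $Findings += [pscustomobject]@{ Indicator = 'Defender policy'; Detail = 'DisableAntiSpyware = 1' }
}

if ($Findings.Count -eq 0) { 'No ZorSaw-style indicators found.' } else { $Findings | Format-Table -AutoSize }
```

The Run-key section deliberately lists every autorun value rather than matching on a file name, since the page notes that the hacktool only rarely sets auto-run and uses misleading names; an analyst reviewing the output is better placed to spot an unexpected entry than a fixed pattern is.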
Prevention
Enterprise Remediation:
- Use Group Policy to limit local administrator privileges and reduce the opportunity to install tools.
- Ensure executable attachment types (.exe, .bat, .ps1, .js) are blocked at email gateways.
- Enable Microsoft Defender Attack Surface Reduction (ASR) rules, such as blocking credential theft from LSASS and blocking process creations originating from PsExec and WMI commands.
- Review %ProgramData% and %Temp% weekly to identify unauthorized binaries.
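Two of the enterprise steps above, enabling the named ASR rules and the weekly review of %ProgramData% and %Temp%, can be scripted as follows. This is an added example rather than Microsoft's own guidance; it assumes Microsoft Defender Antivirus is the active engine and an elevated session. The rule GUIDs are Microsoft's published identifiers for those two ASR rules and should be confirmed against the current ASR rule reference before deployment.

```powershell
# Added example (not from the advisory): enable the two ASR rules named in the
# remediation list, verify the result, and review %ProgramData% / %Temp% for
# executables that are not validly signed. Run elevated with Defender Antivirus active.

$Rules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}

# Stage in audit mode first where PsExec/WMI are used for legitimate administration,
# then switch to 'Enabled' once the audit events show nothing legitimate would break.
$Mode = 'AuditMode'   # or 'Enabled'

foreach ($id in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    "Set '$($Rules[$id])' ($id) to $Mode"
}

# Verify: Ids and Actions are parallel arrays; action 1 = Block, 2 = Audit, 0 = Disabled
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "$($pref.AttackSurfaceReductionRules_Ids[$i]) -> action $($pref.AttackSurfaceReductionRules_Actions[$i])"
}

# Weekly review: executables under %ProgramData% and %Temp% whose Authenticode
# signature is missing or invalid are candidates for closer inspection
foreach ($dir in @($env:ProgramData, $env:TEMP)) {
    Get-ChildItem -Path $dir -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
        Select-Object FullName, LastWriteTime
}
```

An unsigned binary in these directories is not proof of compromise (many legitimate installers stage unsigned helpers there), so the listing is a triage queue for the weekly review rather than an alert on its own.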
User Hardening:
- Require multi-factor authentication (MFA) on all accounts so that stolen credentials alone cannot be used.
- Include offers of "cracked" software among the phishing lures that users are trained to recognize.
- Deploy Microsoft Edge with SmartScreen enabled to block known exploit-kit domains.
HackTool:Win32/ZorSaw.A!dha is often detected before a follow-on trojan infection that would be classified as !MTB. If it is identified, the device should be ISOLATED IMMEDIATELY to prevent escalation.
For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.