Zlib is a piece of malware, a harmful program designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Zlib has been associated with various types of malware infections, notably the Snake infection. In the Snake case, whenever an Item Type of 0x01 appears within the 0x3 Container, the file is always identified as the Zlib library.
The malware has been linked to several vulnerabilities over time. For instance, the CVE-2018-25032 vulnerability was addressed in an update that fixed memory corruption in deflate (bsc#1197459). Similarly, another issue related to libxml2 (bsc#1203652) was resolved in a subsequent update. The procps update also improved memory handling and ensured that the correct library version was installed (bsc#1206412). Despite these fixes, Zlib continues to pose a threat due to its association with other malware.
Zlib has been utilized by various malicious software for different purposes. For example, SweetSpecter uses zlib to send compressed TCP packets to the command and control server, emulating Gh0st RAT's known communication scheme. Both LunarWeb and LunarMail use a statically linked zlib library for compressing collected data. The SimpleRemoter and Dinodas RAT share similarities, including the usage of the same zlib library version 1.2.11, indicating overlaps in their code. Lastly, NSPX30 plugins use zlib to compress collected information, demonstrating the widespread use of this malware in cyber threats.
Description last updated: 2024-08-19T09:15:35.182Z