Introduction

Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a Zeus-based modular trojan that emerged in 2015. Zloader was originally designed to facilitate banking fraud, but has since been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware. Following an almost two-year hiatus, Zloader reemerged in September 2023 with significant enhancements to its obfuscation techniques, domain generation algorithm (DGA), anti-analysis techniques and network communication, along with a stealthier approach to infections.

In this blog post, Zscaler ThreatLabz examines two new versions of Zloader (2.11.6.0 and 2.13.7.0) that feature improvements to their network communications, anti-analysis techniques, and evasion capabilities. Moreover, Zloader continues to be deployed only at a small number of entities rather than being spread indiscriminately. As a result of this targeted approach, Zloader samples are not frequently observed in the wild.

Key Takeaways

- Zloader is a modular trojan based on the leaked Zeus source code dating back to 2015.
- Zloader 2.13.7.0 includes improvements and updates to the custom DNS tunnel protocol for command-and-control (C2) communications, along with added support for WebSockets.
- Zloader continues to evolve its anti-analysis strategies, leveraging innovative methods to evade detection.
- Zloader attacks are more precise and targeted, with its interactive shell now including new commands that may assist in ransomware operations.

Technical Analysis

In this section, we will explore the various changes that were introduced in the latest versions of Zloader, including new evasion techniques, additional functionality for lateral movement, and modifications to network communication.

Anti-analysis

One notable change to Zloader's functionality involves the filename that the malware expects. Previously, Zloader samples were expected to be run with a specific hardcoded filename. If the actual filename did not match the expected value, that Zloader sample would not run. This design is likely intended to evade automated malware sandbox environments, which typically execute samples under an arbitrary name. However, in the most recent versions, the Zloader author introduced two new generic filenames to give the threat actors that deploy (or update) Zloader more flexibility. These two generic filenames are Updater.exe and Updater.dll.

Another significant change that was made to hinder analysis is the addition of more obfuscation layers. This lev
[…]