Researchers Uncovered Zloader DNS Tunneling Tactics For C2 Communication


An updated version of Zloader (2.9.4.0) has been discovered, which includes a Domain Name System (DNS) tunnel for command-and-control (C2) connections, an interactive shell for hands-on keyboard action, and additional features that improve the malware’s anti-analysis capabilities. 

Zloader’s anti-analysis methods, like environment checks and API import resolution algorithms, are constantly being improved to avoid static signatures and malware sandboxes.

Zloader (also known as Terdot, DELoader, or Silent Night) is a modular Trojan built on the leaked Zeus source code that surfaced in 2015.

The malware was initially created to enable wire transfers and Automated Clearing House (ACH) fraud in the banking industry.


Nevertheless, Zloader has since been repurposed for initial access, offering a point of entry into corporate environments for the deployment of ransomware, much like Qakbot and Trickbot.

Zloader was delivered using a multi-stage infection chain, beginning with Remote Monitoring and Management (RMM) solutions like Microsoft Quick Assist, TeamViewer, and AnyDesk.

In addition, researchers have discovered another malicious payload in the attack chain called GhostSocks. 

Infection Vector (Source: ThreatLabz)

Zloader DNS Tunneling Tactics

ThreatLabz reports that the addition of DNS tunneling is the most important change to Zloader’s C2 communication.

Zloader uses the Windows SSPI API to construct a custom protocol on top of DNS that tunnels encrypted TLS network traffic using IPv4. 

Zloader uses neither the Windows API nor a third-party library to create and parse DNS packets. Zloader DNS requests use the following format: 

The 14 bytes that make up the header are encoded as 28 lowercase hexadecimal characters.

14-byte Header structure

The last two fields have different meanings depending on the message type and are unused for some message types.

Zloader 2.9.4.0 DNS tunnel message types

The Zloader DNS server responds with A records that provide IPv4 addresses for various purposes.

For message type 0x7 packets that may include massive data transfers, the Zloader DNS server answers with IPv6 AAAA records.
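The observation above (a 14-byte header hex-encoded into 28 lowercase characters, A records for control traffic and AAAA records for bulk transfers) gives defenders something concrete to hunt for in DNS query logs. The following is an added detection example written for this article, not code from ThreatLabz or from the malware. It assumes, beyond what the article states, that the hex-encoded header forms the leading DNS label of the query name; the log lines are constructed for illustration, and the registered-domain helper is a crude two-label approximation that a real deployment should replace with a public-suffix list.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log: "timestamp client qname qtype".
# The hex subdomains and the domain example-c2.test are made-up values,
# not real Zloader infrastructure.
SAMPLE_LOG = """\
2024-12-10T10:00:01Z 10.0.0.5 0a1b2c3d4e5f60718293a4b5c6d7.example-c2.test A
2024-12-10T10:00:02Z 10.0.0.5 1a1b2c3d4e5f60718293a4b5c6d8.example-c2.test A
2024-12-10T10:00:03Z 10.0.0.5 2a1b2c3d4e5f60718293a4b5c6d9.example-c2.test AAAA
2024-12-10T10:00:04Z 10.0.0.7 www.microsoft.com A
2024-12-10T10:00:05Z 10.0.0.5 3a1b2c3d4e5f60718293a4b5c6da.example-c2.test AAAA
2024-12-10T10:00:06Z 10.0.0.9 mail.example.org MX
2024-12-10T10:00:07Z 10.0.0.9 cdn-1234.images.example.org A
"""

# Heuristic: the 14-byte header becomes 28 lowercase hex characters. We assume
# (an assumption, not stated in the article) that it is the leading DNS label,
# possibly followed by further hex-encoded payload, hence "28 or more".
HEX_LABEL = re.compile(r"^[0-9a-f]{28,}$")


def registered_domain(qname: str) -> str:
    """Crude approximation: the last two labels. Use a public-suffix list in production."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_line(line: str):
    """Split one constructed log line into its four whitespace-separated fields."""
    ts, client, qname, qtype = line.split()
    return ts, client, qname, qtype


def analyze_dns_log(text: str, min_unique: int = 3) -> dict:
    """Group queries whose leading label is a long lowercase hex string by
    registered domain. Domains with at least `min_unique` distinct such labels
    are reported, together with the querying clients and the number of AAAA
    lookups (the record type the article ties to large transfers)."""
    stats = defaultdict(lambda: {"labels": set(), "clients": set(), "aaaa": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = parse_line(line)
        first_label = qname.split(".")[0]
        if not HEX_LABEL.match(first_label):
            continue
        entry = stats[registered_domain(qname)]
        entry["labels"].add(first_label)
        entry["clients"].add(client)
        if qtype == "AAAA":
            entry["aaaa"] += 1
    return {
        dom: {
            "unique_hex_labels": len(s["labels"]),
            "clients": sorted(s["clients"]),
            "aaaa_queries": s["aaaa"],
        }
        for dom, s in stats.items()
        if len(s["labels"]) >= min_unique
    }


if __name__ == "__main__":
    for dom, info in analyze_dns_log(SAMPLE_LOG).items():
        print(dom, info)
```

The threshold on distinct hex labels matters: a single long hex label is common in legitimate traffic (CDN cache keys, DKIM selectors), but many unique 28-plus-character hex labels under one domain from one client, mixed with AAAA lookups, is the shape a DNS tunnel leaves behind.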

Other Notable Features Introduced In Zloader 2.9.4.0

Zloader 2.9.4.0 no longer uses a hardcoded plain-text RC4 key to encrypt the Zloader static configuration. Instead, the RC4 key is generated by XORing two 16-byte character arrays.

Anti-analysis techniques, such as API import resolution algorithms and environment checks, are continuously being enhanced.

An interactive shell, a new feature in Zloader 2.9.4.0, gives the threat actor the ability to run arbitrary binaries and shellcode, exfiltrate data, end processes, and more.

Zloader’s main C2 communication method is still HTTPS with POST requests. However, the HTTP headers for Zloader have changed.

For example, the User-Agent field is now set to PresidentPutin. Furthermore, Zloader appends a Rand HTTP header whose value is a pseudo-random string of alphabetic letters between 32 and 255 characters long.

Because the request is transmitted over TLS, only its size is visible on the wire; the Rand field varies that size to evade possible size-based network detections.

Instead of using the WinINet API, Zloader employs the Security Support Provider Interface (SSPI) for TLS.

Taken together, the threat group is adding new features and capabilities to operate more effectively as a ransomware initial access broker.

With the most recent Zloader upgrades, companies must ensure that they are analyzing both web-based and DNS-based network traffic.
