ZLoader is a banking Trojan malware that steals sensitive financial information from infected systems. Threat actors exploit this malware to conduct a multitude of illicit activities.
This malware is often distributed through phishing emails or malicious websites, allowing the threat actors to secretly compromise users’ banking information.
Cybersecurity researchers at ANY.RUN recently discovered that ZLoader is now attacking the 64-bit version of Windows systems.
ANY.RUN is a developer of a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams, as well as Threat Intelligence Feeds and Threat Intelligence Lookup. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.
Technical Analysis
ZLoader returns with upgraded powers, as the new ZLoader malware campaign was spotted and found to be reviving after control network takedown in April 2022.
Microsoft’s Digital Crimes Unit seized the 65 domains to hit the ZLoader hard. But Zscaler ThreatLabz warns of a new version since September 2023, packing major loader module upgrades.
Apart from this, versions 2.1.6.0 and 2.1.7.0 use junk code and string obfuscation to evade the analysis, which shows the need for specific filenames to sneak past automated detection.
Using the RC4 encryption and a fixed key, all these versions cloak the campaign and command-and-control server data.
A revamped domain generation algorithm offers backup communication if main servers fall. ZLoader persists post-setbacks, hinting at threatening ransomware attacks, providing the group’s strength post-takedown.
ZLoader (aka Terdot, DELoader, Silent Night) grew from Zeus in 2015. This malware started as a banking trojan and now spreads ransomware.
It originated from a 2011 leaked code and gained momentum with COVID-19 attacks until server takedown in 2020.
ZLoader delivers extra malware to infected systems. The loaders are essential to attacks, as they dominated with 24,136 detections in 2023.
To prevent the latest ZLoader version, firms must refresh security with IOCs like file hashes, C2 IPs, and URLs. ANY.RUN eases IOC extraction for pros that strengthen the endpoints, SIEM, and SOAR against ZLoader.
This ANY.RUN sandbox task as an example to illustrate how to pull IOCs from the new ZLoader variant.
Besides this, the ANY.RUN allows the extraction of compromise indicators from malware, like C2 addresses, even when not connected to the control server.
Moreover, directly from the task, it also provides direct access to Suricata rules that could be utilized according to the need.
Recommendations
To secure against the new ZLoader variant, companies should update their security systems with Indicators of Compromise, such as file hashes, C2 IP addresses, and URLs.
Here below, we have mentioned all the recommendations:
- Use Robust Antivirus Software
- Make sure to update the software
- Exercise caution with emails
- Enable Two-Factor Authentication (2FA)
- Educate users
- Take regular backups
- Implement network segmentation
- Regularly monitor account activity
- Develop and regularly update an incident response plan
ANY.RUN interactive malware sandbox streamlines the IOC extraction process for security professionals. They can then use gathered indicators in endpoint security, SIEM, and SOAR systems to safeguard their infrastructure against ZLoader.