Brother
RSA encryption and an updated domain generation algorithm carefully mask the malware's activity.
Cybersecurity experts have discovered a new campaign to distribute the ZLoader malware. It is noteworthy that this happened almost two years after the botnet's infrastructure was dismantled in April 2022.
According to Zscaler, development of the new version of ZLoader has been underway since September 2023. "The new version of ZLoader has significant changes to the loader module: RSA encryption has been added, the domain generation algorithm has been updated, and for the first time it has been compiled for 64-bit Windows operating systems," researchers Santiago Vicente and Ismael Garcia Perez reported.
ZLoader, also known as Terdot, DELoader, or Silent Night, is a derivative of the Zeus banking Trojan that first appeared in 2015. The malware acts as a loader for other malware, including ransomware.
ZLoader is typically distributed through phishing emails and malicious search-engine ads. In 2022, Microsoft's Digital Crimes Unit, together with other companies, seized control of 65 domains used to control and communicate with infected hosts, which dealt a serious blow to the ZLoader infrastructure.
Despite this, the malware development continued. The latest versions of ZLoader, tracked as 2.1.6.0 and 2.1.7.0, include a number of anti-analysis techniques. In particular, garbage code and string obfuscation are used to make it difficult for malware detection systems to work.
In addition, each instance of ZLoader must have a specific filename to execute on the infected host. In other words, if you rename a malicious file, it will not show any malicious activity. "This can bypass malware analysis sandboxes that rename the files of the studied samples," the researchers noted.
To hide critical information such as the campaign name, command-and-control (C2) servers and other data, RC4 encryption is used with a hard-coded alphanumeric key.
In addition, if the primary C2 servers are unavailable, an updated version of the domain generation algorithm is used as a fallback for communicating with the botnet. This mechanism was first observed in ZLoader version 1.1.22.0, which was distributed in phishing campaigns in March 2020.
According to the researchers, the return of ZLoader to the "cyber arena" is a serious danger: "Zloader has been a significant threat for many years, and its comeback is likely to lead to a new wave of ransomware attacks."
Thus, a new campaign with ZLoader poses a serious threat and requires close attention from companies and users. It is necessary to take measures to detect this and other current cyber threats in a timely manner in order to minimize the risks and damage caused by possible attacks.
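For those who want to see what the RC4-with-a-hard-coded-key scheme described above looks like from the analyst's side, here is an added example (my own code, not part of the article, Zscaler's research or the ZLoader sample): a minimal RC4 config decryptor of the kind you write once a sample's key has been pulled out of the binary. The key, the plaintext config and the encrypted blob are all constructed for this demonstration and are hypothetical, not ZLoader's real key or real configuration.

```python
"""
Added example, not from the original post: RC4 config decryptor.

Everything below (DEMO_KEY, DEMO_CONFIG, the key=value layout) is a
constructed, hypothetical stand-in for a loader's encrypted config block.
Only the RC4 algorithm itself is real.
"""


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute S[0..255] under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): keystream XOR data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed demo key and config (hypothetical; not from any real sample).
DEMO_KEY = b"q8ZfR2mXv1Kd7LpT"
DEMO_CONFIG = (
    b"botnet=demo_campaign\n"
    b"c2=https://c2.example.invalid/gate.php\n"
    b"c2=https://backup.example.invalid/gate.php\n"
    b"dga_seed=0x1234\n"
)


def encrypt_config(plain: bytes, key: bytes) -> bytes:
    """Build an encrypted blob the way a packer/builder would embed it."""
    return rc4_crypt(key, plain)


def decrypt_config(blob: bytes, key: bytes) -> dict[str, list[str]]:
    """Decrypt an embedded blob and parse key=value lines into a dict.

    A wrong key turns RC4 output into high-entropy bytes, so the ASCII
    check below is the cheap sanity test an analyst applies before trusting
    a candidate key recovered from the binary.
    """
    plain = rc4_crypt(key, blob)
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("wrong key: decrypted output is not printable")
    cfg: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Repeated names (several C2s) are collected into a list.
        cfg.setdefault(name, []).append(value)
    return cfg


if __name__ == "__main__":
    blob = encrypt_config(DEMO_CONFIG, DEMO_KEY)
    print("encrypted blob:", blob.hex())
    for name, values in decrypt_config(blob, DEMO_KEY).items():
        print(f"{name}: {values}")
```

Run it as-is to see the constructed blob decrypt back into the C2 list; swap `DEMO_KEY` for a recovered key and `blob` for bytes carved from a real sample and the same `decrypt_config` call applies. The `rc4_crypt` routine is checked against the standard published RC4 test vector (key "Key", plaintext "Plaintext"), so if it disagrees with a sample's output the problem is the key or the blob offset, not the cipher.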