ZLoader 2.4.1.0: even more features inspired by other popular malware programs

Father

How did the authors of the "resurrected" downloader surprise researchers this time?

The developers of the ZLoader malware, which recently resumed its activity after a two-year hiatus, have implemented a number of new features inspired by the Zeus banking Trojan.

Santiago Vicente, a researcher at Zscaler, noted in his technical report that the latest version of ZLoader, 2.4.1.0, includes a feature that prevents the program from running on computers other than the one originally infected. A similar feature was implemented in the leaked Zeus 2.X source code, from which the ZLoader author apparently drew inspiration.

ZLoader, also known as Terdot, DELoader, or Silent Night, first "rose from the dead" in September 2023 after being taken down in early 2022. This modular Trojan loader is able to download and execute an extensive list of malicious software. In the latest versions of ZLoader, the developer added support for the RSA algorithm and updated the domain generation algorithm (DGA).

The feature examined in the latest analysis restricts execution of the malicious code to the originally infected computer. If the program is copied to and executed on any other computer after the initial infection, it immediately stops working. This is achieved by checking the Windows registry for a specific key and its value.

Vicente emphasized that if the key/value pair is created manually in the registry, or the check itself is patched out, ZLoader will successfully inject itself into the new process but then stop working again after only a few instructions are executed. This is due to a secondary check in the header of the MZ file.

As noted by another Zscaler researcher, Kaivalya Khursale, the attackers use search engine optimization techniques and phishing sites hosted on popular platforms such as Weebly to distribute ZLoader. These sites are disguised as legitimate ones and appear in the top search results, which increases the likelihood of a potential victim landing on a malicious site.

Thus, the constant efforts of cybercriminals to improve their malicious creations demonstrate their desire to protect their assets and shield the malicious code from analysis by cybersecurity specialists. Such improvements only emphasize the importance of continuous threat monitoring and the development of adequate countermeasures in the cybersecurity industry.