Cybersecurity researchers have discovered a new version of the ZLoader malware that employs a Domain Name System (DNS) tunnel for command-and-control (C2) communications, indicating that the threat actors are continuing to refine the tool after it resurfaced a year ago.
“Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks,” Zscaler ThreatLabz said in a Tuesday report. “These modifications provide additional layers of resilience against detection and mitigation.”
ZLoader, also known as Terdot, DELoader, or Silent Night, is a malware loader equipped with the ability to deploy next-stage payloads. Malware campaigns distributing it were observed for the first time in almost two years in September 2023, after its infrastructure had been taken down.
In addition to incorporating various techniques to resist analysis efforts, the malware has been found to use a domain generation algorithm (DGA) and to take steps to avoid running on hosts that differ from the original infection, a technique also observed in the Zeus banking trojan it is based on.
In recent months, the distribution of ZLoader has been increasingly associated with Black Basta ransomware attacks, with threat actors deploying the malware through remote desktop connections established under the guise of resolving a tech support issue.
The cybersecurity firm said it discovered an additional component in the attack chain that first involves the deployment of a payload called GhostSocks, which is then used to drop ZLoader.
“Zloader’s anti-analysis techniques such as environment checks and API import resolution algorithms continue to be updated to evade malware sandboxes and static signatures,” Zscaler said.
A new feature introduced in the latest version of the malware is an interactive shell that allows the operator to execute arbitrary binaries, DLLs, and shellcode, exfiltrate data, and terminate processes.
While Zloader continues to use HTTPS with POST requests as the primary C2 communication channel, it also comes with a DNS tunneling feature that carries encrypted TLS network traffic inside DNS packets.
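The DNS tunnel is also the detection opportunity: a tunnel has to push its payload through query names, so the leftmost labels are long, high-entropy and arrive in volume to a single registered domain, usually in data-carrying record types. The following is an added example, not Zscaler's code and not a model of Zloader's own protocol (which the report excerpt does not detail), that scores constructed DNS query log lines with those heuristics; the log format and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): "<client> <qtype> <qname>".
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 4a7f9c2e1b0d8e3f5a6c7b9d2e4f6a8b.tun.example.net
10.0.0.7 TXT 9c1e3b7a2f4d6e8a0b5c7d9f1e3a5c7b.tun.example.net
10.0.0.7 TXT b2d4f6a8c0e2a4c6e8b0d2f4a6c8e0b2.tun.example.net
10.0.0.7 TXT e3f5a7c9b1d3f5a7c9e1b3d5f7a9c1e3.tun.example.net
10.0.0.7 TXT f8a0c2e4b6d8f0a2c4e6b8d0f2a4c6e8.tun.example.net
10.0.0.9 A mail.example.org
"""

def shannon_entropy(s):
    """Bits per character of a label; encoded payloads score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Crude eTLD+1 approximation (last two labels); use a PSL library in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text, min_queries=5, min_entropy=3.0, min_label_len=24):
    """Flag (client, domain) pairs with many long, high-entropy, data-carrying queries."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname = line.split()
        per_pair[(client, registered_domain(qname))].append((qtype, qname))
    hits = []
    for (client, domain), queries in per_pair.items():
        if len(queries) < min_queries:
            continue
        labels = [q.split(".")[0] for _, q in queries]  # leftmost label carries the data
        avg_len = sum(len(lb) for lb in labels) / len(labels)
        avg_ent = sum(shannon_entropy(lb) for lb in labels) / len(labels)
        data_share = sum(1 for t, _ in queries if t in ("TXT", "NULL", "CNAME")) / len(queries)
        if avg_len >= min_label_len and avg_ent >= min_entropy and data_share >= 0.5:
            hits.append({"client": client, "domain": domain, "queries": len(queries),
                         "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return hits
```

Tune the thresholds against your own resolver logs first: CDNs and some telemetry services also emit long labels, so a baseline of known-good domains keeps the false-positive rate down.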
“Zloader’s distribution methods and a new DNS tunneling communication channel suggest the group is focusing increasingly on evading detection,” the company said. “The threat group continues to add new features and functionality to more effectively serve as an initial access broker for ransomware.”