The authors behind the resurfaced ZLoader malware have added a characteristic that was initially current within the Zeus banking trojan that it is based mostly on, indicating that it is being actively developed.
“The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection,” Zscaler ThreatLabz researcher Santiago Vicente mentioned in a technical report. “A similar anti-analysis feature was present in the leaked ZeuS 2.X source code, but implemented differently.”
ZLoader, additionally known as Terdot, DELoader, or Silent Evening, emerged after a virtually two-year hiatus round September 2023 following its takedown in early 2022.
A modular trojan with capabilities to load next-stage payloads, latest variations of the malware have added RSA encryption in addition to updates to its area era algorithm (DGA).
The most recent signal of ZLoader’s evolution comes within the type of an anti-analysis characteristic that restricts the binary’s execution to the contaminated machine.
The characteristic, current in artifacts with variations better than 2.4.1.0, causes the malware to abruptly terminate if they’re copied and executed on one other system post-initial an infection. That is achieved via a Home windows Registry examine for a selected key and worth.
“The Registry key and value are generated based on a hardcoded seed that is different for each sample,” Vicente mentioned.
“If the Registry key/value pair is manually created (or this check is patched), ZLoader will successfully inject itself into a new process. However, it will terminate again after executing only a few instructions. This is due to a secondary check in ZLoader’s MZ header.”
Which means that ZLoader’s execution will likely be stalled in a unique machine until the seed and MZ header values are set appropriately and all of the Registry and disk paths/names from the initially compromised system are replicated.
Zscaler mentioned the approach utilized by Zloader to retailer the set up data and keep away from being run on a unique host shares similarities with ZeuS model 2.0.8, albeit applied in a unique method, which relied on a knowledge construction known as PeSettings to retailer the configuration as a substitute of the Registry.
“In recent versions, ZLoader has adopted a stealthy approach to system infections,” Vicente mentioned. “This new anti-analysis technique makes ZLoader even more challenging to detect and analyze.”
The event comes as risk actors are using fraudulent web sites hosted on in style professional platforms like Weebly to unfold stealer malware and steal knowledge through black hat SEO (search engine optimization) methods.
“This catapults their fraudulent site to the top of a user’s search results, increasing the likelihood of inadvertently selecting a malicious site and potentially infecting their system with malware,” Zscaler researcher Kaivalya Khursale mentioned.
A notable side of those campaigns is that the an infection solely proceeds to the payload supply stage if the go to originates from engines like google like Google, Bing, DuckDuckGo, Yahoo, or AOL, and if bogus websites aren’t accessed instantly.
Over the previous two months, email-based phishing campaigns have additionally been noticed focusing on organizations within the U.S., Turkey, Mauritius, Israel, Russia, and Croatia with Taskun malware, which acts as a facilitator for Agent Tesla, per findings from Veriti.
