Cybersecurity researchers have come across a new iteration of the ZLoader malware, which now utilizes a Domain Name System (DNS) tunnel for its command-and-control (C2) communications. This discovery suggests that threat actors are continuously enhancing the capabilities of this malicious tool, following its reappearance on the scene a year ago.
According to a report released by Zscaler ThreatLabz on Tuesday, the latest version of ZLoader, labeled as Zloader 2.9.4.0, boasts significant improvements, including a customized DNS tunnel protocol for C2 communications and an interactive shell that supports over a dozen commands. These enhancements could prove valuable for ransomware attacks, as they introduce additional layers of resilience against detection and mitigation efforts.
ZLoader, also known as Terdot, DELoader, or Silent Night, is a malware loader renowned for its ability to distribute subsequent payloads. After remaining dormant for almost two years, malware campaigns delivering this malicious software resurfaced in September 2023 following the takedown of its infrastructure.
Aside from incorporating various evasion techniques to thwart analysis, ZLoader leverages a domain generation algorithm (DGA) and implements measures to avoid execution on any host other than the one it originally infected, a tactic reminiscent of the Zeus banking trojan upon which it is based.
In recent times, the propagation of ZLoader has become increasingly linked to Black Basta ransomware attacks, wherein threat actors deploy the malware through remote desktop connections established under the guise of resolving technical support issues. During these attacks, Zscaler identified an additional component in the attack chain that involves the deployment of a payload named GhostSocks, which serves as the entry point for dropping the ZLoader malware.
The continuous evolution of ZLoader’s anti-analysis techniques, including environment checks and API import resolution algorithms, reflects the malware developers’ ongoing efforts to evade detection by bypassing malware sandboxes and static signatures.
Moreover, the latest version of ZLoader introduces an interactive shell that lets operators execute arbitrary binaries, DLLs, and shellcode, exfiltrate data, and terminate processes. While ZLoader still relies on HTTPS POST requests as its primary C2 channel, it now also supports DNS tunneling, carrying its encrypted TLS traffic inside DNS packets.
The addition of a DNS tunneling channel in ZLoader’s latest iteration marks a shift towards more sophisticated evasion tactics aimed at avoiding detection. This evolution suggests that the group behind ZLoader is steadily adding features to make the malware more effective as an initial access vector for ransomware attacks.
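One defender-side way to surface this kind of channel is to score a resolver's query log for tunneling indicators: many unique, long, high-entropy subdomains under a single registered domain. The following is an added example, not code from Zscaler or from the article, using a constructed log and illustrative thresholds; it is a generic DNS-tunneling heuristic and does not model ZLoader's actual protocol, which the article does not describe.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: (client_ip, queried_name). The tunnel-looking
# names are synthetic and do not reflect any real ZLoader traffic.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.7", "a9f3k2x8q1zm4c7v.b7n2p5r8t1w4y6e9.tunnel-test.invalid"),
    ("10.0.0.7", "z1x2c3v4b5n6m7q8.w9e8r7t6y5u4i3o2.tunnel-test.invalid"),
    ("10.0.0.7", "k8j7h6g5f4d3s2a1.p0o9i8u7y6t5r4e3.tunnel-test.invalid"),
    ("10.0.0.7", "q2w3e4r5t6y7u8i9.l1k2j3h4g5f6d7s8.tunnel-test.invalid"),
    ("10.0.0.7", "m3n4b5v6c7x8z9a0.s1d2f3g4h5j6k7l8.tunnel-test.invalid"),
]

def shannon_entropy(s):
    """Bits per character; encoded tunnel payloads score far above normal hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name):
    """Return (subdomain part, registered domain). Naive last-two-labels split;
    a real deployment should use a public-suffix list instead."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_domains(log, min_queries=3, max_avg_len=20, entropy_floor=3.5, uniq_ratio=0.9):
    """Aggregate per (client, registered domain) and flag tunneling-like behaviour.
    Thresholds are illustrative assumptions, not tuned values."""
    by_key = defaultdict(list)
    for client, name in log:
        sub, dom = split_name(name)
        by_key[(client, dom)].append(sub)
    findings = {}
    for key, subs in by_key.items():
        if len(subs) < min_queries:
            continue
        uniq = len(set(subs)) / len(subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        reasons = []
        if uniq >= uniq_ratio:
            reasons.append("high unique-subdomain ratio")
        if avg_len > max_avg_len:
            reasons.append("long subdomains")
        if avg_ent >= entropy_floor:
            reasons.append("high entropy")
        if len(reasons) >= 2:  # require two independent signals to cut false positives
            findings[key] = reasons
    return findings
```

Legitimate zones such as CDNs also produce many unique subdomains, so the single-signal case is deliberately not flagged; in practice the per-domain counts would be measured over a time window rather than a static list.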
In conclusion, the ongoing development and adaptation of ZLoader underscore the persistent threat posed by sophisticated malware variants and highlight the need for robust cybersecurity measures to combat evolving cyber threats effectively.