ZLoader Malware Returns With DNS Tunneling to Stealthily Masks C2 Comms

Cybersecurity researchers have discovered a new version of the ZLoader malware that employs a Domain Name System (DNS) tunnel for command-and-control (C2) communications, indicating that the threat actors are continuing to refine the tool after resurfacing a year ago.

“Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks,” Zscaler ThreatLabz said in a Tuesday report. “These changes provide additional layers of resilience against detection and mitigation.”

ZLoader, also called Terdot, DELoader, or Silent Night, is a malware loader that is equipped with the ability to deploy next-stage payloads. Malware campaigns distributing the malware were observed for the first time in nearly two years in September 2023, after its infrastructure had been taken down.

In addition to incorporating various techniques to resist analysis efforts, the malware has been found to use a domain generation algorithm (DGA) and to take steps to avoid being run on hosts that differ from the original infection, a technique also observed in the Zeus banking trojan it is based on.

DNS Tunneling

In recent months, the distribution of ZLoader has been increasingly associated with Black Basta ransomware attacks, with threat actors deploying the malware through remote desktop connections established under the guise of fixing a tech support issue.

The cybersecurity company said it discovered an additional component in the attack chain that first involves the deployment of a payload called GhostSocks, which is then used to drop ZLoader.

“Zloader’s anti-analysis techniques such as environment checks and API import resolution algorithms continue to be updated to evade malware sandboxes and static signatures,” Zscaler said.

A new feature introduced in the latest version of the malware is an interactive shell that allows the operator to execute arbitrary binaries, DLLs, and shellcode, exfiltrate data, and terminate processes.

While Zloader continues to use HTTPS with POST requests as the primary C2 communication channel, it also comes with a DNS tunneling feature to facilitate encrypted TLS network traffic using DNS packets.

“Zloader’s distribution techniques and a new DNS tunneling communication channel suggest the group is focusing increasingly on evading detection,” the company said. “The threat group continues to add new features and functionality to more effectively operate as an initial access broker for ransomware.”
