Cybersecurity researchers have discovered a new version of the ZLoader malware that uses a Domain Name System (DNS) tunnel for command-and-control (C2) communications, a sign that the threat actors are continuing to refine the tool after it resurfaced a year ago.
"Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks," Zscaler ThreatLabz said in a Tuesday report. "These changes provide additional layers of resilience against detection and mitigation."
ZLoader, also known as Terdot, DELoader, or Silent Night, is a malware loader built to deploy next-stage payloads. Campaigns distributing it were observed in September 2023 for the first time in almost two years, after its infrastructure had been taken down.
In addition to incorporating various techniques to resist analysis, the malware uses a domain generation algorithm (DGA) and takes steps to avoid running on hosts other than the one originally infected, a technique also seen in the Zeus banking trojan on which it is based.
In recent months, ZLoader distribution has been increasingly associated with Black Basta ransomware attacks, with threat actors deploying the malware over remote desktop connections established under the guise of resolving a tech support issue.
The cybersecurity firm said it discovered an additional component in the attack chain: a payload called GhostSocks is deployed first and is then used to drop ZLoader.
"Zloader's anti-analysis techniques such as environment checks and API import resolution algorithms continue to be updated to evade malware sandboxes and static signatures," Zscaler said.
A new feature introduced in the latest version of the malware is an interactive shell that lets the operator execute arbitrary binaries, DLLs, and shellcode, exfiltrate data, and terminate processes.
While Zloader continues to use HTTPS POST requests as its primary C2 channel, it now also carries a DNS tunneling feature that encapsulates its encrypted TLS C2 traffic inside DNS packets. In practice this means a host whose web egress is blocked or inspected can still reach its operators through the resolver, so defenders who only watch proxy and TLS logs will miss the channel unless DNS queries are monitored as well.
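The report does not publish the details of Zloader's DNS tunnel protocol, so the following is an added, generic example of the kind of DNS-log heuristic a detection engineer would deploy against any DNS tunnel, not Zscaler's code and not a decoder for Zloader's format. It scores each base domain on four indicators that tunnels tend to trip together: high-entropy subdomain labels, long subdomains, many distinct subdomains under one domain, and a preference for record types (TXT, NULL, CNAME) that carry more payload. The log lines, the log format, the thresholds, and the "last two labels" definition of a base domain are all assumptions made for illustration.

```python
"""DNS-tunnel heuristics over a constructed DNS query log.

Added example, not Zscaler's tooling and not Zloader's actual DNS protocol.
Log format assumed: "<epoch> <client> <qname> <qtype>" per line.
"""
import math
from collections import defaultdict

# Record types that give a tunnel more room for payload (assumption).
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}

# Thresholds are illustrative assumptions, not measured values.
MIN_ENTROPY = 3.0        # bits per character of subdomain text
MIN_AVG_LEN = 25         # characters of subdomain per query
MIN_DISTINCT = 4         # unique subdomains under one base domain
MIN_TUNNEL_SHARE = 0.5   # fraction of queries using TUNNEL_QTYPES
MIN_INDICATORS = 3       # how many of the four indicators must trip

# Constructed sample log (not real traffic): a normal domain, a CDN with
# many short hostnames, and a tunnel-like domain with encoded labels.
SAMPLE_LOG = """\
1715000001 10.0.0.5 www.example.com A
1715000002 10.0.0.5 mail.example.com MX
1715000003 10.0.0.8 api.example.com A
1715000004 10.0.0.5 www.example.com A
1715000005 10.0.0.7 cdn1.static-host.example A
1715000006 10.0.0.7 cdn2.static-host.example A
1715000007 10.0.0.7 cdn3.static-host.example A
1715000008 10.0.0.7 cdn4.static-host.example A
1715000009 10.0.0.7 cdn5.static-host.example A
1715000010 10.0.0.9 a7k2m9x4p1q8r3s6t0v5w2y7z3b8.e1f4g9h2.t.c2-tunnel.test TXT
1715000011 10.0.0.9 q4w8e1r5t9y2u6i0o3p7a5s1d8f2.g6h4j9k3.t.c2-tunnel.test TXT
1715000012 10.0.0.9 z1x5c9v2b6n3m7a4s8d1f5g9h2j6.k3l7q1w5.t.c2-tunnel.test TXT
1715000013 10.0.0.9 p9o3i7u1y5t8r2e6w4q0a1s5d9f3.g7h2j6k4.t.c2-tunnel.test TXT
1715000014 10.0.0.9 m2n6b1v5c9x3z7l4k8j2h6g1f5d9.s3a7q2w6.t.c2-tunnel.test TXT
1715000015 10.0.0.9 e4r8t2y6u1i5o9p3a7s2d6f1g5h9.j3k7l2z6.t.c2-tunnel.test TXT
"""


def shannon_entropy(s):
    """Shannon entropy in bits per character; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, base). Assumes the base domain is the last two
    labels; a production rule would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze_dns_log(log_text):
    """Aggregate per base domain and return indicator results and a verdict."""
    per_domain = defaultdict(
        lambda: {"subs": set(), "ent": [], "len": [], "tunnel": 0, "total": 0}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, qtype = line.split()
        sub, base = split_name(qname)
        text = sub.replace(".", "")          # score the label characters only
        d = per_domain[base]
        d["subs"].add(sub)
        d["ent"].append(shannon_entropy(text))
        d["len"].append(len(text))
        d["total"] += 1
        if qtype.upper() in TUNNEL_QTYPES:
            d["tunnel"] += 1

    report = {}
    for base, d in per_domain.items():
        avg_ent = sum(d["ent"]) / d["total"]
        avg_len = sum(d["len"]) / d["total"]
        distinct = len(d["subs"])
        share = d["tunnel"] / d["total"]
        indicators = {
            "high_entropy": avg_ent >= MIN_ENTROPY,
            "long_subdomains": avg_len >= MIN_AVG_LEN,
            "many_distinct": distinct >= MIN_DISTINCT,
            "tunnel_qtypes": share >= MIN_TUNNEL_SHARE,
        }
        report[base] = {
            "avg_entropy": round(avg_ent, 2),
            "avg_len": round(avg_len, 1),
            "distinct": distinct,
            "tunnel_share": round(share, 2),
            "indicators": indicators,
            "flagged": sum(indicators.values()) >= MIN_INDICATORS,
        }
    return report


if __name__ == "__main__":
    for base, r in sorted(analyze_dns_log(SAMPLE_LOG).items()):
        print(base, "FLAGGED" if r["flagged"] else "ok", r)
```

Requiring several indicators at once is the point: the CDN domain in the sample trips only the "many distinct subdomains" check and is left alone, while the tunnel-like domain trips all four. Over real resolver logs the same aggregation should be run per client as well as per domain, since a single beaconing host is the usual signal, and any domain that is flagged still needs a second look (DNS-based CDNs, anti-spam lookups and some telemetry services legitimately produce long, high-entropy labels).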
"Zloader's distribution methods and a new DNS tunneling communication channel suggest the group is focusing increasingly on evading detection," the company said. "The threat group continues to add new features and functionality to more effectively operate as an initial access broker for ransomware."