Cybersecurity Experts Uncover Revamped ZLoader Malware Campaign

Cybersecurity experts recently detected a resurgence of the ZLoader malware campaign, nearly two years after the botnet’s infrastructure was dismantled in April 2022. Zscaler reports that a new variant of ZLoader has been under development since September 2023, featuring significant changes in its loader module. The updated version adds RSA encryption, revises the domain generation algorithm, and is the first to be compiled for 64-bit Windows operating systems, as noted by researchers Santiago Vicente and Ismael Garcia Perez.

ZLoader, also known as Terdot, DELoader, or Silent Night, originated from the Zeus banking trojan, first appearing in 2015. It functions as a loader for other malware, including ransomware. Typically spread through phishing emails and malicious search engine ads, ZLoader suffered a major setback in 2022 when Microsoft’s cybercrime unit, in collaboration with other companies, took control of 65 domains used to manage infected hosts. Despite this, the development of ZLoader continued, with the latest versions incorporating advanced anti-analysis techniques.

Each ZLoader instance requires a specific filename to execute on infected hosts. Researchers noted that renaming the malicious file prevents it from exhibiting malicious activity, which could circumvent malware analysis sandboxes. RC4 encryption with a hardcoded alphanumeric key is used to conceal critical information such as campaign names, control servers, and other data. An updated domain generation algorithm serves as a backup communication method with the botnet; the DGA was first identified in version 1.1.22.0, which was distributed in phishing campaigns in March 2020.
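The RC4 scheme described above is what an analyst would undo to read a sample's embedded configuration. The following Python is an added example, not code from Zscaler's report or from ZLoader itself: the key, the NUL-separated config layout, and the campaign and C2 field names are all constructed assumptions for illustration, and the encrypted blob is built inline by encrypting a known plaintext so the example runs offline.

```python
"""Analyst-side RC4 config decryptor (added example; not Zscaler's or ZLoader's code).

Loaders that hide configuration (campaign name, C2 hosts) under RC4 with a
hardcoded key can be read by decrypting the embedded blob once the key is
recovered from the binary. The key and config layout below are constructed.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the state array using the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm, keystream XORed onto the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Hypothetical hardcoded alphanumeric key (constructed; not a real ZLoader key)
CONFIG_KEY = b"q1w2e3r4t5y6u7i8"

# Constructed config layout: NUL-separated fields, first the campaign name,
# then C2 hosts. The blob is produced here by encrypting a known plaintext.
_PLAINTEXT_CONFIG = b"\x00".join([b"campaign-example", b"c2-a.example", b"c2-b.example"])
ENCRYPTED_CONFIG = rc4(CONFIG_KEY, _PLAINTEXT_CONFIG)


def decrypt_config(blob: bytes, key: bytes = CONFIG_KEY) -> dict:
    """Decrypt an RC4 config blob and split it into campaign name and C2 hosts."""
    fields = rc4(key, blob).split(b"\x00")
    return {
        "campaign": fields[0].decode("ascii", errors="replace"),
        "c2_hosts": [f.decode("ascii", errors="replace") for f in fields[1:] if f],
    }


def looks_decrypted(data: bytes) -> bool:
    """Plausibility check: printable ASCII or NUL separators only.

    Handy when trying candidate keys pulled from a binary's string table:
    a wrong key yields high-entropy bytes, the right one yields readable fields.
    """
    return all(b == 0 or 0x20 <= b < 0x7F for b in data)


if __name__ == "__main__":
    print(decrypt_config(ENCRYPTED_CONFIG))
```

In practice the analyst swaps `CONFIG_KEY` for the key string recovered from the unpacked sample and `ENCRYPTED_CONFIG` for the bytes carved from the binary; `looks_decrypted` lets a script rank candidate keys without manual inspection.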

Experts warn that ZLoader’s return poses a significant threat, with potential implications for a new wave of ransomware attacks. This new ZLoader campaign represents a serious danger, demanding close attention from companies and individuals alike. It is crucial to adopt measures for the timely detection of this and other cyber threats to minimize risks and potential damage from attacks.