ZLoader Evolves: Anti-Analysis Feature Makes It Harder to Catch

The developers of the ZLoader malware, which recently resumed its activity after a two-year hiatus, have incorporated a range of new features inspired by the banking trojan Zeus.

Santiago Vicente, a researcher from Zscaler, noted in his technical report that the latest version of ZLoader, 2.4.1.0, includes a feature that prevents the program from running on any computer other than the one it initially infected. A similar feature is present in the leaked source code of Zeus 2.X, from which the author of ZLoader drew inspiration.

The encrypted ZeuS overlay section

ZLoader, also known as Terdot, DELoader, or Silent Night, first “rose from the dead” in September 2023 after being taken down in early 2022. This modular trojan loader is capable of downloading and executing a wide range of malicious software. In the latest versions, ZLoader’s developer added support for the RSA algorithm and updated the domain generation algorithm (DGA).

The newest anti-analysis feature integrated into the trojan restricts execution of the malicious code to the originally infected computer. Attempting to copy and run the program on any other computer after the initial infection causes it to stop immediately. This is achieved by checking the Windows registry for a specific key and its value.

Vicente emphasized that manually creating a key/value pair in the registry or altering this check will allow ZLoader to successfully embed itself in a new process, but it will then cease operation again after executing just a few instructions. This is due to a secondary check in the MZ file header.

As another Zscaler researcher, Kaivalya Hursale, pointed out, ZLoader is distributed using search engine optimization techniques and phishing sites hosted on popular platforms like Weebly. These sites masquerade as legitimate and are prominently displayed in search results, increasing the likelihood that potential victims inadvertently visit a malicious site.

Thus, the continuous efforts of cybercriminals to enhance their malicious creations demonstrate their desire to protect their assets and safeguard malicious code from analysis by cybersecurity experts. Such advancements underscore the importance of continuous threat monitoring and the development of adequate countermeasures in the cybersecurity industry.