Cybersecurity researchers have discovered a new version of the ZLoader malware that uses a Domain Name System (DNS) tunnel for command-and-control (C2) communication, indicating that the threat actors continue to refine the tool after its resurfacing a year ago.
“Zloader 2.9.4.0 adds notable improvements, including a custom DNS tunneling protocol for C2 communication and an interactive shell that supports more than a dozen commands that can be useful for ransomware attacks,” Zscaler ThreatLabz said in Tuesday’s report. “These modifications provide additional levels of resistance against detection and mitigation.”
ZLoader, also called Terdot, DELoader, or Silent Night, is a malware loader equipped with the ability to deploy next-stage payloads. Campaigns distributing the malware were spotted in September 2023 for the first time in almost two years, after its infrastructure had been dismantled.
In addition to incorporating various techniques to resist analysis attempts, the malware was found to use a Domain Generation Algorithm (DGA) and to take steps to avoid running on hosts other than the one originally infected, a technique also seen in the Zeus banking trojan on which it is based.
In recent months, the distribution of ZLoader has been increasingly associated with Black Basta ransomware attacks, in which the threat actors deploy the malware via remote desktop connections set up under the guise of resolving a technical support problem.
The cybersecurity company said it discovered an additional component in the attack chain, which first involves deploying a payload called GhostSocks, which is then used to deploy ZLoader.
“Zloader’s anti-analysis methods, such as environment validation and API import resolution algorithms, continue to be updated to evade malware sandboxes and static signatures,” Zscaler said.
A new feature introduced in the latest version of the malware is an interactive shell that allows an operator to execute arbitrary binaries, DLLs, and shellcode, delete data, and kill processes.
While Zloader continues to use HTTPS with POST requests as its primary C2 communication channel, it also ships with DNS tunneling functionality that carries TLS-encrypted traffic inside DNS packets.
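A C2 channel tunneled through DNS still has to push encoded data through query names, which is what a defender can look for in resolver logs: many unique, long, high-entropy leading labels under one base domain. The heuristic below is an added example written for this page, not Zscaler's or ZLoader's code; it assumes a constructed three-column log format (client, record type, query name) and treats the last two labels as the registrable domain.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (client, qtype, qname); not real ZLoader traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 4a7f3c9e2b1d8f0a6c5e3b9d1f7a2c4e.tunnel-c2.example
10.0.0.7 TXT 9b2e6d1c4f8a0e3b7d5c2a9f1e6b4d8c.tunnel-c2.example
10.0.0.7 TXT c3e8a1f6b9d2c7e0a4f5b8d1c6e9a2f3.tunnel-c2.example
10.0.0.7 TXT e1d4b7a0c3f6e9b2d5a8c1f4e7b0d3a6.tunnel-c2.example
10.0.0.5 A cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payload labels score high, hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname: str) -> str:
    """Assumption: the registrable domain is the last two labels (no suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def profile_dns_log(log_text: str) -> dict:
    """Collect the distinct leading labels queried under each base domain."""
    labels = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _client, _qtype, qname = parts
        labels[base_domain(qname)].add(qname.split(".")[0])
    return labels

def flag_tunneling(log_text, min_unique=3, min_label_len=20, min_entropy=3.0):
    """Return base domains whose leading labels look like encoded tunnel data."""
    flagged = set()
    for domain, labels in profile_dns_log(log_text).items():
        if len(labels) < min_unique:
            continue
        mean_len = sum(len(l) for l in labels) / len(labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged.add(domain)
    return flagged

if __name__ == "__main__":
    print(flag_tunneling(SAMPLE_LOG))  # {'tunnel-c2.example'}
```

Thresholds are deliberately conservative; in production they should be tuned against a baseline of the environment's own legitimate long-label traffic (CDNs, anti-spam lookups) before alerting.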
“Zloader’s distribution methods and new DNS tunneling communication channel suggest that the group is increasingly focusing on evading detection,” the company said. “The threat team continues to add new capabilities and features to more effectively serve as the initial access broker for ransomware.”