Inside Zloader's Latest Trick: DNS Tunneling
Dec. 11, 2024, 11:04 a.m.
Description
Zloader, a modular Trojan based on Zeus source code, has introduced new features in version 2.9.4.0 to enhance its anti-analysis capabilities and resilience against detection. Key updates include a custom DNS tunnel protocol for C2 communications, an interactive shell supporting over a dozen commands, and improved anti-analysis techniques. The malware now uses more targeted distribution methods, moving away from large-scale spam campaigns. Technical analysis reveals changes in configuration, environment checks, API resolution, and network communication. The new DNS tunneling feature allows Zloader to encapsulate encrypted TLS traffic through a custom protocol using DNS records, providing an additional layer of obfuscation.
Date
Published: Dec. 11, 2024, 2:51 a.m.
Created: Dec. 11, 2024, 2:51 a.m.
Modified: Dec. 11, 2024, 11:04 a.m.
Indicators
6713bfbe1a8dea1ce0b97a5196762fe327f8da770a06e9aff09fff3a4f07cc14
45.61.152.154
bigdealcenter.world
Attack Patterns
GhostSocks
Zloader
T1071.004
T1132.001
T1218.011
T1059.003
T1012
T1070.004
T1016
T1106
T1082
T1057
T1083
T1055
T1140
T1027
Additional Information
Finance