Inside Zloader's Latest Trick: DNS Tunneling

Dec. 11, 2024, 11:04 a.m.

Description

Zloader, a modular Trojan based on Zeus source code, has introduced new features in version 2.9.4.0 to enhance its anti-analysis capabilities and resilience against detection. Key updates include a custom DNS tunnel protocol for C2 communications, an interactive shell supporting over a dozen commands, and improved anti-analysis techniques. The malware now uses more targeted distribution methods, moving away from large-scale spam campaigns. Technical analysis reveals changes in configuration, environment checks, API resolution, and network communication. The new DNS tunneling feature allows Zloader to encapsulate encrypted TLS traffic through a custom protocol using DNS records, providing an additional layer of obfuscation.

Date

  • Created: Dec. 11, 2024, 2:51 a.m.
  • Published: Dec. 11, 2024, 2:51 a.m.
  • Modified: Dec. 11, 2024, 11:04 a.m.

Indicators

  • 6713bfbe1a8dea1ce0b97a5196762fe327f8da770a06e9aff09fff3a4f07cc14
  • 45.61.152.154
  • bigdealcenter.world

Attack Patterns

Additional Information

  • Finance