Inside Zloader's Latest Trick: DNS Tunneling

Dec. 11, 2024, 11:04 a.m.

Description

Zloader, a modular Trojan based on Zeus source code, has introduced new features in version 2.9.4.0 to enhance its anti-analysis capabilities and resilience against detection. Key updates include a custom DNS tunnel protocol for C2 communications, an interactive shell supporting over a dozen commands, and improved anti-analysis techniques. The malware now uses more targeted distribution methods, moving away from large-scale spam campaigns. Technical analysis reveals changes in configuration, environment checks, API resolution, and network communication. The new DNS tunneling feature allows Zloader to encapsulate encrypted TLS traffic through a custom protocol using DNS records, providing an additional layer of obfuscation.

External References

https://securityboulevard.com/2024/12/inside-zloaders-latest-trick-dns-tunneling/
https://otx.alienvault.com/pulse/6758fe3a29e8bd68d2b55da9
Tags
zloader
dns tunneling
banking trojan
2024-12-11
malware evolution
ghostsocks
zeus variant

Date

  • Created: Dec. 11, 2024, 2:51 a.m.
  • Published: Dec. 11, 2024, 2:51 a.m.
  • Modified: Dec. 11, 2024, 11:04 a.m.

Indicators

  • 6713bfbe1a8dea1ce0b97a5196762fe327f8da770a06e9aff09fff3a4f07cc14
  • 45.61.152.154
  • bigdealcenter.world
Download all indicators here!

Attack Patterns

  • GhostSocks
  • Zloader
  • Zloader

Additional Informations

  • Finance