Technical Analysis of Zloader 2.9.4.0

Dec. 11, 2024, 11:05 a.m.

Description

The latest version of Zloader (2.9.4.0) introduces significant enhancements to its capabilities. The most notable addition is a custom DNS tunnel protocol for C2 communications, which encapsulates encrypted TLS traffic in DNS requests; the malware's configuration has gained new sections for this DNS tunneling. Other changes include an interactive shell for executing various operator commands, updated anti-analysis techniques, a modified environment check mechanism, and an updated API resolution process. Distribution has become more targeted, often abusing Remote Monitoring and Management (RMM) tools.

Date

  • Created: Dec. 11, 2024, 2:51 a.m.
  • Published: Dec. 11, 2024, 2:51 a.m.
  • Modified: Dec. 11, 2024, 11:05 a.m.

Indicators

  • f1a9ef13784ba05628c12decbbe44e7708793d1a707f9fbc2475c42e1ec2cb7d
  • ec8414631644269ab230c222055beb36546ff3ee39cebbbfa7e794e2e609c8d9
  • db34e255aa4d9f4e54461571469b9dd53e49feed3d238b6cfb49082de0afb1e4
  • d212042504f851253347754c3d3624628e7ebf7c0bbd8160220bf6edcff24f16
  • cbff717783ee597448c56a408a066aaae0279dd8606e6d99e52a04f0a7a55e03
  • a9f2c4bc268765fc6d72d8e00363d2440cf1dcbd1ef7ee08978959fc118922c9
  • 603bd9ee50f7dc6de37f314bda227561f0fd67cdebf53a672ea32cce73a2efd3
  • 49405370a33abbf131c5d550cebe00780cc3fd3cbe888220686582ae88f16af7
  • 40b4bb1919e9079d1172c5dee5ac7d96c5e80ede412b8e3ef382230a908733cc
  • 3610f213db22a9de07dbbed4fbf6cec78b6dd4d58982c91f3a4ef994b53a8adc
  • 2794a703aff5549a89834d0ef8ad4b97ce12e27fa37852dd2a504e5a0078b093
  • 17a9900aff30928d54ce77bdcd0cdde441dd0215f8187bac0a270c5f8e4db9cc
  • 22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764
  • 6713bfbe1a8dea1ce0b97a5196762fe327f8da770a06e9aff09fff3a4f07cc14
  • ns1.brownswer.com
  • cdn.90baf13f03000000040003000000.160303009d0100009903036713bfbe1a8dea1ce0b97a5196762fe327f8da77.0a06e9aff09fff3a4f07cc1400002ac02cc02bc030c02f009f009ec024c023.c028c027c00ac009c014c013009d009c003d003c00.ns1.brownswer.com
  • unitedcommunity.world
  • bigdealcenter.world
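The long cdn.…ns1.brownswer.com query name listed above is a captured instance of the DNS tunnel described in the summary. Read as hex, its payload labels begin with 16 03 03, a TLS 1.2 handshake record carrying a ClientHello. The following Python is an added example (not code from the original page or from the Zloader analysis it summarizes) that decodes that one indicator: it splits the name into its leading label, a header label and the payload labels, then parses the TLS record far enough to recover the client version, client random and cipher suites. The label layout is inferred from this single indicator, the header's field meanings are not documented on the page and are left opaque, and the sample query is the indicator copied verbatim. The decode also shows two things a practitioner would want to know before acting on the list: the record declares 157 bytes but only 78 are present, so one query carries only the start of the ClientHello and the parser must tolerate truncation; and the 32-byte client random it recovers is the untyped 6713bfbe… entry listed among the indicators, so a file-hash lookup on that value will not match a sample.

```python
import re
import struct

# TLS constants (RFC 5246).
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01

# IANA names for the cipher suite codes that occur in the indicator above.
CIPHER_NAMES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
}

TUNNEL_ZONE = "ns1.brownswer.com"

# The DNS query name from the indicator list above, copied verbatim.
SAMPLE_QUERY = (
    "cdn.90baf13f03000000040003000000."
    "160303009d0100009903036713bfbe1a8dea1ce0b97a5196762fe327f8da77."
    "0a06e9aff09fff3a4f07cc1400002ac02cc02bc030c02f009f009ec024c023."
    "c028c027c00ac009c014c013009d009c003d003c00.ns1.brownswer.com"
)


def split_tunnel_name(qname, zone=TUNNEL_ZONE):
    """Split a tunnel query into (leading label, header bytes, payload bytes).

    The layout (one plain label, one hex header label, then hex payload labels)
    is inferred from the single indicator above. The header's field meanings
    are not documented on the page, so it is returned as opaque bytes.
    """
    suffix = "." + zone.lower()
    if not qname.lower().endswith(suffix):
        raise ValueError("query is not under the tunnel zone")
    labels = qname[: -len(suffix)].split(".")
    if len(labels) < 3:
        raise ValueError("too few labels for a tunnel query")
    prefix, header, *payload = labels
    for label in (header, *payload):
        if not re.fullmatch(r"[0-9a-fA-F]+", label) or len(label) % 2:
            raise ValueError("non-hex or odd-length label: %r" % label)
    return prefix, bytes.fromhex(header), bytes.fromhex("".join(payload))


def parse_client_hello(data):
    """Parse the leading fields of a TLS ClientHello record.

    Tolerates a truncated record: the payload carried by one query can stop
    before the declared record length, so the cipher-suite list is read only
    as far as bytes are actually present and the shortfall is reported.
    """
    if len(data) < 9:
        raise ValueError("shorter than record + handshake headers")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != TLS_HANDSHAKE or data[5] != TLS_CLIENT_HELLO:
        raise ValueError("not a ClientHello handshake record")
    body = data[5:]
    if len(body) < 4 + 2 + 32 + 1 + 2:
        raise ValueError("record ends before the cipher-suite length")
    pos = 4                                    # skip handshake type + 24-bit length
    client_ver = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    client_random = body[pos:pos + 32].hex(); pos += 32
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len].hex(); pos += sid_len
    suites_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    end = min(pos + suites_len, len(body))     # stop at the bytes we actually have
    suites = []
    while pos + 2 <= end:
        code = int.from_bytes(body[pos:pos + 2], "big")
        suites.append(CIPHER_NAMES.get(code, "0x%04x" % code))
        pos += 2
    return {
        "record_version": rec_ver,
        "declared_record_len": rec_len,
        "present_record_len": len(body),
        "truncated": len(body) < rec_len,
        "declared_hello_len": int.from_bytes(body[1:4], "big"),
        "client_version": client_ver,
        "random": client_random,
        "session_id": session_id,
        "declared_suite_count": suites_len // 2,
        "cipher_suites": suites,
    }


def decode_tunnel_query(qname, zone=TUNNEL_ZONE):
    """Decode one tunnel query name into its header and the TLS fields it carries."""
    prefix, header, payload = split_tunnel_name(qname, zone)
    result = parse_client_hello(payload)
    result["prefix"] = prefix
    result["tunnel_header"] = header.hex()
    return result


if __name__ == "__main__":
    for key, value in decode_tunnel_query(SAMPLE_QUERY).items():
        print("%-22s %s" % (key, value))
```

Run against the indicator, the decoder reports a TLS 1.2 record of declared length 157 with 78 bytes present, an empty session ID, 21 declared cipher suites of which 18 are present, and the client random quoted above. The same split-and-parse check, applied to queries under any suspect zone, is a reasonable first triage step for DNS logs: long multi-label hex names whose payload starts with a TLS record header are tunneled TLS, whatever the tunnel's own header looks like.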

Attack Patterns