
Technical Analysis of Zloader 2.9.4.0

Dec. 11, 2024, 11:05 a.m.

Description

Zloader 2.9.4.0 adds several capabilities over earlier builds. The most notable is a custom DNS tunnel protocol for C2 communications that encapsulates encrypted TLS traffic inside DNS requests; the bot configuration gains new sections for this tunnel. The update also adds an interactive shell that supports a range of operator commands, modifies the environment check used for anti-analysis, and changes the API resolution process. Distribution has become more targeted and frequently relies on Remote Monitoring and Management (RMM) tools.
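To make the DNS tunnel concrete, the following Python is an added example (not code from this page or from the Zloader analysis it summarizes). It takes the long query name listed under Indicators below, concatenates its hex-encoded labels, locates the TLS record header inside the decoded bytes and parses the ClientHello fragment that the single query carries. The 14 bytes that precede the TLS record are assumed to be a tunnel header and are reported but not interpreted, since their layout is not described here; the zone name, the hex-label heuristic and all function names are choices of this example.

```python
import re

# Constructed sample: the long DNS query name listed under Indicators on this page,
# re-joined here exactly as it appears (labels separated by dots).
SAMPLE_QNAME = (
    "cdn.90baf13f03000000040003000000."
    "160303009d0100009903036713bfbe1a8dea1ce0b97a5196762fe327f8da77."
    "0a06e9aff09fff3a4f07cc1400002ac02cc02bc030c02f009f009ec024c023."
    "c028c027c00ac009c014c013009d009c003d003c00.ns1.brownswer.com"
)

# A DNS label holds at most 63 octets, so a tunnel packs hex payload into labels of
# up to 63 hex characters. The 16-character floor is a heuristic assumed here to skip
# short routing labels such as "cdn".
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")


def extract_hex_payload(qname, zone):
    """Decode every hex-only label of `qname` that sits under `zone`, in order.

    Returns None when the name is not under the zone or carries no hex labels.
    """
    qname = qname.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if not qname.endswith("." + zone):
        return None
    labels = qname[: -(len(zone) + 1)].split(".")
    hex_labels = [lab for lab in labels if HEX_LABEL.match(lab)]
    if not hex_labels:
        return None
    return bytes.fromhex("".join(hex_labels))


def find_tls_record(payload):
    """Offset of the first plausible TLS record header (type 0x16, version 0x03xx), or -1."""
    for i in range(len(payload) - 5):
        if payload[i] == 0x16 and payload[i + 1] == 0x03 and payload[i + 2] <= 0x04:
            return i
    return -1


def parse_client_hello(tls):
    """Parse as much of a TLS ClientHello as `tls` contains.

    The record-length field says how long the full record is; when the DNS query
    carries only a fragment (as the sample does), `complete` is False and the
    cipher-suite list holds only the suites present in this fragment.
    """
    out = {"complete": False, "cipher_suites": []}
    if len(tls) < 11 or tls[0] != 0x16 or tls[5] != 0x01:  # record type / handshake type
        return None
    out["record_len"] = int.from_bytes(tls[3:5], "big")
    out["handshake_len"] = int.from_bytes(tls[6:9], "big")
    out["bytes_present"] = len(tls) - 5          # payload bytes after the 5-byte record header
    out["complete"] = out["bytes_present"] >= out["record_len"]
    if len(tls) < 44:
        return out
    out["client_random"] = tls[11:43].hex()       # 2-byte client version, then 32-byte random
    sid_len = tls[43]
    pos = 44 + sid_len
    if len(tls) < pos + 2:
        return out
    cs_len = int.from_bytes(tls[pos:pos + 2], "big")
    out["cipher_suites_declared"] = cs_len // 2
    pos += 2
    avail = tls[pos:min(pos + cs_len, len(tls))]  # may be cut short by the fragment boundary
    whole = len(avail) - len(avail) % 2           # ignore a dangling half suite
    out["cipher_suites"] = [avail[i:i + 2].hex() for i in range(0, whole, 2)]
    return out


def analyze_query(qname, zone):
    """Pipeline: hex labels -> bytes -> locate TLS record -> ClientHello fields."""
    payload = extract_hex_payload(qname, zone)
    if payload is None:
        return None
    off = find_tls_record(payload)
    if off < 0:
        return {"payload_len": len(payload), "tls": None}
    return {
        "payload_len": len(payload),
        "prefix_len": off,  # bytes before the TLS record; assumed tunnel header, not parsed here
        "tls": parse_client_hello(payload[off:]),
    }


if __name__ == "__main__":
    print(analyze_query(SAMPLE_QNAME, "ns1.brownswer.com"))
```

Run against the sample, the decoder reports a 97-byte payload whose TLS record claims 157 bytes but has only 78 present, and 18 of 21 declared cipher suites, which shows that one query carries a fragment and the remainder must be reassembled from follow-up queries. Note also that the recovered 32-byte client random is identical to one of the 64-hex-character strings listed under Indicators below, so that entry is a TLS random lifted from this query, not a file hash, and should not be searched for as one.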

Date

Published: Dec. 11, 2024, 2:51 a.m.

Created: Dec. 11, 2024, 2:51 a.m.

Modified: Dec. 11, 2024, 11:05 a.m.

Indicators

f1a9ef13784ba05628c12decbbe44e7708793d1a707f9fbc2475c42e1ec2cb7d

ec8414631644269ab230c222055beb36546ff3ee39cebbbfa7e794e2e609c8d9

db34e255aa4d9f4e54461571469b9dd53e49feed3d238b6cfb49082de0afb1e4

d212042504f851253347754c3d3624628e7ebf7c0bbd8160220bf6edcff24f16

cbff717783ee597448c56a408a066aaae0279dd8606e6d99e52a04f0a7a55e03

a9f2c4bc268765fc6d72d8e00363d2440cf1dcbd1ef7ee08978959fc118922c9

603bd9ee50f7dc6de37f314bda227561f0fd67cdebf53a672ea32cce73a2efd3

49405370a33abbf131c5d550cebe00780cc3fd3cbe888220686582ae88f16af7

40b4bb1919e9079d1172c5dee5ac7d96c5e80ede412b8e3ef382230a908733cc

3610f213db22a9de07dbbed4fbf6cec78b6dd4d58982c91f3a4ef994b53a8adc

2794a703aff5549a89834d0ef8ad4b97ce12e27fa37852dd2a504e5a0078b093

17a9900aff30928d54ce77bdcd0cdde441dd0215f8187bac0a270c5f8e4db9cc

22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764

6713bfbe1a8dea1ce0b97a5196762fe327f8da770a06e9aff09fff3a4f07cc14

ns1.brownswer.com

cdn.90baf13f03000000040003000000.160303009d0100009903036713bfbe1a8dea1ce0b97a5196762fe327f8da77.0a06e9aff09fff3a4f07cc1400002ac02cc02bc030c02f009f009ec024c023.c028c027c00ac009c014c013009d009c003d003c00.ns1.brownswer.com

unitedcommunity.world

bigdealcenter.world

Attack Patterns

GhostSocks

Zloader

T1071.004 (Application Layer Protocol: DNS)

T1553.002 (Subvert Trust Controls: Code Signing)

T1573.001 (Encrypted Channel: Symmetric Cryptography)

T1204.001 (User Execution: Malicious Link)

T1497 (Virtualization/Sandbox Evasion)

T1055 (Process Injection)

T1140 (Deobfuscate/Decode Files or Information)

T1027 (Obfuscated Files or Information)

T1190 (Exploit Public-Facing Application)

T1078 (Valid Accounts)

T1059 (Command and Scripting Interpreter)