Cybersecurity researchers have discovered a new version of the ZLoader malware that employs a Domain Name System (DNS) tunnel for command-and-control (C2) communications, indicating that the threat actors are continuing to refine the tool after resurfacing a year ago.
“Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks,” Zscaler ThreatLabz said in a Tuesday report. “These modifications provide additional layers of resilience against detection and mitigation.”
ZLoader, also referred to as Terdot, DELoader, or Silent Night, is a malware loader that’s equipped with the ability to deploy next-stage payloads. Malware campaigns distributing the malware were observed for the first time in almost two years in September 2023 after its infrastructure was taken down.
In addition to incorporating various techniques to resist analysis efforts, the malware has been found to make use of a domain generation algorithm (DGA) and take steps to avoid being run on hosts that differ from the original infection, a technique also spotted in the Zeus banking trojan it’s based on.
In recent months, the distribution of ZLoader has been increasingly associated with Black Basta ransomware attacks, with threat actors deploying the malware by means of remote desktop connections established under the guise of fixing a tech support issue.
The cybersecurity firm said it discovered an additional component in the attack chain that first involves the deployment of a payload called GhostSocks, which is then used to drop ZLoader.
“Zloader’s anti-analysis techniques such as environment checks and API import resolution algorithms continue to be updated to evade malware sandboxes and static signatures,” Zscaler said.
A new feature introduced in the latest version of the malware is an interactive shell that enables the operator to execute arbitrary binaries, DLLs, and shellcode, exfiltrate data, and terminate processes.
While Zloader continues to use HTTPS with POST requests as the primary C2 communication channel, it also comes with a DNS tunneling feature to facilitate encrypted TLS network traffic using DNS packets.
“Zloader’s distribution methods and a new DNS tunneling communication channel suggest the group is focusing increasingly on evading detection,” the company said. “The threat group continues to add new features and functionality to more effectively serve as an initial access broker for ransomware.”
