Cyber Defense Advisors

ZLoader Malware Evolves with Anti-Analysis Trick from Zeus Banking Trojan

The authors behind the resurfaced ZLoader malware have added a feature that was originally present in the Zeus banking trojan that it’s based on, indicating that it’s being actively developed.

“The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection,” Zscaler ThreatLabz researcher Santiago Vicente said in a technical report. “A similar anti-analysis feature was present in the leaked ZeuS 2.X source code, but implemented differently.”

ZLoader, also called Terdot, DELoader, or Silent Night, emerged after a nearly two-year hiatus around September 2023 following its takedown in early 2022.

A modular trojan with capabilities to load next-stage payloads, recent versions of the malware have added RSA encryption as well as updates to its domain generation algorithm (DGA).

The latest sign of ZLoader’s evolution comes in the form of an anti-analysis feature that restricts the binary’s execution to the infected machine.

The feature, present in artifacts with versions greater than 2.4.1.0, causes the malware to abruptly terminate if they are copied and executed on another system post-initial infection. This is accomplished by means of a Windows Registry check for a specific key and value.

“The Registry key and value are generated based on a hardcoded seed that is different for each sample,” Vicente said.

“If the Registry key/value pair is manually created (or this check is patched), ZLoader will successfully inject itself into a new process. However, it will terminate again after executing only a few instructions. This is due to a secondary check in ZLoader’s MZ header.”

This means that ZLoader’s execution will be stalled in a different machine unless the seed and MZ header values are set correctly and all the Registry and disk paths/names from the originally compromised system are replicated.

Zscaler said the technique used by Zloader to store the installation information and avoid being run on a different host shares similarities with ZeuS version 2.0.8, albeit implemented in a different manner, which relied on a data structure called PeSettings to store the configuration instead of the Registry.

“In recent versions, ZLoader has adopted a stealthy approach to system infections,” Vicente said. “This new anti-analysis technique makes ZLoader even more challenging to detect and analyze.”

The development comes as threat actors are utilizing fraudulent websites hosted on popular legitimate platforms like Weebly to spread stealer malware and steal data via black hat search engine optimization (SEO) techniques.

“This catapults their fraudulent site to the top of a user’s search results, increasing the likelihood of inadvertently selecting a malicious site and potentially infecting their system with malware,” Zscaler researcher Kaivalya Khursale said.

A notable aspect of these campaigns is that the infection only proceeds to the payload delivery stage if the visit originates from search engines like Google, Bing, DuckDuckGo, Yahoo, or AOL, and if bogus sites are not accessed directly.

Over the past two months, email-based phishing campaigns have also been observed targeting organizations in the U.S., Turkey, Mauritius, Israel, Russia, and Croatia with Taskun malware, which acts as a facilitator for Agent Tesla, per findings from Veriti.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.