Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive potential, as the latest version, 2.9.4.0, introduces a custom DNS tunnel for covert C2 communications, bypassing traditional network security measures. 

An interactive shell empowers attackers with granular control over infected systems, facilitating advanced attacks like ransomware deployment, where Zloader’s relentless adaptation, including refined anti-analysis techniques and targeted attack vectors, poses a persistent threat to organizations worldwide.

Its distribution has transitioned from large-scale spam campaigns to smaller, targeted attacks, often leveraging voice-based phishing, as it has been observed as a multi-stage infection chain involving RMM tools like AnyDesk, TeamViewer, and Microsoft Quick Assist. 

A newly identified payload, GhostSocks, appears to be a crucial component in this chain, likely used to deploy Zloader, which highlights the evolving landscape of cyber threats, with attackers increasingly relying on sophisticated techniques to bypass traditional defenses.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

It’s configuration now uses XOR operations to derive the RC4 key for decryption, while new sections in the configuration reveal Zloader’s DNS tunneling capability using a custom protocol via DNS records and also include fallback DNS servers for C2 communication. 

Zloader 2.9.4.0 bypasses the registry-based environment check but implements a new method, which checks if its name matches a hardcoded value and calculates the MD5 hash of a bot ID (including computer name, user name, and install date). 

Then it validates the hash against a value stored in the executable’s .rdata section, and if they don’t match, Zloader terminates, suspecting a sandbox environment. 

During infection, it creates a copy with a modified MZ header pointing to the .rdata section and writes the expected bot ID hash there and launches the modified executable, deleting the original one. 

Zloader’s API resolution has evolved to use a modified CRC algorithm with lowercase function names and an XOR operation with a constant value, which now dynamically calculates DLL indices using two DWORD values per function. 

While Zloader 2.9.4.0 introduces an interactive shell with commands for executing binaries, shellcode, file transfers, process management, and directory navigation, enabling threat actors to perform advanced operations remotely.

According to Zscaler, the malware uses HTTPS with POST requests as the primary C2 communication channel, which encrypts the communication with Zeus VisualEncrypt and RC4 key.

It uses a custom protocol on top of DNS and constructs its own DNS packets, which contain a header with session ID, sequence number, message type, etc., and a payload, where the server responds with A or AAAA records for different purposes.

Zloader, an evolving malware, is increasingly using DNS tunneling to bypass detection, which allows it to establish covert communication channels, making it harder to identify and block. 

The threat actors behind Zloader are continuously enhancing its capabilities to compromise systems and facilitate ransomware attacks. To mitigate risks, organizations must implement robust security measures, including inspecting both web and DNS traffic.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free