Wednesday, April 2, 2025

Researchers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication


Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive potential: the latest version, 2.9.4.0, introduces a custom DNS tunnel for covert C2 communication that bypasses traditional network security controls.

An interactive shell gives attackers granular control over infected systems and facilitates follow-on attacks such as ransomware deployment. Zloader's relentless adaptation, including refined anti-analysis techniques and targeted attack vectors, makes it a persistent threat to organizations worldwide.

Its distribution has shifted from large-scale spam campaigns to smaller, targeted attacks that often rely on voice-based phishing, and it has been observed in a multi-stage infection chain involving RMM tools such as AnyDesk, TeamViewer, and Microsoft Quick Assist.

Zloader attack chain.

A newly identified payload, GhostSocks, appears to be a crucial component of this chain and is likely used to deploy Zloader, highlighting how attackers increasingly rely on sophisticated techniques to bypass traditional defenses.


Its configuration now uses XOR operations to derive the RC4 key for decryption, and new configuration sections reveal Zloader's DNS tunneling capability, which uses a custom protocol carried in DNS records, along with fallback DNS servers for C2 communication.

Zloader 2.9.4.0 no longer relies on the registry-based environment check; instead it implements a new method that checks whether its name matches a hardcoded value and calculates the MD5 hash of a bot ID (derived from the computer name, user name, and install date).

Zloader decrypted static configuration.

It then validates the hash against a value stored in the executable's .rdata section; if they do not match, Zloader terminates on the assumption that it is running in a sandbox.

During infection, it creates a copy of itself with a modified MZ header pointing to the .rdata section, writes the expected bot ID hash there, launches the modified executable, and deletes the original.

Zloader's API resolution has evolved to use a modified CRC algorithm over lowercase function names combined with an XOR operation against a constant value, and it now dynamically calculates DLL indices using two DWORD values per function.
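When imports are resolved by hash rather than by name, an analyst rebuilds the mapping by hashing the exports of candidate DLLs with the same scheme and looking up the constants found in the sample. The script below is an added example of that workflow, not Zscaler's code and not Zloader's actual algorithm: standard CRC32 from zlib stands in for the modified CRC the article mentions, the XOR constant is a placeholder, and the export lists are a small constructed subset.

```python
"""Build a lookup table for hashed API names (analyst-side resolution).

Added example. Stand-ins and assumptions:
  - zlib.crc32 replaces the sample's modified CRC;
  - XOR_CONSTANT is a placeholder, not the value used by Zloader;
  - SAMPLE_EXPORTS is a constructed subset of real Windows export names.
"""
import zlib

XOR_CONSTANT = 0x1234ABCD  # placeholder; in practice recovered from the sample

# Constructed subset of exports, keyed by DLL; an analyst would dump the
# full export tables of the DLLs the sample is known to load.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["CreateFileW", "VirtualAlloc", "GetProcAddress", "LoadLibraryA"],
    "ws2_32.dll": ["WSAStartup", "socket", "connect"],
    "dnsapi.dll": ["DnsQuery_W"],
}


def api_hash(name: str, const: int = XOR_CONSTANT) -> int:
    """Hash an export name: lowercase it, CRC32 it, XOR with the constant.

    Lowercasing mirrors the case-insensitive scheme described in the
    article, so 'VirtualAlloc' and 'virtualalloc' hash identically.
    """
    crc = zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF
    return (crc ^ const) & 0xFFFFFFFF


def build_table(dll_exports: dict) -> dict:
    """Map hash -> list of (dll_index, dll, export_name).

    The DLL index is the position of the DLL in the export dictionary,
    a simple analogue of the per-function DLL index the article mentions.
    """
    table = {}
    for dll_index, (dll, names) in enumerate(dll_exports.items()):
        for export in names:
            table.setdefault(api_hash(export), []).append((dll_index, dll, export))
    return table


def resolve(hashes, table: dict) -> dict:
    """Resolve each 32-bit hash to its candidate entries, or None if unknown."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    # Constructed "hashes recovered from a sample": two known, one unknown.
    recovered = [api_hash("VirtualAlloc"), api_hash("DnsQuery_W"), 0xDEADBEEF]
    for h, hit in resolve(recovered, table).items():
        print(f"0x{h:08x} -> {hit if hit else 'unresolved'}")
```

Collisions are kept as lists rather than overwritten, since a hash that matches exports in two DLLs is exactly the case an analyst needs to see; the DLL index the sample stores alongside each hash is what disambiguates it.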

Zloader 2.9.4.0 also introduces an interactive shell with commands for executing binaries and shellcode, transferring files, managing processes, and navigating directories, enabling threat actors to perform advanced operations remotely.

Zloader values used to resolve API import names.

According to Zscaler, the malware uses HTTPS POST requests as its primary C2 channel, encrypting the communication with Zeus's VisualEncrypt scheme and an RC4 key.

Its DNS channel uses a custom protocol on top of DNS: Zloader constructs its own DNS packets, each consisting of a header (session ID, sequence number, message type, and so on) and a payload, and the server answers with A or AAAA records that serve different purposes in the protocol.

Zloader is increasingly using DNS tunneling to evade detection, establishing covert communication channels that are harder to identify and block.

The threat actors behind Zloader are continuously enhancing its capabilities to compromise systems and facilitate ransomware attacks. To mitigate risks, organizations must implement robust security measures, including inspecting both web and DNS traffic.
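Inspecting DNS traffic for a custom protocol like the one described above comes down to spotting what a tunnel cannot hide: many distinct, long, high-entropy subdomains from one client under one base domain, answered by A/AAAA records that carry data rather than addresses. The script below is an added example of that heuristic run over a constructed query log; it is not Zscaler's detection logic, the log format is assumed (timestamp, client, query type, query name), and the `.example` domains and hex labels are constructed, not observed indicators.

```python
"""Heuristic DNS-tunneling detector over a constructed query log.

Added example, not Zscaler's code. Assumes a whitespace-separated log
constructed here: <timestamp> <client-ip> <qtype> <qname>.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic). Client 10.0.0.5 behaves
# normally; client 10.0.0.7 sends long hex labels under one base domain,
# alternating A and AAAA queries, as a tunnelling client would.
SAMPLE_LOG = """\
2025-04-02T10:00:01 10.0.0.5 A www.example.com
2025-04-02T10:00:02 10.0.0.5 AAAA mail.example.com
2025-04-02T10:00:04 10.0.0.5 A cdn.example.com
2025-04-02T10:00:05 10.0.0.7 A www.example.com
2025-04-02T10:00:06 10.0.0.7 A 0123456789abcdeffedcba9876543210.c2-update.example
2025-04-02T10:00:07 10.0.0.7 AAAA 13579bdf02468ace02468ace13579bdf.c2-update.example
2025-04-02T10:00:08 10.0.0.7 A abcdef01234567899876543210fedcba.c2-update.example
2025-04-02T10:00:09 10.0.0.7 AAAA 02468ace13579bdf13579bdf02468ace.c2-update.example
2025-04-02T10:00:10 10.0.0.7 A 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-update.example
2025-04-02T10:00:11 10.0.0.7 AAAA fedcba98765432100123456789abcdef.c2-update.example
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Split one log line; the last two labels are treated as the base domain."""
    ts, client, qtype, qname = line.split()
    labels = qname.lower().rstrip(".").split(".")
    base = ".".join(labels[-2:])
    sub = "".join(labels[:-2])  # everything left of the base domain = payload space
    return {"ts": ts, "client": client, "qtype": qtype, "base": base, "sub": sub}


def detect_tunneling(log_text: str, min_distinct: int = 4,
                     min_entropy: float = 3.0, min_sub_len: int = 20) -> dict:
    """Return {(client, base_domain): stats} for pairs that look like a tunnel.

    A pair is flagged when the client has queried at least `min_distinct`
    different subdomains whose average entropy and average length both
    exceed the thresholds; ordinary hostnames (www, mail, cdn) never do.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            groups[(rec["client"], rec["base"])].append(rec)

    flagged = {}
    for key, recs in groups.items():
        subs = {r["sub"] for r in recs if r["sub"]}
        if len(subs) < min_distinct:
            continue
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        if mean_entropy >= min_entropy and mean_len >= min_sub_len:
            qtypes = defaultdict(int)
            for r in recs:
                qtypes[r["qtype"]] += 1
            flagged[key] = {
                "queries": len(recs),
                "distinct_subdomains": len(subs),
                "mean_entropy": round(mean_entropy, 3),
                "mean_sub_len": mean_len,
                "qtypes": dict(qtypes),
            }
    return flagged


if __name__ == "__main__":
    for (client, base), stats in detect_tunneling(SAMPLE_LOG).items():
        print(f"{client} -> {base}: {stats}")
```

The thresholds are deliberately conservative so that CDN and cloud hostnames (which are often long but share few distinct labels per client) do not trip them; in production the same grouping would be fed from resolver logs or passive DNS, and the base-domain split would use a public-suffix list rather than the last two labels.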


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
