ZLoader is a banking Trojan malware that steals sensitive financial information from infected systems. Threat actors exploit this malware to conduct a multitude of illicit activities.
This malware is often distributed through phishing emails or malicious websites, allowing the threat actors to secretly compromise users’ banking information.
Cybersecurity researchers at ANY.RUN recently discovered that ZLoader is now attacking the 64-bit version of Windows systems.
ANY.RUN is a developer of a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams, as well as Threat Intelligence Feeds and Threat Intelligence Lookup. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.
ZLoader returns with upgraded powers, as the new ZLoader malware campaign was spotted and found to be reviving after control network takedown in April 2022.
Microsoft’s Digital Crimes Unit seized the 65 domains to hit the ZLoader hard. But Zscaler ThreatLabz warns of a new version since September 2023, packing major loader module upgrades.
Apart from this, versions 2.1.6.0 and 2.1.7.0 use junk code and string obfuscation to evade the analysis, which shows the need for specific filenames to sneak past automated detection.
Using the RC4 encryption and a fixed key, all these versions cloak the campaign and command-and-control server data.
A revamped domain generation algorithm offers backup communication if main servers fall. ZLoader persists post-setbacks, hinting at threatening ransomware attacks, providing the group’s strength post-takedown.
ZLoader (aka Terdot, DELoader, Silent Night) grew from Zeus in 2015. This malware started as a banking trojan and now spreads ransomware.
It originated from a 2011 leaked code and gained momentum with COVID-19 attacks until server takedown in 2020.
ZLoader delivers extra malware to infected systems. The loaders are essential to attacks, as they dominated with 24,136 detections in 2023.
To prevent the latest ZLoader version, firms must refresh security with IOCs like file hashes, C2 IPs, and URLs. ANY.RUN eases IOC extraction for pros that strengthen the endpoints, SIEM, and SOAR against ZLoader.
This ANY.RUN sandbox task as an example to illustrate how to pull IOCs from the new ZLoader variant.
Besides this, the ANY.RUN allows the extraction of compromise indicators from malware, like C2 addresses, even when not connected to the control server.
Moreover, directly from the task, it also provides direct access to Suricata rules that could be utilized according to the need.
To secure against the new ZLoader variant, companies should update their security systems with Indicators of Compromise, such as file hashes, C2 IP addresses, and URLs.
Here below, we have mentioned all the recommendations:
ANY.RUN interactive malware sandbox streamlines the IOC extraction process for security professionals. They can then use gathered indicators in endpoint security, SIEM, and SOAR systems to safeguard their infrastructure against ZLoader.
Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC)…
Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive…
The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence Information…
DMD Diamond - one of the oldest blockchain projects in the space has announced the start…
Researchers reported a phishing attack on December 4th, 2024, where malicious emails purportedly from the…
The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed an advanced cyber attack…