ZLoader Malware Adopts Anti-Analysis Technique from Zeus Banking Trojan

The ZLoader malware, known for its origins in the Zeus banking trojan, has resurfaced with a new feature indicating active development. The researcher revealed that the latest version, 2.4.1.0, introduces an anti-analysis feature reminiscent of the Zeus 2.X source code, designed to prevent execution on machines different from the original infection.

After a hiatus of nearly two years following its takedown in early 2022, ZLoader, also known as Terdot, DELoader, or Silent Night, reappeared around September 2023. This modular trojan, capable of loading next-stage payloads, has seen recent updates, including RSA encryption and enhancements to its domain generation algorithm (DGA).

The new anti-analysis feature in ZLoader, found in versions above 2.4.1.0, causes the malware to terminate abruptly if copied and executed on another system post-initial infection, achieved through a Windows Registry check for a specific key and value. This prevents ZLoader’s execution on any machine other than the originally infected one, unless the seed and MZ header values are set correctly and all Registry and disk paths/names from the original system are replicated.

The researcher noted that this technique, used by ZLoader to avoid running on a different host, bears similarities to Zeus version 2.0.8, which used a data structure called PeSettings to store configuration information instead of the Registry.

“In recent versions, ZLoader has adopted a stealthy approach to system infections,” Vicente said. “This new anti-analysis technique makes ZLoader even more challenging to detect and analyze.”

In related news, threat actors are using fraudulent websites hosted on popular legitimate platforms like Weebly to spread stealer malware and steal data through black hat search engine optimization (SEO) techniques. These campaigns target users who access the fraudulent sites via search engines like Google, Bing, DuckDuckGo, Yahoo, or AOL, rather than directly accessing the sites.

Additionally, email-based phishing campaigns over the past two months targeting organizations in the U.S., Turkey, Mauritius, Israel, Russia, and Croatia with Taskun malware, a facilitator for Agent Tesla.

To prevent ZLoader infections, ensure your systems are regularly updated with the latest security patches. Use reputable antivirus software and firewalls to detect and block malicious activity. Be cautious when downloading files or clicking on links, especially from unknown or untrusted sources. Educate yourself and your team about phishing attacks and other common malware delivery methods to avoid falling victim to these threats.