ZLoader Malware Evolves with Anti-Analysis Trick from Zeus Banking Trojan

The authors behind the resurfaced ZLoader malware have added a feature originally present in the Zeus banking trojan on which it is based, indicating that the malware is being actively developed.

“The latest version,, introduces a feature to prevent execution on machines that differ from the original infection,” Zscaler ThreatLabz researcher Santiago Vicente said in a technical report. “A similar anti-analysis feature was present in the leaked Zeus 2.X source code, but implemented differently.”

ZLoader, also called Terdot, DELoader, or Silent Night, emerged after a nearly two-year hiatus around September 2023 following its takedown in early 2022.

This means that ZLoader’s execution will stall on a different machine unless the seed and MZ header values are set correctly and all the Registry and disk paths/names from the originally compromised system are replicated.

Zscaler said the technique ZLoader uses to store the installation information and avoid being run on a different host shares similarities with Zeus version 2.0.8, albeit implemented in a different manner: Zeus relied on a data structure called PeSettings to store the configuration instead of the Registry.

“In recent versions, ZLoader has adopted a stealthy approach to system infections,” Vicente said. “This new anti-analysis technique makes ZLoader even more challenging to detect and analyze.”

A notable aspect of these campaigns is that the infection only proceeds to the payload delivery stage if the visit originates from search engines like Google, Bing, DuckDuckGo, Yahoo, or AOL, and if the bogus sites are not accessed directly.

Over the past two months, email-based phishing campaigns have also been observed targeting organizations in the U.S., Turkey, Mauritius, Israel, Russia, and Croatia with Taskun malware, which acts as a facilitator for Agent Tesla, per findings from Veriti.



Source: https://thehackernews.com/