The PolySwarm Blog


New Zloader Variant Discovered

Feb 9, 2024 1:16:59 PM / by The Hivemind

Related Families: ZeuS

Executive Summary

A new variant of the modular trojan Zloader was recently identified. The new variant has been in development since September 2023.

Key Takeaways

  • A new variant of Zloader was recently identified.
  • Zloader is a modular trojan that is an offshoot of ZeuS.
  • The new Zloader variant has multiple upgrades, including new obfuscation techniques, an updated DGA, and use of encrypted C2 communication.
  • The new Zloader variant has native support for 64-bit versions of Windows.

What is Zloader?

Zscaler recently reported on a newly discovered Zloader variant. Zloader, also known as Terdot, DELoader, and Silent Night, is a modular trojan that is an offshoot of ZeuS. ZeuS is known as one of the most notorious banking trojans to date. Zloader is usually distributed via phishing campaigns or malicious ads.

Zloader was first used in the wild as early as 2015 but gained recognition when it was used in a 2016 campaign targeting German financial institutions. Zloader, under the name Silent Night, was originally offered for sale on a Russian malware forum by the user Axe, who was previously known for the Axebot malware. In 2018, Zloader took a brief hiatus before reemerging in late 2019.

In 2021, a new version of Zloader was observed in the wild. Following an April 2022 takedown, Zloader again seemed to fade into oblivion. However, another new Zloader variant recently emerged. Zscaler analysts note that development of the new variant appears to have started in September 2023.

The new Zloader variant includes several changes, such as new obfuscation techniques, an updated DGA, and the use of RSA encryption for C2 communication. It employs several anti-analysis techniques, including API import hashing, junk code, filename checks, and string obfuscation. Additionally, Zloader now has native support for 64-bit versions of Windows. The versions analyzed by Zscaler include version 2.1.6.0 and version 2.1.7.0.

Zscaler analysts noted that all the analyzed samples use the same public RSA key, likely indicating that only one threat actor is currently using the new Zloader variant.

IOCs

PolySwarm has multiple samples of the new Zloader variant.


You can use the following CLI command to search for all Zloader samples in our portal:

$ polyswarm link list -f Zloader


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

Topics: Threat Bulletin, Windows, Trojan, Zloader, ZeuS, 64-bit
