Related Families: ZeuS
A new variant of the modular trojan Zloader was recently identified. The new variant has been in development since September 2023.
- A new variant of Zloader was recently identified.
- Zloader is a modular trojan that is an offshoot of Zeus.
- The new Zloader variant has multiple upgrades, including new obfuscation techniques, an updated DGA, and use of encrypted C2 communication.
- The new Zloader variant has native support for 64-bit versions of Windows.
What is Zloader?
Zscaler recently reported on a newly discovered Zloader variant. Zloader, also known as Terdot, DELoader, and Silent Night, is a modular trojan that is an offshoot of ZeuS. ZeuS is known as one of the most notorious banking trojans to date. Zloader is usually distributed via phishing campaigns or malicious ads.
Zloader was first used in the wild as early as 2015 but gained recognition when it was used in a 2016 campaign targeting German financial institutions. Zloader, under the name Silent Night, was originally offered for sale on a Russian malware forum by the user Axe, who was previously known for the Axebot malware. In 2018, Zloader took a brief hiatus before reemerging in late 2019.
In 2021, a new version of Zloader was observed in the wild. Following an April 2022 takedown, Zloader again seemed to fade into oblivion. However, another new Zloader variant recently emerged. Zscaler analysts note that development of the new variant appears to have started in September 2023.
The new Zloader variant includes several changes, such as new obfuscation techniques, an updated DGA, and the use of RSA encryption for C2 communication. It employs several anti-analysis techniques, including API import hashing, junk code, filename checks, and string obfuscation. Additionally, Zloader now has native support for 64-bit versions of Windows. The versions analyzed by Zscaler include version 22.214.171.124 and version 126.96.36.199.
Zscaler analysts noted that all the analyzed samples use the same public RSA key, likely indicating that only one threat actor is currently using the new Zloader variant.
PolySwarm has multiple samples of the new Zloader variant.
You can use the following CLI command to search for all Zloader samples in our portal:
$ polyswarm link list -f Zloader