Introduction
Zloader (aka Terdot, DELoader, or Silent Night) is a modular trojan born from the leaked Zeus source code. It surfaced publicly in 2016 during a targeted campaign against German banks [1], but its malicious activity traces back to at least August 2015. Zloader's first run persisted until the beginning of 2018, when its activities abruptly ceased. Its resurgence at the end of 2019, marketed in underground forums as "Silent Night", came with substantial alterations. The evolution of Zloader progressed steadily, leading to the development of version 2.0.0.0 around September 2021. Similar to Qakbot, the threat actors using Zloader also pivoted from conducting banking fraud to ransomware. In April 2022, security researchers executed a takedown operation [2] to dismantle the botnet, leading to an extended period of inactivity.

After an almost two-year hiatus, Zloader reemerged with a new iteration that appears to have started development in September 2023. The changes include new obfuscation techniques, an updated domain generation algorithm (DGA), RSA encryption for network communications, and native support for 64-bit versions of Windows in the loader. Initially, this new version was labeled with the old version number 2.0.0.0. However, over the past several months, the operators have released versions 2.1.6.0 and 2.1.7.0. In this blog, we explore these new updates to Zloader.
Key Takeaways

- Zloader dates back to 2015 and has been advertised in underground cybercriminal forums under the name "Silent Night" since the end of 2019.
- Zloader has returned after an almost two-year hiatus following its takedown in April 2022 by security researchers.
- The new version of Zloader made significant changes to the loader module: it added RSA encryption, updated the domain generation algorithm, and is compiled for 64-bit Windows operating systems for the first time.
- Zloader continues to use junk code for obfuscation, as well as API import hashing and string encryption, in an attempt to hinder malware analysis.
Technical Analysis

In the following sections, we dive into the technical details of Zloader's new updates to its anti-analysis techniques, embedded configuration, DGA, and network encryption.

Anti-analysis techniques

Zloader uses a combination of API import hashing, junk code, a filename check, and string obfuscation. The following sections analyze each technique.

Imports and API resolution

The newest Zloader samples import only a few functions from the kernel32 library. The remaining imports are resolved at runtime using checksums, which hides which functions are used. This technique was already present in older versions, but the new implementation adds an XOR constant that changes between samples. Python code that replicates the API hashing algorithm is shown below.

Code sample available on GitHub.
Junk code

Similar to previous versions, Zloader uses custom obfuscation. The new version adds junk code consisting of various arithmetic operations, as shown in Figure 1 below.

Figure 1. Example Zloader 2.1 junk code

In Figure 1, the instructions inside the red box are the junk code.

Anti-sandbox

Each Zloader sample expects to be executed with a specific filename. If the filename does not match what the sample expects, it will not execute further. This could evade malware sandboxes that rename sample files before execution. Figure 2 shows an example of a Zloader sample that expects its filename to be CodeForge.exe.

Figure 2. Example of Zloader's anti-analysis filename check

ThreatLabz has observed Zloader use the following filenames:
\tCodeForge.exe
\n\tCyberMesh.exe
\n\tEpsilonApp.exe
\n\tFusionBeacon.exe
\n\tFusionEcho.exe
\n\tIonBeacon.dll
\n\tIonPulse.exe
\n\tKineticaSurge.dll
\n\tQuantumDraw.exe
\n\tSpectraKinetic.exe
\n\tUltraApp.exe<\/p>\n
String obfuscation

Similar to prior versions, Zloader obfuscates some of the malware's important strings, such as registry paths, DLL names, and the DGA's top-level domain (TLD), using XOR with a hardcoded key. Python code that replicates the string obfuscation algorithm is shown below:

Code sample available on GitHub.

The encryption key differs between samples and is also hardcoded in the .rdata section, as shown in Figure 3 below.

Figure 3. Example string obfuscation key used by Zloader

A list of Zloader's obfuscated strings is shown in the Appendix.

Static configuration encryption and structure

The Zloader static configuration is still encrypted using RC4 with a hardcoded alphanumeric key, but the structure is slightly different. The botnet ID, campaign name, and command-and-control (C2) servers are set at fixed offsets, along with an RSA public key that replaces the old RC4 key that was used for network encryption. ThreatLabz has observed 15 unique new Zloader samples, all of which have the same RSA public key, likely indicating that there is currently only a single threat actor using the malware.

An example Zloader static configuration is shown below.
Domain generation algorithm

When the primary C2 server is not available, Zloader falls back to a DGA. The DGA has changed in the latest version and no longer uses a different seed per botnet. Python code that replicates Zloader's new DGA is shown below.

Code sample available on GitHub.

The code generates 32 domains per day, using the local system time at midnight (converted to UTC) as the seed. Each DGA domain is 20 characters long, followed by the ".com" TLD.
Network communications

Zloader continues to use HTTP POST requests to communicate with its C2 server. However, the network encryption now uses 1,024-bit RSA together with RC4 and the Zeus "visual encryption" algorithm. Zloader uses the custom Zeus BinStorage format, where the first 128 bytes are the RSA-encrypted RC4 key (32 random bytes) and the remaining bytes are encrypted with that RC4 key and visual encryption, as shown in Figure 4:

Figure 4. Zloader BinStorage object for a hello message (prior to encryption)

The Zeus BinStorage structure uses an integer ID value to identify the information stored, followed by the length and the data. The BinStorage ID values in this example are shown in Table 1.
\t\t\tValue (Decimal)
\n\t\t\tValue (Hexadecimal)
\n\t\t\tDescription<\/p>\n
\t\t\t10002
\n\t\t\t0x2712
\n\t\t\tBotnet ID<\/p>\n
\t\t\t10025
\n\t\t\t0x2729
\n\t\t\tCampaign ID<\/p>\n
\t\t\t10001
\n\t\t\t0x2711
\n\t\t\tBot ID<\/p>\n
\t\t\t10003
\n\t\t\t0x2713
\n\t\t\tMalware version<\/p>\n
\t\t\t10006
\n\t\t\t0x2716
\n\t\t\tUnknown flag (set to 0x1)<\/p>\n
Table 1. Zloader BinStorage hello message fields<\/p>\n
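The following Python is an added example (not the ThreatLabz code from this post, nor Zloader's own code) of a defender-side decoder for the hello message described above: it round-trips the Table 1 fields through a simplified BinStorage body, Zeus visual encryption and RC4. It assumes a 32-bit little-endian ID and length per item with no BinStorage header, that visual encryption is applied before RC4 (the Zeus ordering), and that the 32-byte RC4 key has already been recovered from the RSA-encrypted prefix; the sample key and message are constructed here.

```python
import struct
HELLO_IDS = {10002: "botnet", 10025: "campaign", 10001: "bot_id",  # Table 1 IDs
             10003: "version", 10006: "flag"}

def rc4(key, data):  # plain RC4 (KSA + PRGA); symmetric, so it also decrypts
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def visual_encrypt(data):  # Zeus: XOR each byte with the previous *ciphertext* byte
    b = bytearray(data)
    for i in range(1, len(b)):
        b[i] ^= b[i - 1]
    return bytes(b)

def visual_decrypt(data):  # inverse: walk backwards so b[i-1] is still ciphertext
    b = bytearray(data)
    for i in range(len(b) - 1, 0, -1):
        b[i] ^= b[i - 1]
    return bytes(b)

def pack_binstorage(items):  # assumed item layout: <u32 id><u32 len><data>, no header
    return b"".join(struct.pack("<II", i, len(v)) + v for i, v in items.items())

def parse_binstorage(blob):  # rejects an item whose length overruns the buffer
    items, off = {}, 0
    while off + 8 <= len(blob):
        item_id, size = struct.unpack_from("<II", blob, off)
        if off + 8 + size > len(blob):
            raise ValueError("truncated BinStorage item %d" % item_id)
        items[item_id] = blob[off + 8:off + 8 + size]
        off += 8 + size
    return items

def decode_hello(rc4_key, body):  # assumed wire order (as in Zeus): visual, then RC4
    plain = visual_decrypt(rc4(rc4_key, body))
    return {HELLO_IDS.get(i, "id_%d" % i): v for i, v in parse_binstorage(plain).items()}
# Constructed sample: fixed key standing in for the random RC4 key Zloader RSA-encrypts.
SAMPLE_KEY = bytes(range(32))
SAMPLE_BODY = rc4(SAMPLE_KEY, visual_encrypt(pack_binstorage({
    10002: b"Bing_Mod4", 10025: b"M1", 10001: b"BOT-EXAMPLE",
    10003: b"2.1.7.0", 10006: b"\x01\x00\x00\x00"})))
```

On a real capture, strip the 128-byte RSA block first and pass the recovered key and the remaining bytes to decode_hello.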
ThreatLabz has observed samples containing the following botnet IDs:

- Bing_Mod2
- Bing_Mod3
- Bing_Mod4
- Bing_Mod5

All of the campaign IDs have been set to the value M1.
Conclusion

Zloader was a significant threat for many years, and its comeback will likely result in new ransomware attacks. The operational takedown temporarily stopped the activity, but not the threat group behind it. Returning after almost two years, Zloader has brought notable improvements to the loader module, such as RSA encryption, an updated DGA, and enhanced obfuscation techniques, with more junk code, API import hashing, and string encryption to thwart malware analysis.

Zscaler ThreatLabz continues to track this threat and add detections to protect our customers.
Zscaler Coverage

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to Zloader at various levels with the following threat names:

- Win64.Downloader.Zloader
Indicators Of Compromise (IOCs)
\t\t\tURL
\n\t\t\tDescription<\/p>\n
\t\t\thttps:\/\/adslstickerhi[.]world
\n\t\t\tZloader C2<\/p>\n
\t\t\thttps:\/\/adslstickerni[.]world
\n\t\t\tZloader C2<\/p>\n
\t\t\thttps:\/\/dem.businessdeep[.]com
\n\t\t\tZloader C2<\/p>\n
Appendix

Tools

The code snippets in this blog have also been uploaded to our GitHub tools repository.

Decoded strings
\t\t\tuser32.dll<\/p>\n
\t\t\tnbsp;<\/p>\n
\t\t\t%s<\/p>\n
\t\t\treg add HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun \/f \/t REG_SZ \/v %s \/d “%s”<\/p>\n
\t\t\twininet.dll<\/p>\n
\t\t\ttd<\/p>\n
\t\t\ttr<\/p>\n
\t\t\tbr<\/p>\n
\t\t\tSoftwareMicrosoft<\/p>\n
\t\t\th3<\/p>\n
\t\t\tLocal<\/p>\n
\t\t\thr<\/p>\n
\t\t\tPOST<\/p>\n
\t\t\tgdiplus.dll<\/p>\n
\t\t\tNtWriteVirtualMemory<\/p>\n
\t\t\thttps:\/\/<\/p>\n
\t\t\t*<\/p>\n
\t\t\t??<\/p>\n
\t\t\tntdll.dll<\/p>\n
\t\t\tws2_32.dll<\/p>\n
\t\t\t_alldiv<\/p>\n
\t\t\tNtProtectVirtualMemory<\/p>\n
\t\t\tNtGetContextThread<\/p>\n
\t\t\tshell32.dll<\/p>\n
\t\t\t%s %s<\/p>\n
\t\t\tpsapi.dll<\/p>\n
\t\t\tcrypt32.dll<\/p>\n
\t\t\tS-1-15<\/p>\n
\t\t\tABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/<\/p>\n
\t\t\t_aulldiv<\/p>\n
\t\t\t“%s”<\/p>\n
\t\t\tsamlib.dll<\/p>\n
\t\t\tS:(ML;CIOI;NRNWNX;;;LW)<\/p>\n
\t\t\tNtCreateThreadEx<\/p>\n
\t\t\tregsvr32.exe \/s “%s”<\/p>\n
\t\t\tNtResumeThread<\/p>\n
\t\t\tbcrypt.dll<\/p>\n
\t\t\tnetapi32.dll<\/p>\n
\t\t\tRtlGetVersion<\/p>\n
\t\t\tstrtoul<\/p>\n
\t\t\twinsta.dll<\/p>\n
\t\t\twldap32.dll<\/p>\n
\t\t\tNtReadVirtualMemory<\/p>\n
\t\t\tBasic<\/p>\n
\t\t\t0:0<\/p>\n
\t\t\tversion.dll<\/p>\n
\t\t\th2<\/p>\n
\t\t\tInstallDate<\/p>\n
\t\t\th5<\/p>\n
\t\t\tNtAllocateVirtualMemory<\/p>\n
\t\t\t.com<\/p>\n
\t\t\tcabinet.dll<\/p>\n
\t\t\tS:(ML;;NRNWNX;;;LW)<\/p>\n
\t\t\tli<\/p>\n
\t\t\tkernel32.dll<\/p>\n
\t\t\t%stmp_%08x<\/p>\n
\t\t\th6<\/p>\n
\t\t\taeiouy<\/p>\n
\t\t\tdiv<\/p>\n
\t\t\trpcrt4.dll<\/p>\n
\t\t\t Microsoft Security Blog\u00a0<\/p>\n
\t\t\tiphlpapi.dll<\/p>\n
\t\t\tmpr.dll<\/p>\n
\t\t\tC:WindowsSystem32ntdll.dll<\/p>\n
\t\t\tConnection: close<\/p>\n
\t\t\tgdi32.dll<\/p>\n
\t\t\tC:WindowsSystem32msiexec.exe<\/p>\n
\t\t\tGlobal<\/p>\n
\t\t\twtsapi32.dll<\/p>\n
\t\t\tNtCreateUserProcess<\/p>\n
\t\t\tshlwapi.dll<\/p>\n
\t\t\tRtlUserThreadStart<\/p>\n
\t\t\t%s<\/p>\n
\t\t\tNtOpenProcess<\/p>\n
\t\t\tHTTP\/1.1<\/p>\n
\t\t\tncrypt.dll<\/p>\n
\t\t\tINVALID_BOT_ID<\/p>\n
\t\t\t_aullrem<\/p>\n
\t\t\tSoftwareMicrosoftWindowsCurrentVersionRun<\/p>\n
\t\t\tdnsapi.dll<\/p>\n
\t\t\tole32.dll<\/p>\n
\t\t\t.dll<\/p>\n
\t\t\tC:WindowsSysWOW64msiexec.exe<\/p>\n
\t\t\tbcdfghklmnpqrstvwxz<\/p>\n
\t\t\tftllib.dll<\/p>\n
\t\t\tUser metrics<\/p>\n
\t\t\tThreadStart<\/p>\n
\t\t\tMSIMG32.dll<\/p>\n
\t\t\t*<\/p>\n
\t\t\tJKLMNOPQRSTUVW$$$$$$XYZ[]^_`abcdefghijklmnopq<\/p>\n
\t\t\th1<\/p>\n
\t\t\tNtSetContextThread<\/p>\n
\t\t\t*\/*<\/p>\n
\t\t\tGET<\/p>\n
\t\t\tuserenv.dll<\/p>\n
\t\t\turlmon.dll<\/p>\n
\t\t\tSoftwareMicrosoftWindows NTCurrentVersion<\/p>\n
\t\t\t_ThreadStart@4<\/p>\n
\t\t\tdxgi.dll<\/p>\n
\t\t\tNtOpenSection<\/p>\n
\t\t\tscript<\/p>\n
\t\t\t\/post.php<\/p>\n
\t\t\tadvapi32.dll<\/p>\n
\t\t\th4<\/p>\n
\t\t\tsecur32.dll<\/p>\n
\t\t\timagehlp.dll<\/p>\n
\t\t\t%s_%s_%X<\/p>\n
\t\t\twinscard.dll<\/p>\n
References

[1] The Curious Case of an Unknown Trojan Targeting German-Speaking Users
[2] Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware