Full Report
Cybersecurity researchers have discovered a new version of the ZLoader malware that employs a Domain Name System (DNS) tunnel for command-and-control (C2) communications, indicating that the threat actors are continuing to refine the tool after resurfacing a year ago. "Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell
Analysis Summary
# Tool/Technique: ZLoader Malware (Variant 2.9.4.0)
## Overview
ZLoader (also known as Terdot, DELoader, or Silent Night) is a sophisticated malware loader that acts as a dropper for next-stage payloads. The newly discovered variant (2.9.4.0) showcases advancements primarily focused on stealth, leveraging a custom DNS tunnel protocol for Command and Control (C2) communications and incorporating enhanced anti-analysis techniques. It is frequently associated with the deployment of Black Basta ransomware.
## Technical Details
- Type: Malware family (Malware Loader)
- Platform: Windows (Implied, as ZLoader typically targets Windows systems)
- Capabilities: Deploying next-stage payloads, C2 communication via DNS tunneling, interactive shell, evasion of analysis.
- First Seen: The base ZLoader malware resurfaced in September 2023 after infrastructure takedowns. The specific variant 2.9.4.0 information was reported in December 2024.
## MITRE ATT&CK Mapping
The primary focus of this latest variant is C2 communication and evasion:
- **Command and Control**
  - T1071.004 - Application Layer Protocol: DNS (the custom DNS tunnel protocol used for C2)
  - T1568.002 - Dynamic Resolution: Domain Generation Algorithms (DGA usage mentioned)
- **Defense Evasion**
  - T1027 - Obfuscated Files or Information (implied by the ongoing updates to the anti-analysis and API import resolution techniques)
  - T1497 - Virtualization/Sandbox Evasion (environmental checks aimed at defeating malware sandboxes)
## Functionality
### Core Capabilities
- **Payload Delivery:** Functions as a loader capable of dropping subsequent malicious payloads.
- **Anti-Analysis:** Continuously updated environmental checks and API import resolution algorithms designed to frustrate malware sandboxes and static signature detection.
- **Target Restriction/Evasion:** Uses a DGA for C2 resiliency and checks the host configuration so that a sample executes only on the machine it originally infected, frustrating analysis of copied samples (an anti-analysis measure inherited from its Zeus lineage).
### Advanced Features
- **DNS Tunneling C2:** Uses a custom DNS tunnel protocol for C2 communications. This improves stealth and resilience because DNS is almost always permitted outbound, is often less scrutinized than HTTP/S, and still reaches the attacker's authoritative server through the organization's own recursive resolvers even when direct outbound connections from the host are blocked.
- **Interactive Shell:** Includes an interactive shell capable of processing over a dozen commands, suggesting robust remote management features potentially beneficial for subsequent activities like ransomware deployment.
- **GhostSocks Pre-Stage:** In some observed attack chains associated with Black Basta, ZLoader deployment is preceded by the deployment of a component named **GhostSocks**, which then facilitates the dropping of ZLoader.
## Indicators of Compromise
*No specific hashes, registry keys, or network indicators were provided in the text, only behavioral and tool-based indicators.*
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: Communications heavily rely on DNS tunneling using a custom protocol. (Defanged C2s: [Not specified])
- Behavioral Indicators: Execution of GhostSocks preceding ZLoader execution; complex environment checks and API resolution behavior.
## Associated Threat Actors
- Threat actors distributing ZLoader are increasingly associated with **Black Basta ransomware** attacks.
- Distribution observed via remote desktop connections disguised as tech support remediation.
## Detection Methods
- Signature-based detection: Challenged by constantly updated anti-analysis techniques (environment checks, API import resolution algorithms), so static signatures for one build are unlikely to survive the next.
- Behavioral detection: Focus on DNS telemetry from the resolver rather than the endpoint: an abnormal query volume to a single zone, long or high-entropy subdomain labels, a high proportion of never-repeated subdomains under one zone, and heavy use of record types such as TXT or NULL that can carry data back to the client. Also look for suspicious process chains in which GhostSocks deploys ZLoader.
- YARA rules: [Not specified]
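The following is a worked example of the behavioral DNS detection described above, added for this summary; it is not code from the original report or from any vendor's tooling. It scores resolver query logs per registered domain on the generic features that tunneling protocols inflate, since the report does not describe the custom ZLoader protocol itself. Everything in it is an assumption: the log format, the zone names evil-tunnel.test, lookup-av.test and example.com, the thresholds, and the naive two-label "registered domain" split (a real deployment would use the public suffix list).

```python
"""Per-zone DNS tunneling heuristics over resolver query logs (constructed example)."""
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<epoch> <client> <qname> <qtype>".
# Every line and zone name is invented for illustration; none are indicators from
# the report. evil-tunnel.test mimics a tunnel (long, unique, high-entropy labels in
# TXT queries); lookup-av.test mimics a legitimate hash-lookup service that looks
# the same on the wire and therefore needs an allowlist entry.
SAMPLE_LOG = """\
1733900001 10.0.0.12 www.example.com A
1733900002 10.0.0.12 api.example.com A
1733900003 10.0.0.12 cdn.example.com AAAA
1733900004 10.0.0.12 mail.example.com MX
1733900005 10.0.0.12 www.example.com A
1733900006 10.0.0.12 mail.example.com A
1733900010 10.0.0.57 0123456789abcdeffedcba9876543210.t.evil-tunnel.test TXT
1733900011 10.0.0.57 13579bdf02468ace13579bdf02468ace.t.evil-tunnel.test TXT
1733900012 10.0.0.57 a1b2c3d4e5f60718293a4b5c6d7e8f90.t.evil-tunnel.test TXT
1733900013 10.0.0.57 f0e1d2c3b4a5968778695a4b3c2d1e0f.t.evil-tunnel.test TXT
1733900014 10.0.0.57 89abcdef0123456789abcdef01234567.t.evil-tunnel.test TXT
1733900015 10.0.0.57 fedcba98765432100123456789abcdef.t.evil-tunnel.test TXT
1733900020 10.0.0.80 d41d8cd98f00b204e9800998ecf8427e.hash.lookup-av.test TXT
1733900021 10.0.0.80 e3b0c44298fc1c149afbf4c8996fb924.hash.lookup-av.test TXT
1733900022 10.0.0.80 9e107d9d372bb6826bd81d3542a419d6.hash.lookup-av.test TXT
1733900023 10.0.0.80 098f6bcd4621d373cade4e832627b4f6.hash.lookup-av.test TXT
1733900024 10.0.0.80 5d41402abc4b2a76b9719d911017c592.hash.lookup-av.test TXT
"""

# Record types rare in ordinary client traffic whose answers can carry arbitrary data.
RARE_QTYPES = frozenset({"TXT", "NULL"})


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4.0 for evenly distributed hex, 0 to 2 for words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Naive zone split on the last two labels (assumption; use the public
    suffix list in production so that names such as foo.co.uk split correctly)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text: str):
    """Return (epoch, client, qname, qtype) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def summarize(records):
    """Aggregate, per registered domain, the features a tunnel inflates."""
    zones = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "label_chars": 0, "entropy": 0.0, "rare": 0})
    for _ts, _client, qname, qtype in records:
        zone = registered_domain(qname)
        sub = qname[: -len(zone)].rstrip(".") if qname != zone else ""
        z = zones[zone]
        z["queries"] += 1
        z["subdomains"].add(sub)        # a tunnel almost never repeats a label
        z["label_chars"] += len(sub)    # data is packed into long labels
        z["entropy"] += shannon_entropy(sub.replace(".", ""))
        if qtype in RARE_QTYPES:
            z["rare"] += 1
    return zones


def flag_tunneling(zones, allowlist=frozenset(), min_queries=5,
                   len_threshold=30.0, entropy_threshold=3.5,
                   unique_threshold=0.9, rare_threshold=0.5, min_reasons=2):
    """Return {zone: [reasons]} for zones that trip at least `min_reasons`
    thresholds. The thresholds are illustrative starting points, not tuned values."""
    suspects = {}
    for zone, z in zones.items():
        n = z["queries"]
        if n < min_queries or zone in allowlist:
            continue
        avg_len, avg_entropy = z["label_chars"] / n, z["entropy"] / n
        unique_ratio, rare_ratio = len(z["subdomains"]) / n, z["rare"] / n
        reasons = []
        if avg_len >= len_threshold:
            reasons.append(f"average subdomain length {avg_len:.1f}")
        if avg_entropy >= entropy_threshold:
            reasons.append(f"average label entropy {avg_entropy:.2f} bits/char")
        if unique_ratio >= unique_threshold:
            reasons.append(f"{unique_ratio:.0%} of queries used a never-repeated subdomain")
        if rare_ratio >= rare_threshold:
            reasons.append(f"{rare_ratio:.0%} of queries were TXT/NULL")
        if len(reasons) >= min_reasons:
            suspects[zone] = reasons
    return suspects


if __name__ == "__main__":
    zones = summarize(parse_log(SAMPLE_LOG))
    for label, allow in (("no allowlist", frozenset()), ("with allowlist", {"lookup-av.test"})):
        print(f"== {label} ==")
        for zone, reasons in flag_tunneling(zones, allowlist=allow).items():
            print(zone, "->", "; ".join(reasons))
```

Run without an allowlist, both evil-tunnel.test and lookup-av.test are flagged, while example.com is not; adding lookup-av.test to the allowlist leaves only the tunnel. That is the operational caveat with this class of detection: security products, CDNs and some telemetry agents legitimately encode data in DNS labels and look exactly like a tunnel on these features, so an allowlist of known zones (and a baseline period before alerting) is part of the detection, not an afterthought. Requiring two independent features rather than one keeps a single long but benign hostname from firing.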
## Mitigation Strategies
- Prevention measures: Log DNS queries at the recursive resolver and alert on tunneling patterns per zone (abnormal volume, long or high-entropy labels, a high share of unique subdomains, TXT/NULL-heavy traffic). Restrict outbound DNS so that hosts can only reach approved internal resolvers, and treat DNS-over-HTTPS/TLS to unapproved endpoints the same way, since a tunnel over an encrypted resolver bypasses resolver logging.
- Hardening recommendations: Strictly control remote desktop access (who may initiate it, from where, and with what authentication) and scrutinize unexpected requests for technical support remediation that lead to file execution, as this is the observed delivery path. Focus on hardening against the initial access vectors used by the associated ransomware groups.
## Related Tools/Techniques
- Zeus banking trojan (ZLoader is based on this trojan).
- GhostSocks (Precursor component in some observed attack chains).
- Black Basta ransomware (Target payload/associated threat).
- Domain Generation Algorithm (DGA) usage.