ZLoader, 03 May

ZLoader Malware: Evolving Threats and Stealthy Tactics

The ZLoader malware, a variant of the Zeus banking trojan, has resurfaced, and the addition of new features shows that it is under active development.

Version 2.4.1.0 introduces an anti-analysis feature that prevents execution on any machine other than the one originally infected, akin to the anti-analysis mechanism in Zeus 2.X. This evolution follows ZLoader’s reemergence in September 2023 after a two-year hiatus that followed its takedown in 2022. Recent updates include RSA encryption and enhancements to the domain generation algorithm.

The anti-analysis feature, present in version 2.4.1.0 and later, terminates execution if the sample is copied to another system after infection. It relies on a unique registry key and value generated from a hardcoded seed, alongside a secondary check in the malware’s MZ header. This makes execution on a different machine difficult without correctly replicating the original system’s parameters.
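The article notes that the host-binding check is backed by a value in the MZ (DOS) header but does not say which field is used. The following is an added triage helper, not code from the article or from the malware: it parses the 64-byte IMAGE_DOS_HEADER of a PE image and reports fields that are normally zero in compiler-emitted stubs (e_csum, the reserved e_res/e_res2 words, the OEM fields) or an e_lfanew that does not point at a PE signature, which is where an analyst would first look for a stored machine-specific value. The sample headers are constructed inline and are not real binaries.

```python
import struct
from typing import Dict, List

# IMAGE_DOS_HEADER is 64 bytes: 30 little-endian WORDs followed by the
# signed 32-bit e_lfanew (file offset of the "PE\0\0" signature).
_DOS_HEADER = struct.Struct("<30Hi")

# The 14 scalar WORD fields in declaration order; they are followed by
# e_res[4], e_oemid, e_oeminfo, e_res2[10] and finally e_lfanew.
_WORD_NAMES = (
    "e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
    "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno",
)

MZ_SIGNATURE = 0x5A4D  # "MZ" read as a little-endian WORD


def parse_dos_header(data: bytes) -> Dict[str, object]:
    """Split the first 64 bytes of a PE image into named DOS header fields."""
    if len(data) < _DOS_HEADER.size:
        raise ValueError("input is too short to hold an IMAGE_DOS_HEADER")
    words = _DOS_HEADER.unpack_from(data, 0)
    fields: Dict[str, object] = dict(zip(_WORD_NAMES, words[:14]))
    fields["e_res"] = list(words[14:18])
    fields["e_oemid"] = words[18]
    fields["e_oeminfo"] = words[19]
    fields["e_res2"] = list(words[20:30])
    fields["e_lfanew"] = words[30]
    return fields


def dos_header_findings(data: bytes) -> List[str]:
    """Return notes on DOS header fields that deserve a closer look during triage."""
    h = parse_dos_header(data)
    if h["e_magic"] != MZ_SIGNATURE:
        return ["no MZ signature: not a PE image"]
    notes: List[str] = []
    off = h["e_lfanew"]
    if off < _DOS_HEADER.size or off + 4 > len(data) or data[off:off + 4] != b"PE\0\0":
        notes.append("e_lfanew=0x%x does not point at a PE signature" % off)
    if h["e_csum"]:
        # Linkers leave the DOS stub checksum at zero; a value here is unusual.
        notes.append("e_csum=0x%04x is non-zero" % h["e_csum"])
    for name in ("e_res", "e_res2"):
        if any(h[name]):
            notes.append("%s reserved words are non-zero: %s" % (name, h[name]))
    if h["e_oemid"] or h["e_oeminfo"]:
        notes.append("OEM fields set: e_oemid=0x%04x e_oeminfo=0x%04x"
                     % (h["e_oemid"], h["e_oeminfo"]))
    return notes


def build_sample_header(patches: Dict[int, int] = None) -> bytes:
    """Construct a minimal DOS header plus PE signature for demonstration.

    `patches` maps a WORD index (0..29) to the value to store there, so a
    caller can simulate data stashed in a normally-zero field. This is a
    constructed sample, not a real executable.
    """
    words = [0] * 30
    words[0] = MZ_SIGNATURE
    for idx, val in (patches or {}).items():
        words[idx] = val
    # e_lfanew = 0x40: the PE signature immediately follows the 64-byte header.
    return _DOS_HEADER.pack(*words, 0x40) + b"PE\0\0"


if __name__ == "__main__":
    print("clean   :", dos_header_findings(build_sample_header()))
    # Index 9 is e_csum, index 25 lies inside e_res2.
    print("tampered:", dos_header_findings(build_sample_header({9: 0x1234, 25: 0xBEEF})))
```

To use it on a real sample, pass the file's bytes (`dos_header_findings(open(path, "rb").read())`); a non-empty result is a prompt to inspect the flagged field, not proof of tampering, since some packers and legacy toolchains also populate these fields.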

ZLoader’s stealthy infection approach includes fraudulent websites hosted on legitimate platforms such as Weebly. These sites use black hat SEO techniques to rank higher in search results, increasing the likelihood of infection when a victim lands on them inadvertently. Notably, infection proceeds only when the visit arrives via certain search engine referrals, not through direct access to the bogus sites.
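Because the landing pages only deliver a payload to search-engine-referred visitors, the Referer header in web proxy logs is a useful pivot for detection. The following is an added example, not code from the article: it parses a few constructed proxy log lines and flags any client that reaches a page on a free-hosting platform (Weebly is the one the article names; the search engine list and the executable content types are assumptions) via a search engine referral and then fetches an executable-looking response within a short window. The hostnames in the sample log are made up.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import urlparse

# Referrers treated as search-engine traffic (assumed list; extend for your environment).
SEARCH_ENGINE_DOMAINS = ("google.com", "bing.com", "duckduckgo.com", "yahoo.com")
# Free hosting platforms abused for landing pages; Weebly is the one the article names.
FREE_HOSTING_DOMAINS = ("weebly.com",)
# What a first-stage download tends to look like on the wire (assumed heuristics).
EXECUTABLE_CONTENT_TYPES = ("application/x-msdownload", "application/x-msdos-program",
                            "application/octet-stream")
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".zip", ".js", ".vbs")
# Maximum gap between the poisoned landing page and the follow-on download.
WINDOW = timedelta(minutes=5)

# Constructed proxy log: ts client method url referer content-type ("-" = no referer).
SAMPLE_LOG = """\
2024-05-03T10:00:01Z 10.0.0.5 GET https://www.google.com/search?q=tax+form+download - text/html
2024-05-03T10:00:09Z 10.0.0.5 GET https://tax-forms-now.weebly.com/ https://www.google.com/ text/html
2024-05-03T10:00:15Z 10.0.0.5 GET https://cdn.example-files.test/TaxForm_setup.exe https://tax-forms-now.weebly.com/ application/x-msdownload
2024-05-03T10:02:00Z 10.0.0.7 GET https://tax-forms-now.weebly.com/ - text/html
2024-05-03T10:03:00Z 10.0.0.9 GET https://intranet.corp.test/report.pdf https://www.google.com/ application/pdf
"""


class Event(NamedTuple):
    ts: datetime
    client: str
    host: str
    path: str
    referer_host: Optional[str]
    content_type: str


def _domain_matches(host: str, domains: Tuple[str, ...]) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_proxy_log(text: str) -> List[Event]:
    """Parse whitespace-separated lines in the constructed format above."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, referer, ctype = line.split()
        u = urlparse(url)
        ref_host = urlparse(referer).hostname if referer != "-" else None
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client,
                            u.hostname or "", u.path, ref_host, ctype))
    return events


def looks_like_payload(ev: Event) -> bool:
    """Content type or extension suggests an executable first stage."""
    return (ev.content_type in EXECUTABLE_CONTENT_TYPES
            or ev.path.lower().endswith(EXECUTABLE_EXTENSIONS))


def detect_seo_poisoning(text: str) -> List[str]:
    """Flag clients that hit a free-hosting landing page via a search engine
    and then download a payload within WINDOW. Direct visits (no search
    referer) are not tracked, matching the delivery condition described."""
    landing: Dict[str, Tuple[datetime, str]] = {}  # client -> (ts, landing host)
    alerts: List[str] = []
    for ev in parse_proxy_log(text):
        if (ev.referer_host and _domain_matches(ev.referer_host, SEARCH_ENGINE_DOMAINS)
                and _domain_matches(ev.host, FREE_HOSTING_DOMAINS)):
            landing[ev.client] = (ev.ts, ev.host)
            continue
        if ev.client in landing and looks_like_payload(ev):
            t0, page = landing[ev.client]
            if ev.ts - t0 <= WINDOW:
                alerts.append("%s: search-referred visit to %s followed by payload %s%s after %ds"
                              % (ev.client, page, ev.host, ev.path, (ev.ts - t0).seconds))
                del landing[ev.client]
    return alerts


if __name__ == "__main__":
    for alert in detect_seo_poisoning(SAMPLE_LOG):
        print(alert)
```

In the sample, only 10.0.0.5 is flagged: 10.0.0.7 reached the same page directly, and 10.0.0.9 arrived from a search engine but at an internal host, so neither satisfies the chain. On real logs the free-hosting and content-type lists are the knobs to tune.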

In parallel, phishing campaigns targeting organizations in various countries have been observed distributing the Taskun malware, a precursor to Agent Tesla. These campaigns highlight ongoing threats that use multiple vectors for malware distribution and data theft.

In summary, ZLoader’s active development, characterized by anti-analysis measures and stealthy infection techniques, underscores the persistent threat posed by banking trojans and associated malware. Combined with phishing campaigns that use diverse distribution channels, the evolving tactics of threat actors call for continuous vigilance and adaptive cybersecurity measures.