May 2, 2024
Severity
High
Analysis Summary
The developers of the recently revived ZLoader malware have reintroduced an anti-analysis feature from the original Zeus banking trojan it is derived from, a sign that development is ongoing. The latest version, 2.4.1.0, refuses to run on any machine other than the one it originally infected.
The leaked Zeus 2.X source code had a comparable anti-analysis feature, although it was implemented differently. ZLoader, also tracked as Terdot, DELoader, or Silent Night, reappeared in September 2023 after almost two years of inactivity following its takedown in early 2022. It is a modular trojan capable of loading next-stage payloads, and newer versions add RSA encryption and improvements to its domain generation algorithm (DGA).
The most recent step in ZLoader's evolution is an anti-analysis trait that restricts the binary to the compromised device. The feature, present in samples from version 2.4.1.0 onward, causes the malware to terminate abruptly if the binary is copied to and executed on a different system after the initial infection. It does this by checking the Windows Registry for a specific key and value.
The Registry key name and value are derived from a hardcoded seed that is unique to each sample. If the key/value pair is manually recreated on the new machine (or the check is patched out), ZLoader proceeds to inject itself into a new process, but terminates again after executing only a handful of instructions. This second termination comes from an additional check against values stored in ZLoader's MZ header.
In practice, ZLoader will not run on another machine unless the seed and MZ header values are set correctly and every Registry and disk path/name from the originally compromised system is reproduced. Researchers noted that Zeus version 2.0.8 also stored installation data to prevent execution on a different host, but implemented it differently: Zeus kept that data in its PeSettings configuration structure rather than in the Registry.
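To make the two-stage host-binding check concrete, the following is an added Python model written for this page; it is not ZLoader code and does not reproduce the malware's real derivation. The seed value, the way the Registry key name and value are derived from it, the use of the DOS header's reserved e_res2 bytes to hold a tag, and the binding of that tag to the install path are all assumptions chosen to illustrate the behaviour described above: the Registry guard runs first, the MZ-header guard second, and both pass only when the original system's artifacts are replicated.

```python
"""Constructed model of a host-bound execution guard (illustration, not ZLoader)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

DOS_HEADER_LEN = 0x40   # size of IMAGE_DOS_HEADER
E_RES2_OFFSET = 0x28    # e_res2: 20 reserved bytes the loader ignores (assumed tag slot)
TAG_LEN = 16


def derive_marker(seed: bytes) -> tuple[str, bytes]:
    """Assumed derivation: Registry key name and expected value from a per-sample seed."""
    key_digest = hashlib.sha256(b"key:" + seed).hexdigest()
    value = hashlib.sha256(b"value:" + seed).digest()[:TAG_LEN]
    return "HKCU\\Software\\Microsoft\\" + key_digest[:16], value


def derive_header_tag(seed: bytes, install_path: str) -> bytes:
    """Assumed: the header tag binds the file to the path it was installed under,
    which is why disk paths/names also have to be duplicated to run elsewhere."""
    return hmac.new(seed, install_path.encode("utf-16-le"), hashlib.sha256).digest()[:TAG_LEN]


def make_sample(seed: bytes) -> bytearray:
    """Build a toy PE-like file: a DOS header followed by a fake body carrying the seed."""
    hdr = bytearray(DOS_HEADER_LEN)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = DOS_HEADER_LEN.to_bytes(4, "little")  # e_lfanew
    return hdr + b"PE\0\0" + b"\xcc" * 32 + seed


@dataclass
class Host:
    """Minimal stand-in for one machine: its Registry and its disk."""
    name: str
    registry: dict[str, bytes] = field(default_factory=dict)
    disk: dict[str, bytearray] = field(default_factory=dict)


def install(host: Host, sample: bytearray, seed: bytes, path: str) -> None:
    """First infection: record the Registry marker and stamp the MZ header."""
    key, value = derive_marker(seed)
    host.registry[key] = value
    stamped = bytearray(sample)
    stamped[E_RES2_OFFSET:E_RES2_OFFSET + TAG_LEN] = derive_header_tag(seed, path)
    host.disk[path] = stamped


def run(host: Host, path: str, seed: bytes) -> str:
    """Emulate the two guards in the order the advisory describes."""
    key, value = derive_marker(seed)
    if host.registry.get(key) != value:
        return "terminated: Registry marker missing"
    # Guard 1 passed: at this point the real sample injects into a new process.
    image = host.disk[path]
    if image[E_RES2_OFFSET:E_RES2_OFFSET + TAG_LEN] != derive_header_tag(seed, path):
        return "terminated: MZ header check failed"
    return "running"


def scenario() -> dict[str, str]:
    """Walk through infection, a naive copy, a partial fix-up and a full replica."""
    seed = b"\x13\x37" * 8                                  # constructed per-sample seed
    path = r"C:\Users\victim\AppData\Roaming\upd.exe"       # constructed install path
    victim = Host("victim")
    install(victim, make_sample(seed), seed, path)

    # Analyst copies the installed file, byte for byte, into a sandbox.
    sandbox = Host("sandbox")
    copy_path = r"C:\analysis\sample.exe"
    sandbox.disk[copy_path] = bytearray(victim.disk[path])
    results = {"victim": run(victim, path, seed), "copied": run(sandbox, copy_path, seed)}

    # Recreate only the Registry marker: guard 1 passes, guard 2 still terminates.
    key, value = derive_marker(seed)
    sandbox.registry[key] = value
    results["registry_only"] = run(sandbox, copy_path, seed)

    # Replicate the original path as well: both checks are satisfied.
    sandbox.disk[path] = bytearray(victim.disk[path])
    results["full_replica"] = run(sandbox, path, seed)
    return results
```

The takeaway for analysis is in the last two steps of `scenario()`: fixing up the Registry alone gets the sample past the first guard and into process injection, which is exactly where a sandbox trace would stop a few instructions later, so a faithful detonation needs the original key/value pair and the original on-disk path together (or the checks patched out of the binary).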
ZLoader's recent updates show a continued emphasis on stealth, and this anti-analysis check adds another hurdle to detecting and examining the malware. The development comes as threat actors are abusing fake websites hosted on well-known platforms such as Weebly to distribute information-stealing malware through SEO poisoning.
Poisoned search results push the deceptive site to the top of a user's results, increasing the chance that the user clicks through and infects their system. A notable feature of these campaigns is that the malicious site only proceeds to the payload-delivery stage if the visitor arrived from a search engine such as Google, Bing, DuckDuckGo, Yahoo, or AOL; visiting the fake site directly does not trigger it.
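The referrer gate described above, as an added Python example written for this page (not code from the campaign or from the researchers): the search-engine list is the one named in the paragraph, while the header handling, the response labels and the replay helper are constructed for illustration.

```python
"""Constructed model of a search-engine referrer gate on a poisoned lure page."""
from __future__ import annotations

from urllib.parse import urlparse

# Engines named in the campaign description; any other referrer, or none at all,
# is treated as a direct visit and gets the harmless page.
SEARCH_ENGINES = ("google.com", "bing.com", "duckduckgo.com", "yahoo.com", "aol.com")


def referer_host(headers: dict[str, str]) -> str:
    """Lower-cased hostname from the Referer header, or '' if absent or unparsable."""
    value = next((v for k, v in headers.items() if k.lower() == "referer"), "")
    return (urlparse(value).hostname or "").lower()


def came_from_search_engine(headers: dict[str, str]) -> bool:
    """Match the referrer host by exact name or as a subdomain of a listed engine.

    Suffix matching on '.' + domain keeps 'www.google.com' in and
    'google.com.attacker.example' out; a bare endswith('google.com') would not.
    """
    host = referer_host(headers)
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINES)


def lure_response(headers: dict[str, str]) -> str:
    """Constructed decision: only search-engine arrivals are sent on to the payload stage."""
    return "redirect-to-payload" if came_from_search_engine(headers) else "benign-page"


def analyst_replay_headers(engine: str = "google.com") -> dict[str, str]:
    """Headers an analyst can send (e.g. with curl -H) to reach the gated stage."""
    return {"Referer": f"https://www.{engine}/", "User-Agent": "Mozilla/5.0"}
```

Because the Referer header is entirely client-controlled, a sandbox or crawler that fetches the lure URL directly will only ever see the benign page; replaying the request with a search-engine referrer, as `analyst_replay_headers()` builds, is what exposes the payload stage for analysis.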
Impact
- Security Bypass
- Command Execution
- Sensitive Information Theft
Indicators of Compromise
MD5
- 350cecbee06bc8fd89820d2095a0fb02
- b341ac1a1a31d085c9ffdfd4b83c88b8
- 57f59d6ad2fb3216ed769eab61939e73
- f477f5fbc95bbde03a24cf42f6751afa
SHA-256
- cba9578875a3e222d502bb6a85898939bb9e8e247d30fcc0d44d83a64919f448
- 85962530c71cd31c102853d64a8829f93b63bd1406bdec537b9d8c200f8f0bcc
- b1a6bf93d4ee659db03e51a3765d4d3c2ee3f1b56bd9b701ab5939d63f57d9ee
- 85b1a980eb8ced59f87cb5dd7702e15d6ca38441c4848698d140ffd37d2b55e6
SHA-1
- ef1e5b9cbd5c3cc08933a643719a7069694e7d62
- d6b65528e706585bba33060ef36b15c41c7c38db
- 4d51fc3508bd3e2d772c7052867b88d941ce8d2d
- ae5a1b7a21fecf571d037baf85069d5b58b107ba
URL
- https://eingangfurkunden.digital/
- https://citscale.com/api.php
- https://adslsdfdsfmo.world/
- https://gycltda.cl/home/wp-api.php
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multi-factor authentication (MFA) mechanisms such as biometric verification or one-time passwords (OTPs) to add an extra layer of security to banking transactions.
- Utilize advanced threat detection and monitoring tools to proactively identify and respond to suspicious activities or anomalies indicative of banking trojan activity.
- Adopt secure coding practices and conduct regular security assessments and code reviews to identify and remediate vulnerabilities in online banking applications.
- Educate users about the risks associated with banking trojans, including phishing scams, social engineering tactics, and suspicious downloads, particularly from search results that lead to unfamiliar sites.
- Establish partnerships with other financial institutions, cybersecurity firms, and law enforcement agencies to share threat intelligence and collaborate on the detection and mitigation of banking trojan campaigns.
- Adhere to industry regulations and compliance standards governing data protection, privacy, and financial transactions.
- Deploy advanced security technologies such as endpoint detection and response (EDR) solutions, network intrusion detection systems (NIDS), and machine learning-based anomaly detection tools to detect and prevent banking trojan infections.