Stealthy ZLoader Malware Resurfaces with Advanced DNS Tunneling Arsenal

ZLoader Malware’s Advanced Evolution Raises Cybersecurity Concerns

A new variant of ZLoader malware (version 2.9.4.0) has emerged with enhanced capabilities, particularly in DNS tunneling for command-and-control operations. This sophisticated update follows the malware’s comeback last year, showcasing significant technological advancement.

The latest version introduces several critical improvements, including a custom DNS tunnel protocol for C2 communications, an interactive shell supporting multiple commands, and enhanced ransomware deployment features. Known alternatively as Terdot, DELoader, or Silent Night, ZLoader now incorporates robust anti-analysis features such as domain generation algorithms, host verification mechanisms, and updated API import resolution algorithms.

Recent attack patterns reveal a two-stage deployment process, beginning with a GhostSocks payload and followed by the ZLoader installation. These attacks have been linked to Black Basta ransomware operations, which often obtain remote desktop access through deceptive tech support scenarios.

Technical advancements include:
– Interactive shell for executing various code types
– Enhanced data exfiltration capabilities
– Process termination functions
– Dual communication channels: HTTPS POST requests and DNS tunneling
– TLS-encrypted C2 traffic carried inside DNS packets
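A C2 channel that rides on DNS, as the list above describes, leaves a footprint in resolver logs: many never-repeated query names under one domain, long high-entropy leftmost labels carrying encoded payload, and record types (TXT, NULL) that ordinary clients rarely ask for. The following script is an added example, not code from the article or from the ZLoader research it summarises; it scores a constructed resolver log against those indicators. The log format, the domain names, the thresholds and the naive "last two labels" domain grouping are all assumptions chosen for illustration, and nothing in it is specific to ZLoader's actual protocol.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic). Format: "<timestamp> <client> <qtype> <qname>".
# The example.com lines stand in for normal browsing; the update-cache-example.net lines
# mimic the shape of an encoded-payload-in-subdomain channel.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.0.0.5 A www.example.com
2025-01-10T09:00:02Z 10.0.0.5 AAAA www.example.com
2025-01-10T09:00:03Z 10.0.0.5 MX mail.example.com
2025-01-10T09:00:04Z 10.0.0.5 A cdn.example.com
2025-01-10T09:00:05Z 10.0.0.7 TXT 4f2a9c1e7b3d8e6a0c5f.t1.update-cache-example.net
2025-01-10T09:00:05Z 10.0.0.7 TXT 9b7e1d3c5a8f2e4b6d0a.t1.update-cache-example.net
2025-01-10T09:00:06Z 10.0.0.7 TXT 1c3e5a7f9b2d4e6c8a0b.t1.update-cache-example.net
2025-01-10T09:00:06Z 10.0.0.7 TXT a0b2c4d6e8f1a3b5c7d9.t1.update-cache-example.net
2025-01-10T09:00:07Z 10.0.0.7 TXT e7d5c3b1a9f8e6d4c2b0.t1.update-cache-example.net
2025-01-10T09:00:07Z 10.0.0.7 TXT 5f6e7d8c9b0a1f2e3d4c.t1.update-cache-example.net
2025-01-10T09:00:08Z 10.0.0.7 TXT 2b4d6f8a0c1e3a5c7e9b.t1.update-cache-example.net
2025-01-10T09:00:08Z 10.0.0.7 TXT c9a7e5d3b1f0c8e6a4d2.t1.update-cache-example.net
"""

# Illustrative thresholds (assumptions); tune them against your own baseline traffic.
RARE_QTYPES = {"TXT", "NULL"}
MIN_QUERIES = 5        # do not score the name-churn indicator on fewer queries than this
ENTROPY_BITS = 3.0     # mean per-character entropy of the leftmost label
LABEL_LEN = 16         # mean length of the leftmost label
SUSPICIOUS_SCORE = 2   # number of indicators that must fire


def shannon_entropy(text: str) -> float:
    """Bits per character of the string; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into (client, qtype, qname); None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' grouping; a real deployment would use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text: str) -> dict:
    """Aggregate queries per registered domain and score each one for tunnelling indicators."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "entropy": 0.0,
                                 "label_len": 0, "rare_types": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _client, qtype, qname = parsed
        s = stats[registered_domain(qname)]
        first_label = qname.split(".")[0]
        s["queries"] += 1
        s["names"].add(qname)
        s["entropy"] += shannon_entropy(first_label)
        s["label_len"] += len(first_label)
        s["rare_types"] += int(qtype in RARE_QTYPES)

    report = {}
    for dom, s in stats.items():
        n = s["queries"]
        reasons = []
        if n >= MIN_QUERIES and len(s["names"]) / n > 0.8:
            reasons.append("query names almost never repeat")
        if s["entropy"] / n >= ENTROPY_BITS:
            reasons.append("high-entropy leftmost label")
        if s["label_len"] / n >= LABEL_LEN:
            reasons.append("long leftmost label")
        if s["rare_types"] / n >= 0.5:
            reasons.append("mostly TXT/NULL queries")
        report[dom] = {
            "queries": n,
            "unique_names": len(s["names"]),
            "score": len(reasons),
            "reasons": reasons,
            "suspicious": len(reasons) >= SUSPICIOUS_SCORE,
        }
    return report


if __name__ == "__main__":
    for dom, r in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{dom:28} {r['queries']:3} queries  score={r['score']}  {flag}  "
              f"{', '.join(r['reasons'])}")
```

Each indicator alone produces false positives (CDNs and anti-spam services legitimately emit long hashed labels, and some telemetry uses TXT), which is why the script requires several to coincide before flagging a domain; in practice the per-domain counters would be kept over a sliding window and joined with the client's HTTPS activity, since the article notes the malware falls back between the two channels.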

This evolution positions ZLoader as a sophisticated initial access tool for ransomware operations, with improved detection evasion and operational resilience capabilities.