Threat hunters have identified a new campaign delivering the ZLoader malware, which has resurfaced nearly two years after its botnet infrastructure was dismantled in April 2022.
The new variant has been in development since September 2023, according to an analysis Zscaler ThreatLabz published this month.
“The new version of Zloader has made significant changes to the loader module, which has added RSA encryption, updated the domain generation algorithm, and is now compiled for the first time for 64-bit Windows operating systems,” said researchers Santiago Vicente and Ismael Garcia Perez.
ZLoader, also known by the names Terdot, DELoader or Silent Night, is a branch of the Zeus banking Trojan that first emerged in 2015, before becoming a loader for later-stage payloads, including ransomware.
Typically distributed via phishing emails and malicious search engine ads, ZLoader took a hit after a group of companies led by Microsoft’s Digital Crimes Unit (DCU) took control of 65 domains used to control and communicate with infected hosts.
The latest versions of the malware, identified as 2.1.6.0 and 2.1.7.0, incorporate junk code and string obfuscation to resist analysis. Each ZLoader artifact also expects a specific file name in order to run on the compromised host.
“This could evade malware sandboxes that rename sample files,” the researchers noted.
Besides encrypting its static configuration with RC4 under a hardcoded alphanumeric key, which hides the campaign name and the command-and-control (C2) servers, the malware relies on an updated domain generation algorithm (DGA) as a fallback in case the primary C2 servers are unreachable.
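A static configuration protected by RC4 under a hardcoded key is only as hidden as the key is hard to find, so an analyst who recovers the key from the sample can decrypt the configuration directly. The script below is an added example for that analyst workflow; it is not ZLoader's own code, and the page does not give the real key, field layout or offsets, so the key, the `name=value` layout, the `.invalid` C2 hostnames and the sample blob are all constructed here for illustration.

```python
"""RC4 static-config extraction helper (added example; not ZLoader's code).

The key, the config field layout and the sample blob are constructed for
illustration. The real ZLoader key and layout are not given on the page.
"""
from typing import Dict, List, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation).

    RC4 is symmetric, so the same call both encrypts and decrypts.
    """
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:                             # PRGA, XOR with input
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plain: bytes) -> Dict[str, List[str]]:
    """Parse the CONSTRUCTED layout: NUL-separated 'name=value' fields,
    terminated by a double NUL. Repeated names (e.g. several C2 entries)
    are collected into a list. This is not ZLoader's real format."""
    fields: Dict[str, List[str]] = {}
    for chunk in plain.split(b"\x00"):
        if not chunk:                          # empty chunk == terminator
            break
        name, _, value = chunk.partition(b"=")
        fields.setdefault(name.decode("ascii", "replace"), []).append(
            value.decode("ascii", "replace"))
    return fields


def looks_like_config(plain: bytes) -> bool:
    """Cheap plausibility check for a candidate decryption: almost entirely
    printable ASCII (or NUL separators) and at least one assignment."""
    ok = sum(1 for b in plain if 32 <= b < 127 or b == 0)
    return len(plain) > 0 and ok >= 0.95 * len(plain) and b"=" in plain


def try_keys(blob: bytes, candidates: List[bytes]) -> Optional[bytes]:
    """Try candidate hardcoded keys (e.g. alphanumeric strings pulled from
    the sample) and return the first one that yields a plausible config."""
    for key in candidates:
        if looks_like_config(rc4(key, blob)):
            return key
    return None


def extract_config(blob: bytes, key: bytes) -> Dict[str, List[str]]:
    """Decrypt the blob with the recovered key and parse the fields."""
    return parse_config(rc4(key, blob))


# --- constructed sample (generated right here; NOT a real ZLoader blob) ---
SAMPLE_KEY = b"k9Qx2vLp7aZc"                   # constructed alphanumeric key
SAMPLE_PLAIN = (b"botnet=example_campaign\x00"
                b"c2=https://c2-placeholder.invalid/gate.php\x00"
                b"c2=https://c2-backup.invalid/gate.php\x00"
                b"\x00")
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAIN)


if __name__ == "__main__":
    # Simulate the analyst step: a few candidate strings, one of them right.
    found = try_keys(SAMPLE_BLOB, [b"wrongkey", b"AAAAAAAA", SAMPLE_KEY])
    print("recovered key:", found)
    print(extract_config(SAMPLE_BLOB, found))
```

The plausibility check is what makes key recovery practical against a list of candidate strings: a wrong RC4 key produces pseudo-random bytes, of which only about three in eight are printable, so the 95% threshold rejects it without any knowledge of the real layout. `rc4` can be checked against the standard public test vector (key `Key`, plaintext `Plaintext` gives `bbf316e8d940af0ad3`).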
This fallback communication method was first observed in ZLoader version 1.1.22.0, which was distributed in phishing campaigns detected in March 2020.
“Zloader has been a significant threat for many years and its return will likely lead to new ransomware attacks,” the researchers said. “The operational takedown temporarily stopped the activity, but not the threat group behind it.”
The development comes as Red Canary warned of an increase in the volume of campaigns abusing MSIX files to deliver malware such as NetSupport RAT, ZLoader and FakeBat (aka EugenLoader) starting in July 2023, which prompted Microsoft to disable the protocol handler by default at the end of December 2023.
It also follows the emergence of new stealer malware families such as Rage Stealer and Monster Stealer, which are used as an initial access vector for information theft and as a launching pad for more serious cyberattacks.