Security analysts have recently uncovered a resurgence of the ZLoader malware through a new campaign, marking its return almost two years after the takedown of the botnet's infrastructure in April 2022. Zscaler ThreatLabz reported the emergence of a fresh variant of the malware, indicating that development has been ongoing since September 2023. Changes in this version include the introduction of RSA encryption, updates to the domain generation algorithm (DGA), and compilation for 64-bit Windows, a first for ZLoader. Originally derived from the Zeus banking trojan in 2015, ZLoader shifted its focus to acting as a loader for follow-on payloads such as ransomware.
Typically distributed through phishing emails and malicious search-engine ads, ZLoader suffered a significant setback when a coalition of companies led by Microsoft's Digital Crimes Unit (DCU) seized control of 65 domains used to control and communicate with infected hosts. The latest iterations of the malware, tracked as versions 2.1.6.0 and 2.1.7.0, show renewed sophistication. They incorporate junk code and string obfuscation, making analysis more challenging. Each ZLoader artifact now requires a specific filename to execute on a compromised host, a tactic aimed at evading malware sandboxes that rename sample files before detonation.
Beyond these evasion techniques, ZLoader's latest versions encrypt the static configuration using RC4 with a hardcoded alphanumeric key, concealing information about the campaign and the command-and-control (C2) servers from casual string inspection. Because the key is embedded in the sample itself, the configuration can be recovered by an analyst once the key is located. The malware also uses an updated version of the DGA as a fallback communication channel if the primary C2 servers become inaccessible. Analysts warn that ZLoader's resurgence could lead to a fresh wave of ransomware attacks. This development aligns with a broader trend: Red Canary recently highlighted an uptick in campaigns leveraging MSIX files to distribute malware since July 2023, and new stealer families such as Rage Stealer and Monster Stealer have emerged, acting as initial access points for information theft and enabling more severe attacks.
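The following is an added example, not code from the Zscaler report or from ZLoader, showing how an analyst recovers a static configuration that is protected only by RC4 with a hardcoded key. The key, the config layout ("key=value" lines with a comma-separated C2 list) and the candidate strings are all constructed for illustration; ZLoader's real key and config format are not reproduced here. The practical point is the key-recovery loop: alphanumeric strings pulled from the binary are tried as RC4 keys, and the one whose output is almost entirely printable text is the real key.

```python
"""Added example: recovering an RC4-encrypted static config.

Everything below is constructed for illustration: SAMPLE_KEY, the config
layout and the candidate strings are NOT ZLoader's real key or format.
"""
import string


def rc4_keystream(key: bytes):
    """RC4 key scheduling (KSA) followed by the PRGA; yields keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def parse_config(blob: bytes) -> dict:
    """Parse the constructed 'key=value' layout; 'c2' holds a comma-separated list."""
    cfg = {}
    for line in blob.decode("ascii").splitlines():
        k, _, v = line.partition("=")
        cfg[k] = v.split(",") if k == "c2" else v
    return cfg


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (random bytes score ~0.39)."""
    ok = set(string.printable.encode())
    return sum(b in ok for b in data) / max(len(data), 1)


def find_key(candidates, blob: bytes, threshold: float = 0.95):
    """Try each candidate key (e.g. alphanumeric strings extracted from the
    binary) and return the first whose RC4 output looks like plaintext."""
    for cand in candidates:
        if printable_ratio(rc4(cand, blob)) >= threshold:
            return cand
    return None


# --- constructed sample data (hypothetical, not real ZLoader values) ---
SAMPLE_KEY = b"q7Rt2Xp9Lm4Z"
SAMPLE_CONFIG = (b"botnet=demo\n"
                 b"campaign=test01\n"
                 b"c2=c2-a.example,c2-b.example\n")
ENCRYPTED_CONFIG = rc4(SAMPLE_KEY, SAMPLE_CONFIG)
# Strings an analyst might pull from the sample; only one is the real key.
CANDIDATE_STRINGS = [b"kernel32.dll", b"GetProcAddress", SAMPLE_KEY, b"VirtualAlloc"]

if __name__ == "__main__":
    key = find_key(CANDIDATE_STRINGS, ENCRYPTED_CONFIG)
    print("recovered key:", key)
    print(parse_config(rc4(key, ENCRYPTED_CONFIG)))
```

The printable-ratio heuristic works because a wrong RC4 key yields effectively random bytes, of which only about 39% fall in the printable ASCII range, while a correctly decrypted text config scores near 1.0. On a real sample the candidate list would come from the string table of the unpacked binary and the parser would be replaced by one matching the actual config layout.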