EXECUTIVE SUMMARY
Zloader is a trojan that began as a banking credential stealer and has since been repurposed as a general-purpose access tool for breaking into corporate networks and staging ransomware. Recent builds show the authors concentrating on hiding activity and making the code harder to analyze. The malware now stacks more layers of simple obfuscation, checks the integrity level of its own process before it runs, and only executes under expected filenames (now a pair of generic ones) to frustrate automated analysis. It is not spread widely at random; instead it appears in a small number of targeted intrusions, which makes samples rare. Network communication has also changed to be less conspicuous. Where it once relied on standard encrypted channels, newer versions hide commands and data inside normal-looking traffic using custom encoding and can upgrade connections so they resemble ordinary web traffic. The interactive control shell has gained commands that help locate other machines and move across a network.
Several specific changes make the latest builds harder to analyze and detect. The strict filename check was relaxed to accept two generic names, Updater.exe and Updater.dll, giving operators more flexibility when deploying or updating the malware. Obfuscation was increased by adding multiple simple XOR-style decoding steps that must each be reversed before the real logic becomes visible. The program checks its process integrity level and, when it sees elevated rights, either refuses to run or installs to a user folder, a behavior aimed at sandboxes that execute samples with high privileges. The static command-server settings were reorganized so that server names and DNS entries live in a compact JSON-like block, with placeholder entries inserted to confuse automated parsers. The DNS tunnel used for command and control was reworked: it now layers Base32 encoding over a custom decode key derived from a short random value and a hardcoded number, then applies the familiar payload encryption steps: a visual-encrypt routine, an RC4 key for the payload, and a public key that protects that RC4 key. The malware also dropped its old domain generation step and added support for upgraded web connections so that traffic blends in with normal web use. New shell functions include directory and LDAP-style queries to locate targets on a network and run payloads or shellcode, expanding how operators can move laterally.
Zloader has moved from a narrow banking tool to a quiet but capable access tool used to enter and map networks for follow-on attacks. It now focuses on hiding itself, resisting easy analysis, and giving operators ways to discover other machines and hand off access. The shift from broad spread to a targeted approach means defenders see it less often but face deeper compromises when it does appear. Key signs of this shift are the added filename flexibility, the extra obfuscation layers, the process integrity check before installation, the compact static config format, the reworked DNS tunnel, and the new network discovery commands. Together these updates make the malware better at staying out of view and supporting later stages of an attack than at causing loud, fast infections. Because it is used selectively, defenders who do encounter it are likely dealing with a focused intrusion in which the intruder aims to keep access and expand control quietly rather than cause a quick, noisy outbreak.
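The Base32-layered DNS tunnel described above leaves a characteristic trace in resolver logs: long, high-entropy query labels drawn only from the Base32 alphabet, repeated many times toward one parent domain. The following detector is an added example written for this summary, not code from the page or from either referenced report; the log line format, the entropy threshold, the placeholder domain tunnel.invalid and the sample lines are all constructed assumptions.

```python
import base64
import hashlib
import math
import re
from collections import defaultdict

# Labels made only of the RFC 4648 Base32 alphabet (A-Z, 2-7), 16-63 chars (DNS label limit).
BASE32_LABEL = re.compile(r"^[a-z2-7]{16,63}$", re.IGNORECASE)

def shannon_entropy(s: str) -> float:
    """Bits per character of s; Base32-encoded data approaches 5, real hostnames stay well below."""
    counts = defaultdict(int)
    for ch in s.lower():
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_labels(qname: str, min_entropy: float = 3.5) -> list:
    """Return the labels of qname that look like Base32-encoded tunnel data."""
    labels = qname.rstrip(".").split(".")
    # Assumption: the last two labels are the parent domain the tunnel is carried under.
    return [l for l in labels[:-2]
            if BASE32_LABEL.match(l) and shannon_entropy(l) >= min_entropy]

def scan_log(text: str, min_hits: int = 2) -> dict:
    """Count Base32-looking queries per (client, parent domain) from '<ts> <client> <qtype> <qname>' lines."""
    hits = defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, _qtype, qname = parts
        if suspicious_labels(qname):
            parent = ".".join(qname.rstrip(".").split(".")[-2:])
            hits[(client, parent)] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

def _b32_label(seed: bytes) -> str:
    """Constructed stand-in for an encoded tunnel chunk: Base32 of a hash, padding stripped."""
    return base64.b32encode(hashlib.sha256(seed).digest()).decode().rstrip("=").lower()

# Constructed sample resolver log (not a real capture); tunnel.invalid is a placeholder domain.
SAMPLE_LOG = "\n".join([
    "2024-01-01T10:00:01Z 10.0.0.5 A www.example.com",
    f"2024-01-01T10:00:02Z 10.0.0.5 TXT {_b32_label(b'chunk1')}.tunnel.invalid",
    f"2024-01-01T10:00:03Z 10.0.0.5 TXT {_b32_label(b'chunk2')}.tunnel.invalid",
    f"2024-01-01T10:00:04Z 10.0.0.5 TXT {_b32_label(b'chunk3')}.tunnel.invalid",
    "2024-01-01T10:00:05Z 10.0.0.7 A productioncdnedge.static-assets.example.net",
])
```

`scan_log(SAMPLE_LOG)` reports only the client that repeatedly queried Base32-shaped labels under one parent domain; the entropy threshold keeps long but ordinary hostnames out, and the per-pair count suppresses one-off matches.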
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique |
---|---|---|---|
Initial Access | T1566 | Phishing | – |
Initial Access | T1204 | User Execution | – |
Execution | T1059 | Command and Scripting Interpreter | – |
Persistence | T1547 | Boot or Logon Autostart Execution | – |
Defense Evasion | T1027 | Obfuscated Files or Information | – |
Defense Evasion | T1036 | Masquerading | – |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion | – |
Discovery | T1046 | Network Service Discovery | – |
Lateral Movement | T1021 | Remote Services | – |
Command and Control | T1071.004 | Application Layer Protocol | DNS |
Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
Impact | T1486 | Data Encrypted for Impact | – |
MBC MAPPING:
Objective | Behaviour ID | Behaviour |
---|---|---|
Defense Evasion | F0015.001 | Export Address Table Hooking |
Anti-Static Analysis | E1027.m03 | Encoding - Custom Algorithm |
Anti-Behavioral Analysis | B0001.008 | IsDebuggerPresent |
Command and Control | C0002.002 | HTTP Communication (Client) |
Persistence | F0012 | Registry Run Keys / Startup Folder |
Credential Access | C0051 | Read File |
Collection | F0002.002 | Keylogging (Polling) |
Discovery | E1082.m02 | Enumerate Environment Variables |
Lateral Movement | E1105 | Ingress Tool Transfer |
Execution | E1055.001 | Dynamic-link Library Injection |
REFERENCES:
The following reports contain further
https://securityonline.info/zloader-resurfaces-stealthier-trojan-evolves-with-dns-tunneling-and-websocket-c2/
https://www.zscaler.com/blogs/security-research/technical-analysis-zloader-updates