Pierluigi Paganini May 03, 2024

Zloader continues to evolve, its authors added an anti-analysis feature that was originally present in the Zeus banking trojan.

Zloader (aka Terdot, DELoader, or Silent Night) is a modular trojan based on the leaked ZeuS source code. After a hiatus of almost two years, Zloader reappeared with new obfuscation techniques, domain generation algorithm (DGA), and network communication.

Recently, its authors reintroduced an anti-analysis feature similar to the one implemented in the original ZeuS 2.x code. This feature prevents malware execution outside the infected machine, a feature that had been abandoned by many malware variants that borrow the Zeus leaked source code.

“Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus.” reads the analysis published by Zscaler. “The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection. A similar anti-analysis feature was present in the leaked ZeuS 2.X source code, but implemented differently.”

Zloader samples with versions greater than 2.4.1.0 will abruptly terminate if they are copied and executed on another system after the initial infection. The malware implements this feature by checking a specific key/value in the Windows registry.

Each sample generates the registry key and value based on a unique hardcoded seed.

“If the registry key/value pair is manually created (or this check is patched), Zloader will successfully inject itself into a new process. However, it will terminate again after executing only a few instructions.” continues the analysis. “This is due to a secondary check in Zloader’s MZ header.”

Zscaler observed that Zloader’s method of storing installation data to evade detection shows similarities to Zeus version 2.0.8, albeit with a different implementation. Instead of using the Registry, Zloader uses a data structure called PeSettings to store its configuration.

The anti-analysis technique implemented in Zloader makes the malicious code harder to detect and analyze.

“In recent versions, Zloader has adopted a stealthy approach to system infections. This new anti-analysis technique makes Zloader even more challenging to detect and analyze. The samples analyzed by ThreatLabz have all been pre-initialized, suggesting a more targeted distribution strategy.” concludes the report.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, malware)