
Digital safety starts here, for both commercial and personal use.

Defend Your Business Against the Latest WNY Cyber Threats

We offer safe, secure and affordable solutions for your business and personal networks and devices.



WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet programmers who have to deal daily with cyber threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

ZLoader Malware Returns With DNS Tunneling to Stealthily Mask C2 Comms

Summary:
Zscaler's ThreatLabz team has analyzed a new version of ZLoader (2.9.4.0) that adds an interactive shell for hands-on-keyboard activity and a DNS tunnel for C2 communications. The interactive shell lets operators execute arbitrary binaries and shellcode, exfiltrate data, terminate processes, and perform a range of other post-exploitation actions. Zscaler notes that these capabilities are particularly attractive to ransomware actors, who could use them to stage encryptors and steal data from compromised environments. ZLoader's anti-analysis techniques have also been refined: environment checks and API import resolution algorithms are designed to defeat malware sandboxes and static signature-based detection, letting the malware evade detection for extended periods. The most significant change is to C2 communications. HTTPS POST requests remain the primary C2 channel, but ZLoader now also supports DNS tunneling, encapsulating its encrypted TLS session inside DNS queries and responses. Because those packets travel through the organization's own recursive resolvers, the tunnel blends in with ordinary name resolution and is harder to detect and block than a direct HTTPS connection to an unfamiliar host.

Security Officer Comments:
ZLoader (also tracked as Terdot, DELoader and Silent Night) is a modular Trojan built on the Zeus banking Trojan source code, which leaked in 2011; ZLoader itself was first seen in 2015. Initially a banking Trojan, it has since been repurposed as an initial-access tool, giving cybercriminals a foothold in corporate environments from which ransomware is deployed. It has recently been linked to Black Basta ransomware campaigns, where it serves as the delivery mechanism for Black Basta's encryptor inside compromised networks. According to Zscaler, the attackers typically impersonate help desk support to persuade employees to start a session over remote monitoring and management tools such as AnyDesk, TeamViewer or Microsoft Quick Assist. Once connected, they deploy a malware variant called GhostSocks, which in turn installs ZLoader, ultimately leading to the deployment of Black Basta ransomware.

Suggested Corrections:
In general, employees should be educated about unsolicited remote support requests and trained to verify such contacts through a known internal channel (for example, by calling the help desk back on a published number) before allowing any remote session. Restricting remote monitoring and management tools to approved products and authorized personnel, alerting on unapproved ones, and requiring multi-factor authentication for access to sensitive systems all help prevent unauthorized connections. Regular patching and network segmentation limit what an intruder can reach once inside. Because this ZLoader version can move its C2 traffic into DNS, DNS visibility matters: force all clients to use internal resolvers, block direct outbound DNS and DNS-over-HTTPS to arbitrary servers so that tunneled traffic has to pass through logged infrastructure, and monitor those logs for the patterns DNS tunnels produce, such as bursts of queries for many unique, long, high-entropy subdomains of a single domain, or unusual volumes of TXT or NULL records.
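The DNS tunneling described in the Summary, and the "monitor DNS traffic for unusual patterns" advice above, come together in the following triage script. It is an added example written for this page, not code from Zscaler, from the ZLoader sample, or from any product; the log format, the thresholds, the reserved c2-tunnel.invalid domain and every log line are constructed assumptions, not published indicators. It groups resolver queries by registered domain and flags domains whose subdomains look like encoded payload (many unique names, long labels, high character entropy) or whose queries are mostly payload-friendly record types such as TXT.

```python
"""Toy DNS-tunneling triage over resolver query logs.

Added example for this page; not code from Zscaler or from ZLoader itself.
Thresholds, log format and sample lines are illustrative assumptions.
"""
import math
from collections import defaultdict

# Constructed sample resolver log lines: "<timestamp> <client> <qtype> <qname>".
# The c2-tunnel.invalid queries imitate a tunnel carrying encoded TLS bytes in
# long hex labels (a fictional domain under the reserved .invalid TLD);
# the example.com lines are ordinary browsing.
SAMPLE_LOG = """\
2024-12-10T09:00:01Z 10.0.0.12 A www.example.com
2024-12-10T09:00:02Z 10.0.0.12 A cdn.example.com
2024-12-10T09:00:03Z 10.0.0.12 AAAA mail.example.com
2024-12-10T09:00:04Z 10.0.0.12 A www.example.com
2024-12-10T09:00:05Z 10.0.0.40 TXT 4f1c9e2a7b0d6385c2e8a1f4d9b7c036.t1.c2-tunnel.invalid
2024-12-10T09:00:05Z 10.0.0.40 TXT a83d5f9e1c7b2046e9f3a8d1c5b7e024.t1.c2-tunnel.invalid
2024-12-10T09:00:06Z 10.0.0.40 TXT 7e2b9c4f1a6d8305f4c7a2e9b1d6f830.t1.c2-tunnel.invalid
2024-12-10T09:00:06Z 10.0.0.40 TXT d1f8a3c6e9b2754f0c3e8a1d5b9f7e26.t1.c2-tunnel.invalid
2024-12-10T09:00:07Z 10.0.0.40 TXT 9c5e1a7f3b8d2640e7a9c3f1b5d8e042.t1.c2-tunnel.invalid
2024-12-10T09:00:07Z 10.0.0.40 TXT 2b7d4f9a1e6c8350a4f8c1e7b9d3f625.t1.c2-tunnel.invalid
"""

# Illustrative thresholds (assumptions; tune against your own baseline).
MIN_UNIQUE_NAMES = 5       # distinct qnames seen under one registered domain
MIN_AVG_PAYLOAD_LEN = 30   # characters of subdomain text per query
MIN_ENTROPY_BITS = 3.5     # Shannon entropy of the subdomain characters
MIN_TXT_RATIO = 0.5        # share of TXT/NULL queries (payload-friendly types)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over text (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (registered_domain, subdomain_text_with_dots_removed).

    Assumption: the registered domain is the last two labels. Production
    code should use the Public Suffix List (e.g. example.co.uk has three).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def profile_domains(log_text: str) -> dict[str, dict]:
    """Aggregate per-registered-domain features from raw log lines."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "payload": "",
                                 "payload_len_total": 0, "txt_like": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qtype, qname = parts
        domain, payload = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["payload"] += payload
        s["payload_len_total"] += len(payload)
        if qtype.upper() in ("TXT", "NULL"):
            s["txt_like"] += 1
    return stats


def flag_tunnels(log_text: str) -> dict[str, list[str]]:
    """Return {registered_domain: [reasons]} for domains that look like tunnels."""
    findings = {}
    for domain, s in profile_domains(log_text).items():
        if len(s["names"]) < MIN_UNIQUE_NAMES:
            continue  # a handful of hostnames is normal for any domain
        avg_len = s["payload_len_total"] / s["queries"]
        entropy = shannon_entropy(s["payload"])
        txt_ratio = s["txt_like"] / s["queries"]
        reasons = []
        if avg_len >= MIN_AVG_PAYLOAD_LEN and entropy >= MIN_ENTROPY_BITS:
            reasons.append(f"long high-entropy labels (avg {avg_len:.0f} chars, {entropy:.2f} bits)")
        if txt_ratio >= MIN_TXT_RATIO:
            reasons.append(f"{txt_ratio:.0%} TXT/NULL queries")
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in flag_tunnels(SAMPLE_LOG).items():
        print(f"SUSPECT {domain}: " + "; ".join(reasons))
```

On the constructed sample the script flags only c2-tunnel.invalid, for both reasons, and leaves example.com alone because it has too few distinct names to matter. In practice the per-domain features should be computed over a time window and compared with a baseline of the organization's own resolver traffic, since CDNs and some security products also generate many unique, machine-looking subdomains; the point of the exercise is that none of this is visible unless clients are forced through resolvers that log queries in the first place.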

Link(s):
https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-trick-dns-tunneling
https://thehackernews.com/2024/12/zloader-malware-returns-with-dns.html