Developers of the ZLoader malware, which recently resumed activity after a two-year break, have introduced a number of new functions inspired by the Zeus banking Trojan. Santiago Vicente, a researcher at Zscaler, detailed in a technical report that the latest version of ZLoader, 2.4.1.0, now includes a function that prevents the program from running on any computer other than the one initially infected. This function draws inspiration from the Zeus 2.x source code.
ZLoader, also known as Terdot, DELoader, or Silent Night, made a comeback in September 2023 after being dismantled in early 2022. This modular Trojan loader is capable of downloading and executing a wide range of malicious software. The latest updates to ZLoader include support for the RSA algorithm and an updated domain generation algorithm (DGA).
The new anti-analysis functions integrated into the Trojan restrict execution of the malicious code to the originally infected computer. Any attempt to run the program on another computer after infection causes it to stop immediately. This is achieved through a check of the Windows Registry for a specific key and its value.
Vicente pointed out that if a user manually creates the required key/value pair in the registry or modifies the check, ZLoader will initially run on the new system but will eventually stop after a few instructions due to an additional check in the MZ file header.
Another Zscaler researcher, Kaivalya Hursale, highlighted that the attackers distributing ZLoader use search engine optimization techniques and phishing sites hosted on platforms such as Weebly. These fraudulent sites masquerade as legitimate sources and often appear at the top of search results, increasing the likelihood that unsuspecting users are redirected to malicious websites.
Overall, the continuous efforts of cybercriminals to enhance their malicious creations show how determined they are to protect their assets and shield their harmful code from security researchers. These ongoing improvements underscore the need for constant threat monitoring and the development of effective countermeasures within the cybersecurity industry.