
Inside Zloader's Latest Trick: DNS Tunneling

Published 11/12/2024 02:51 · Modified 11/12/2024 11:04


Essential information

Published
11/12/2024 02:51
Modified
11/12/2024 11:04
Tags
2024-12-11, banking trojan, dns tunneling, ghostsocks, malware evolution, zeus variant, zloader
Related entities
3 observables, 1 intrusion sets (apt), 14 techniques (mitre), 2 malware, 1 others

Description

Zloader, a modular Trojan based on the Zeus source code, has introduced new features in version 2.9.4.0 to strengthen its anti-analysis capabilities and its resilience against detection. Key updates include a custom DNS tunnel protocol for C2 communications, an interactive shell supporting over a dozen commands, and improved anti-analysis techniques. The malware is now distributed through more targeted methods, moving away from large-scale spam campaigns. Technical analysis reveals changes in configuration, environment checks, API resolution, and network communication. The DNS tunneling feature encapsulates encrypted TLS traffic in a custom protocol carried in DNS records, adding a further layer of obfuscation to the C2 channel.

External references