Inside Zloader's Latest Trick: DNS Tunneling
Essential information
- Published: 11/12/2024 02:51
- Modified: 11/12/2024 11:04
- Tags: 2024-12-11, banking trojan, dns tunneling, ghostsocks, malware evolution, zeus variant, zloader
- Related entities: 3 observables, 1 intrusion set (APT), 14 techniques (MITRE), 2 malware, 1 other
Description
Zloader, a modular Trojan based on Zeus source code, has introduced new features in version 2.9.4.0 to enhance its anti-analysis capabilities and resilience against detection. Key updates include a custom DNS tunnel protocol for C2 communications, an interactive shell supporting over a dozen commands, and improved anti-analysis techniques. The malware now uses more targeted distribution methods, moving away from large-scale spam campaigns. Technical analysis reveals changes in configuration, environment checks, API resolution, and network communication. The new DNS tunneling feature allows Zloader to encapsulate encrypted TLS traffic through a custom protocol using DNS records, providing an additional layer of obfuscation.