{
  "name": "Inside Zloader's Latest Trick: DNS Tunneling",
  "slug": "inside-zloaders-latest-trick-dns-tunneling",
  "description": "Zloader, a modular Trojan based on Zeus source code, has introduced new features in version 2.9.4.0 to enhance its anti-analysis capabilities and resilience against detection. Key updates include a custom DNS tunnel protocol for C2 communications, an interactive shell supporting over a dozen commands, and improved anti-analysis techniques. The malware now uses more targeted distribution methods, moving away from large-scale spam campaigns. Technical analysis reveals changes to its configuration, environment checks, API resolution, and network communication. The new DNS tunneling feature allows Zloader to encapsulate encrypted TLS traffic in a custom protocol carried over DNS records, providing an additional layer of obfuscation.",
  "published": "2024-12-11T01:51:38+00:00",
  "created_at": "2024-12-11T01:51:38+00:00",
  "modified_at": "2024-12-11T10:04:06+00:00",
  "created_at_opencti": "2024-12-11T01:51:38+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-12-11",
    "banking trojan",
    "dns tunneling",
    "ghostsocks",
    "malware evolution",
    "zeus variant",
    "zloader"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "45.61.152.154"
      },
      {
        "id": "",
        "name": "bigdealcenter.world"
      },
      {
        "id": "",
        "name": "6713bfbe1a8dea1ce0b97a5196762fe327f8da770a06e9aff09fff3a4f07cc14"
      }
    ],
    "malware": [
      {
        "id": "9d08599d-7144-488d-9720-534326c932e2",
        "name": "GhostSocks",
        "slug": "ghostsocks"
      },
      {
        "id": "legacy:malware:b8695e8f1cacd1a8",
        "name": "Zloader",
        "slug": "zloader"
      }
    ],
    "intrusion_sets": [
      {
        "id": "2658adfd-9d77-4f9c-9186-45ed3909932c",
        "name": "Zloader",
        "slug": "zloader"
      }
    ],
    "attack_patterns": [
      {
        "id": "ce39cd5d-9e4c-4138-b546-abd68e57f8c2",
        "name": "T1071.004"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://securityboulevard.com/2024/12/inside-zloaders-latest-trick-dns-tunneling/",
    "https://otx.alienvault.com/pulse/6758fe3a29e8bd68d2b55da9"
  ]
}