ZLoader
Description
This family covers the (initially small) loader that downloads Zeus OpenSSL.
In June 2016, a new loader was dubbed DEloader by Fortinet. It borrows some functions from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly it downloaded a Zeus-like banking trojan (→ Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded. The initial samples from May 2016 were small (17920 bytes). At some point visualEncrypt/visualDecrypt was added; it is present, for example, in v1.11.0.0 (September 2016), which is 27648 bytes in size. In January 2017, with v1.15.0.0, obfuscation was added, which inflated the size to roughly 80 KB, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which began distributing the loader at the same time.
Names
| Name |
|---|
| ZLoader |
| Terdot |
| DELoader |
Category
Malware
Type
- Botnet
- Downloader
Information
- https://threatvector.cylance.com/en_us/home/threat-spotlight-terdot-a-zloader-malicious-downloader.html
- https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html
- https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/
- https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks
- https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/
- https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware
- https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/
- https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns
- https://blog.checkpoint.com/2020/06/04/coronavirus-update-not-the-type-of-cv-youre-looking-for/
- https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed
- https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/
- https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/
- https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/
- https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems
- https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night
- https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks
- https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-trick-dns-tunneling
Malpedia
Alienvault Otx
Other Information
Uuid
fb0df443-6978-48d9-ab3e-4f3f88aa3b92
Last Card Change
2024-12-27