New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility

Summary:
Researchers at Zscaler have uncovered a new campaign delivering a new variant of the ZLoader malware to targeted systems. The variant appears to have been in development since September 2023 and contains significant changes to the loader module: it adds RC4 encryption, updates the domain generation algorithm (DGA), and is compiled for 64-bit Windows for the first time. Like earlier builds, the latest versions (2.1.6.0 and 2.1.7.0) use custom obfuscation in which junk code made up of assorted arithmetic operations is interleaved with the real logic. They also combine API import hashing with string encryption to hinder analysis by security researchers.
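As an added illustration (not code from Zscaler's report or from ZLoader itself), the Python sketch below shows what two of the analysis-hindering techniques named above look like and how an analyst undoes them: strings that sit in the binary RC4-encrypted and are only decrypted at run time, and API import hashing, where the loader stores a hash of each export name instead of the name and resolves it at run time. The hash function, the RC4 key, the sample strings and the export list are all constructed assumptions for this example; they are not ZLoader's actual values.

```python
"""Added example: RC4 string encryption and API import hashing, loader side
and analyst side. Nothing here is ZLoader's real key, hash or data."""


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def api_hash(name: str) -> int:
    """Toy ROR13-style hash over an export name (assumption: this is a
    generic construction, not ZLoader's hash). A loader stores only this
    32-bit value, so neither the import table nor a strings dump reveals
    which APIs it uses."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


# ---- constructed "build-time" artifacts a loader would embed -------------
KEY = b"example-rc4-key"  # assumption: not a real ZLoader key
_PLAIN = b"/api/v1/gate\x00Mozilla/5.0\x00POST\x00"  # constructed sample strings
ENCRYPTED_STRINGS = rc4_crypt(KEY, _PLAIN)  # what the binary actually carries
WANTED_HASHES = [api_hash(n) for n in ("VirtualAlloc", "LoadLibraryA",
                                        "GetProcAddress")]

# Constructed stand-in for the export list an analyst would dump from a real
# kernel32.dll (e.g. with a PE parser); only a handful of names are needed here.
KERNEL32_EXPORTS_SAMPLE = [
    "CloseHandle", "CreateFileW", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "VirtualProtect", "WriteFile",
]


def decrypt_strings(blob: bytes, key: bytes) -> list:
    """Run-time side: recover the NUL-separated plaintext strings."""
    return [s.decode() for s in rc4_crypt(key, blob).split(b"\x00") if s]


def resolve_imports(hashes: list, exports: list) -> dict:
    """Analyst side: recompute the hash over every known export name and map
    the stored hashes back to names. Hashes with no match stay None."""
    table = {api_hash(n): n for n in exports}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    print("decrypted strings:", decrypt_strings(ENCRYPTED_STRINGS, KEY))
    for h, name in resolve_imports(WANTED_HASHES, KERNEL32_EXPORTS_SAMPLE).items():
        print(f"0x{h:08x} -> {name}")
```

The resolver is the generic counter-technique: once the hash routine is recovered from the sample, hashing a dump of the real DLL's export table turns every stored constant back into an API name, and once the RC4 key is recovered the string blob decrypts in one pass. Both steps have to be redone per variant whenever the hash constants or key change.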

Security Officer Comments:
The development comes after a takedown operation, initiated by security researchers in April 2022, dismantled ZLoader's infrastructure. With ZLoader now reemerging with new obfuscation techniques and an updated domain generation algorithm, defenders will find it harder to detect and deter attacks employing the malware. Given ZLoader's return, the loader will likely again be used to deploy ransomware and other malicious payloads, as it has been in the past.

Suggested Corrections:
ZLoader is typically distributed via phishing emails and through malicious ads on Google. In general, users should not click on links or attachments in emails from unknown senders and should avoid Google search results labeled as "sponsored." Defenders can also import the indicators published in the Zscaler report linked below into their blocklists and detection content.

IOCs:
https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night

Link(s):
https://thehackernews.com/2024/01/new-zloader-malware-variant-surfaces.html