Security researchers at Zscaler have uncovered a new anti-analysis feature in recent iterations of the Zloader malware (versions 2.4.1.0 and 2.5.1.0), making it significantly more difficult for analysts to study and potentially increasing the threat it poses.
Zloader, known alternatively as Terdot, DELoader, or Silent Night, is derived from the infamous ZeuS trojan whose source code leaked in 2011. After nearly two years of dormancy, Zloader has resurfaced with updated obfuscation techniques, a complex domain generation algorithm (DGA), and enhanced network communication tactics. The recent adaptations include a re-introduced anti-analysis feature from the original ZeuS 2.x code, marking a significant shift in its operational strategy.
How Zloader’s New Defenses Work
The latest iteration of Zloader, versions 2.4.1.0 and 2.5.1.0, has reintroduced and modified an anti-analysis mechanism that prevents the trojan from executing on any system other than the one originally infected. The mechanism consists of two checks:
- Registry Check: Zloader now checks the Windows registry for a specific key and value, generated using a sample-specific seed. If these are not found, the malware terminates, preventing execution on machines other than the initial victim.
- MZ Header Check: A secondary check within the MZ header verifies that a DWORD value, acting as a pointer to a seed offset, has been properly initialized. Only the initially infected machine will have this value set up correctly.
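The second check above relies on a DWORD patched into the MZ (DOS) header of the installed copy. The article does not say which header field is used, so an analyst's first question when triaging a dropped sample is simply whether any part of the DOS header that should be zero has been written to. The following Python script is an added example for that triage step; it is not Zscaler's tooling or Zloader code. It assumes (hypothetically) that a patched pointer would live in the reserved fields e_res and e_res2, which compilers leave as zero, and it constructs its own minimal PE-like byte string as input rather than reading a real binary.

```python
import struct

# DWORD-aligned offsets inside IMAGE_DOS_HEADER that are reserved and are
# zero in compiler-produced binaries: e_res (28..35) and e_res2 (40..59).
# Assumption for this example: a pointer patched into the header would be
# placed here, where it does not disturb loading. The page does not name
# the field Zloader actually uses.
RESERVED_DWORD_OFFSETS = (28, 32, 40, 44, 48, 52, 56)


def build_sample_pe(patched_dword=None, patch_offset=40):
    """Construct a minimal PE-like byte string (constructed test input, not a
    real binary). Optionally write a DWORD into a reserved DOS-header field to
    simulate an installer that has marked the file for its host."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<H", dos, 2, 0x90)      # e_cblp
    struct.pack_into("<H", dos, 4, 3)         # e_cp
    struct.pack_into("<H", dos, 8, 4)         # e_cparhdr
    struct.pack_into("<H", dos, 12, 0xFFFF)   # e_maxalloc
    struct.pack_into("<H", dos, 16, 0xB8)     # e_sp
    struct.pack_into("<H", dos, 24, 0x40)     # e_lfarlc
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + b"\x00" * 55  # 64-byte DOS stub
    e_lfanew = 64 + len(stub)
    struct.pack_into("<I", dos, 60, e_lfanew)
    if patched_dword is not None:
        struct.pack_into("<I", dos, patch_offset, patched_dword)
    pe_signature = b"PE\x00\x00"
    headers_placeholder = b"\x00" * 64        # stand-in for COFF/optional headers
    return bytes(dos) + stub + pe_signature + headers_placeholder


def scan_dos_header(data):
    """Return a list of findings describing non-zero reserved DOS-header
    fields and a broken e_lfanew. Each reserved-field finding records the
    offset, the value, and whether the value lies inside the file (so it
    could plausibly be used as a file offset to a seed)."""
    findings = []
    if len(data) < 64 or data[0:2] != b"MZ":
        return [{"offset": 0, "value": None, "note": "not an MZ file"}]
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        findings.append({"offset": 60, "value": e_lfanew,
                         "note": "e_lfanew does not point at a PE signature"})
    for offset in RESERVED_DWORD_OFFSETS:
        value = struct.unpack_from("<I", data, offset)[0]
        if value:
            findings.append({"offset": offset, "value": value,
                             "in_file": value < len(data)})
    return findings


if __name__ == "__main__":
    clean = build_sample_pe()
    marked = build_sample_pe(patched_dword=0x90, patch_offset=40)
    print("clean sample :", scan_dos_header(clean))
    print("marked sample:", scan_dos_header(marked))
```

Run against a real dropped file, the same `scan_dos_header` call on the file's bytes tells an analyst whether the on-disk copy differs from the pristine sample in the header region at all, which is the first step toward documenting how the installed copy was bound to its host.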
Comparison with ZeuS’s Original Implementation
Zloader’s technique mirrors some aspects of the ZeuS trojan’s approach but with distinct differences. In ZeuS, critical installation data was stored in an encrypted overlay section called PeSettings, unlike Zloader’s use of the Windows registry and specific binary manipulations.
ZeuS would exit immediately if it detected discrepancies between the installation information stored in PeSettings and the current environment, thus preventing execution on any system other than the one where it was initially installed. The intent is the same as Zloader's, but the technical implementation of the anti-analysis feature differs.
Challenges for Security Teams
Zloader’s defenses make it exceptionally difficult to examine the malware outside of its original target system. This hinders the creation of effective signatures and limits understanding of evolving capabilities. The emphasis on a single infected machine implies Zloader may be used for more focused attacks, customizing its payload to a specific victim’s environment.