Zloader Trojan Employs Novel DNS Tunneling Protocol for Enhanced Evasion


Zloader, the modular Trojan with roots in the infamous Zeus malware, has once again evolved, presenting a new and sophisticated challenge to cybersecurity professionals. ThreatLabz, the security research team at Zscaler, has uncovered a fresh iteration of Zloader (version 2.9.4.0), which introduces a custom DNS tunneling protocol for command-and-control (C2) communications.

First emerging in 2015, Zloader (also known as Terdot, DELoader, or Silent Night) was initially designed to facilitate banking fraud through Automated Clearing House (ACH) and wire transfers. Over the years, like its counterparts Qakbot and Trickbot, it has been repurposed as an initial access broker, paving the way for ransomware deployments within corporate environments. Following a two-year hiatus, Zloader reappeared in the cyber threat landscape last year with enhancements to its obfuscation, anti-analysis techniques, and network communication strategies.

ThreatLabz’s latest findings reveal that Zloader’s newest version has taken these capabilities to the next level. The report states, “Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks.”

DNS tunneling protocol

Example Zloader attack chain | Source: ThreatLabz

One of the most striking updates in Zloader’s latest version is the use of a custom DNS tunneling protocol. This mechanism allows the malware to encapsulate encrypted TLS traffic within DNS requests, effectively bypassing traditional web traffic monitoring tools. Unlike many other malware families, Zloader constructs and parses DNS packets independently, without relying on third-party libraries or Windows APIs.

Each DNS request follows a specific format:

[prefix].[header].[payload].[zloader_nameserver_domain]

The payload, which can include TLS client hello messages, is fragmented into multiple packets to comply with DNS protocol limitations. The use of DNS tunneling, combined with Zloader’s anti-analysis features, makes detecting its C2 traffic exceedingly difficult. ThreatLabz notes, “The most significant update to Zloader’s C2 communication is the addition of DNS tunneling…larger messages must be fragmented and sent in multiple packets.”
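As an added defender-side illustration (not code from the ThreatLabz report or from Zloader), the following Python heuristic scores DNS query names for the traits the format above implies: unusually long subdomain labels, a high-entropy encoded payload, and a burst of distinct names sent to one base domain as fragments go out. The sample log lines, the placeholder base domain, the hex payloads and the thresholds are all constructed assumptions, not Zloader indicators.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client_ip, queried_name) pairs. The long names mimic
# fragmented tunnel traffic; "tunnel-example.invalid" is a placeholder base
# domain, not a real Zloader nameserver, and the hex payloads are made up.
HEX_A = "4d2a8b1c9e0f7a6d5b4c3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f"
HEX_B = "0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b"
HEX_C = "5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f"
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", f"a1.7f3e9c.{HEX_A}.tunnel-example.invalid"),
    ("10.0.0.5", f"a1.7f3e9d.{HEX_B}.tunnel-example.invalid"),
    ("10.0.0.5", f"a1.7f3e9e.{HEX_C}.tunnel-example.invalid"),
]

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score far higher than hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname: str):
    """Assumption: the last two labels are the base domain (no suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]

def flag_query(qname: str):
    """Return (base_domain, set of indicator names) for one query name."""
    base, sub_labels = split_name(qname)
    sub = ".".join(sub_labels)
    flags = set()
    if len(sub) > 50:                       # far longer than typical hostnames
        flags.add("long_subdomain")
    if any(len(lbl) >= 40 for lbl in sub_labels):  # near the 63-octet label cap
        flags.add("long_label")
    if len(sub) >= 20 and shannon_entropy(sub) > 3.5:
        flags.add("high_entropy")
    return base, flags

def analyze(queries, burst_threshold: int = 3):
    """Aggregate indicators per base domain; 'fragment_burst' marks one client
    sending several distinct suspicious names to the same base domain."""
    per_base, seen = defaultdict(set), defaultdict(set)
    for client, qname in queries:
        base, flags = flag_query(qname)
        per_base[base] |= flags
        if flags: seen[(client, base)].add(qname)
    for (client, base), names in seen.items():
        if len(names) >= burst_threshold:
            per_base[base].add("fragment_burst")
    return {b: sorted(f) for b, f in per_base.items() if f}
```

Run `analyze(SAMPLE_QUERIES)` to see only the placeholder tunnel domain reported; in practice the thresholds need tuning against a baseline of the organization's own resolver logs, since CDNs and some security products also emit long, encoded-looking names.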

Zloader 2.9.4.0 also brings significant improvements to its anti-analysis techniques. By refining its environment checks and API import resolution algorithms, the malware evades sandboxing and static detection mechanisms. ThreatLabz highlights, “Zloader’s anti-analysis techniques such as environment checks and API import resolution algorithms continue to be updated to evade malware sandboxes and static signatures.”

Furthermore, the malware now includes an interactive shell that provides threat actors with an array of capabilities, including executing binaries, exfiltrating data, and running shellcode. These enhancements reinforce Zloader’s role as a powerful tool for ransomware operators.

ThreatLabz’s research indicates a shift in Zloader’s distribution methods. Large-scale spam campaigns have been replaced with more targeted approaches, such as leveraging Remote Monitoring and Management (RMM) tools like AnyDesk and TeamViewer. Additionally, Zloader’s botnets are increasingly tied to Black Basta ransomware campaigns, further cementing its status as a key enabler of ransomware attacks.

The resurgence of Zloader with its advanced DNS tunneling capabilities poses a significant challenge for defenders. Traditional web traffic monitoring is no longer sufficient; organizations must also scrutinize DNS-based communications for anomalies. ThreatLabz advises, “With the latest Zloader updates, organizations must ensure that they are inspecting not only web-based traffic, but also DNS-based network traffic.”
