www.zscaler.com
Open in
urlscan Pro
2606:4700::6812:1c4a
Public Scan
URL:
https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night
Submission: On January 23 via api from DE — Scanned from DE
Submission: On January 23 via api from DE — Scanned from DE
Form analysis
3 forms found in the DOM<form class="topSearch_searchInputWrapper__n8dSG" __bizdiag="107944136" __biza="W___"><input type="text" name="query" class="topSearch_searchInput__E0Bk3" placeholder="What are you looking for?" aria-label="What are you looking for?"
aria-hidden="true" tabindex="-1" value=""></form>
<form class="marketoForm_root__Wkgni marketoForm_variant_cta_module__IwKzs" id="mktoForm_7971" style="opacity:0" __bizdiag="196539198" __biza="W___"></form>
<form class="marketoForm_root__Wkgni marketoForm_variant_footer__jwLCq footer-subscription" id="mktoForm_1944" style="opacity:0" __bizdiag="196360362" __biza="W___"></form>
Text Content
This site uses JavaScript to provide a number of functions, to use this site please enable JavaScript in your browser. Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN Find out more Close OpenSearch CXO REvolutionariesCareersPartnersSupport ShowContact UsOptions Get in touch1-408-533-0288Chat with us ShowSign InOptions admin.zscaler.netadmin.zscalerone.netadmin.zscalertwo.netadmin.zscalerthree.netadmin.zscalerbeta.netadmin.zscloud.netZscaler Private Access Home The Zscaler ExperienceProducts & SolutionsPlatformResourcesCompany Request a demoopen search open navigation The Zscaler Experience Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge (SSE) Get the full report Your world, secured Experience the transformative power of zero trust. The Zscaler Difference The Zscaler Difference Experience the World’s Largest Security Cloud Customer Success Stories Analyst Recognition Machine Learning and AI at Zscaler Reduce Your Carbon Footprint Zero Trust Fundamentals Zero Trust Fundamentals What Is Zero Trust? What Is Security Service Edge (SSE)? What Is Secure Access Service Edge (SASE)? What Is Zero Trust Network Access (ZTNA)? What Is Secure Web Gateway (SWG)? What Is Cloud Access Security Broker (CASB)? What Is Cloud Native Application Protection Platform (CNAPP)? Zero Trust Resources Products & Solutions Secure Your Users Provide users with seamless, secure, reliable access to applications and data. Secure Your Workloads Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud. Secure Your IoT and OT Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems. Products Products Transform your organization with 100% cloud native services Secure Internet Access (ZIA) Secure Private Access (ZPA) Data Protection (CASB/DLP) Digital Experience (ZDX) Posture Control Partner IntegrationsIndustry and Market Solutions Solution Areas Solution Areas Propel your business with zero trust solutions that secure and connect your resources Cyberthreat Protection Data Protection Zero Trust Networking Business Analytics VPN Alternative Zero Trust App Access Accelerate M&A Integration Optimize Digital Experiences Zero Trust SD-WAN Zero Trust Cloud Connectivity Zero Trust for IoT/OT Zero Trust for Private 5G FInd a Product or Solution Industry and Market Solutions Partner Integrations Platform Zero Trust Exchange Platform Learn how Zscaler delivers zero trust with a cloud native platform that is the world’s largest security cloud Zero Trust Exchange PlatformTitle Link Transform with Zero Trust Architecture Transform with Zero Trust Architecture Propel your transformation journey Secure Digital Transformation Network Transformation Application Transformation Security Transformation Secure Your Business Goals Secure Your Business Goals Achieve your business and IT initiatives Ensure Secure Business Continuity Accelerate M&A and Divestitures Recession-Proof Your Enterprise Secure Your Hybrid Workforce Download Zscaler Client Connector Resources Learn, connect, and get support. Explore tools and resources to accelerate your transformation and secure your world Learn, connect, and get support.Title Link Amplifying the voices of real-world digital and zero trust pioneers Visit now Resource Center Resource Center Stay up to date on best practices Resource Library Blog Customer Success Stories Webinars Zpedia Events & Trainings Events & Trainings Find programs, certifications, and events Upcoming Events Zenith Live Zscaler Academy Interactive Zscaler Whiteboard Workshop Security Research & Services Security Research & Services Get research and insights at your fingertips ThreatLabz Analytics Tools Tools Tools designed for you Security Preview Security and Risk Assessment Security Advisory Updates Disclose a Vulnerability Executive Insights App Ransomware Protection ROI Calculator Community & Support Community & Support Connect and find support Customer Success Center Zenith Community CXO REvolutionaries Zscaler Help Portal Explore the latest Zscaler Innovations Industry & Market Solutions Industry & Market Solutions See solutions for your industry and country Public Sector Healthcare Financial Services Education See all Resource Center Resource Center Stay up to date on best practices Resource Library Blog Customer Success Stories Webinars Zpedia Events & Trainings Events & Trainings Find programs, certifications, and events Upcoming Events Zenith Live Zscaler Academy Interactive Zscaler Whiteboard Workshop Security Research & Services Security Research & Services Get research and insights at your fingertips ThreatLabz Analytics Tools Tools Tools designed for you Security Preview Security and Risk Assessment Security Advisory Updates Disclose a Vulnerability Executive Insights App Ransomware Protection ROI Calculator Community & Support Community & Support Connect and find support Customer Success Center Zenith Community CXO REvolutionaries Zscaler Help Portal Explore the latest Zscaler Innovations Industry & Market Solutions Industry & Market Solutions See solutions for your industry and country Public Sector Healthcare Financial Services Education See all Company About Zscaler Discover how it began and where it’s going Partners Meet our partners and explore system integrators and technology alliances News & Announcements Stay up to date with the latest news Leadership Team Meet our management team Partner Integrations Explore best-in-class partner integrations to help you accelerate digital transformation Investor Relations See news, stock information, and quarterly reports Environmental, Social & Governance Learn about our ESG approach Careers Join our mission Press Center Find everything you need to cover Zscaler Compliance Understand our adherence to rigorous standards Zenith Ventures Understand our adherence to rigorous standards Zscaler Blog Get the latest Zscaler blog updates in your inbox Subscribe Security Research ZLOADER: NO LONGER SILENT IN THE NIGHT SANTIAGO VICENTE, ISMAEL GARCIA PEREZ January 19, 2024 - 8 min read Threatlabz Research Contents 1. Introduction 2. Key Takeaways 3. Technical Analysis 4. Conclusion 5. Zscaler Coverage 6. Indicators Of Compromise (IoCs) 7. Appendix 8. References 9. More blogs Copy URL Copy URL INTRODUCTION Zloader (aka Terdot, DELoader, or Silent Night), is a modular trojan born from the leaked Zeus source code. It surfaced publicly in 2016 during a targeted campaign against German banks1, but its malicious activity traces back to at least August 2015. Zloader’s first run persisted until the beginning of 2018 when its activities abruptly ceased. Its resurgence at the end of 2019, marketed in underground forums as “Silent Night”, came with substantial alterations. The evolution of Zloader progressed steadily, leading to the development of version 2.0.0.0 around September 2021. Similar to Qakbot, the threat actors using Zloader also pivoted from conducting banking fraud to ransomware. In April 2022, security researchers executed a takedown operation2 to dismantle the botnet leading to an extended period of inactivity. After an almost two-year hiatus, Zloader reemerged with a new iteration that appears to have started development in September 2023. These new changes include new obfuscation techniques, an updated domain generation algorithm (DGA), RSA encryption for network communications, and the loader now has native support for 64-bit versions of Windows. Initially, this new version was labeled with the old version number 2.0.0.0. However, over the past several months, they released version 2.1.6.0 and 2.1.7.0. In this blog, we will explore these new updates to Zloader. KEY TAKEAWAYS * Zloader dates back to 2015 and has been advertised in underground cybercriminal forums under the name “Silent Night” since the end of 2019. * Zloader has returned after an almost two-year hiatus after being taken down in April 2022 by security researchers. * The new version of Zloader made significant changes to the loader module, which added RSA encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time. * Zloader continues to use junk code for obfuscation, as well as API import hashing and string encryption in an attempt to hinder malware analysis. TECHNICAL ANALYSIS In the following sections, we dive into the technical details surrounding Zloader’s new updates to their anti-analysis techniques, embedded configuration, DGA, and network encryption. ANTI-ANALYSIS TECHNIQUES Zloader uses a combination of API import hashing, junk code, a filename check, and string obfuscation. The following sections analyze each technique. Imports and API resolution The newest Zloader samples only import a few functions from the kernel32 library. The remaining imports are resolved at runtime using checksums to obfuscate the functions that are used. This technique, already present in older versions, changes its implementation, adding an XOR constant which changes between samples. Python code that replicates the API hashing algorithm is shown below. Code sample available on GitHub. Junk code Similar to previous versions, Zloader uses custom obfuscation. The new version of Zloader adds junk code that consists of various arithmetic operations, as shown in Figure 1 below. Figure 1. Example Zloader 2.1 junk code In Figure 1, the instructions inside the red box are the junk code. Anti-sandbox Each Zloader sample expects to be executed with a specific filename. If the filename does not match what the sample expects, it will not execute further. This could evade malware sandboxes that rename sample files. Figure 2 shows an example of a Zloader sample that expects its filename to be CodeForge.exe. Figure 2. Example of Zloader’s anti-analysis filename check ThreatLabz has observed Zloader use the following filenames: * CodeForge.exe * CyberMesh.exe * EpsilonApp.exe * FusionBeacon.exe * FusionEcho.exe * IonBeacon.dll * IonPulse.exe * KineticaSurge.dll * QuantumDraw.exe * SpectraKinetic.exe * UltraApp.exe String obfuscation Similar to prior versions, Zloader implements a string obfuscation algorithm for some of the malware’s important strings such as registry paths, DLL names, and the DGA’s top-level domain (TLD) using XOR with a hardcoded key. Python code that replicates the string obfuscation algorithm is shown below: Code sample available on GitHub. The encryption key differs between samples and is also hardcoded in the .rdata section as shown in Figure 3 below. Figure 3. Example string obfuscation key used by Zloader A list of Zloader’s obfuscated strings is shown in the Appendix. STATIC CONFIGURATION ENCRYPTION AND STRUCTURE The Zloader static configuration is still encrypted using RC4 with a hardcoded alphanumeric key, but the structure is slightly different. The botnet ID, campaign name, and command-and-control servers (C2s) are set at fixed offsets, in addition to an RSA public key that replaces the old RC4 key that was used for network encryption. ThreatLabz has observed 15 unique new Zloader samples and all of them have the same RSA public key, likely indicating there is currently only a single threat actor using the malware. An example Zloader static configuration is shown below. DOMAIN GENERATION ALGORITHM When the primary C2 server is not available, Zloader reverts to a DGA. The DGA algorithm has changed in the latest version and no longer contains a different seed per botnet. Python code that replicates Zloader’s new DGA algorithm is shown below. Code sample available on GitHub. The code generates 32 domains per day by using the local system time at midnight (converted to UTC) as a seed. Each of the DGA domains have a length of 20 characters followed by the “.com” TLD. NETWORK COMMUNICATIONS Zloader continues to use HTTP POST requests to communicate with its C2 server. However, the network encryption is now using 1,024-bit RSA with RC4 and the Zeus “visual encryption” algorithms. Zloader uses the custom Zeus BinStorage format where the first 128 bytes are the RSA encrypted RC4 key (32 random bytes) and, the remaining bytes are encrypted with the RC4 key and visual encryption as shown in Figure 4: Figure 4. Zloader BinStorage object for a hello message (prior to encryption) The Zeus BinStorage structure uses an ID integer value to represent the information stored, followed by the length and data. The BinStorage ID values in this example are shown in Table 1. Value (Decimal)Value (Hexadecimal)Description100020x2712Botnet ID100250x2729Campaign ID100010x2711Bot ID100030x2713Malware version100060x2716Unknown flag (set to 0x1) Table 1. Zloader BinStorage hello message fields ThreatLabz has observed samples containing the following botnet IDs: * Bing_Mod2 * Bing_Mod3 * Bing_Mod4 * Bing_Mod5 All of the campaign IDs have been set to the value M1. CONCLUSION Zloader was a significant threat for many years and its comeback will likely result in new ransomware attacks. The operational takedown temporarily stopped the activity, but not the threat group behind it. Returning after almost two years, Zloader has brought notable improvements to the loader module such as RSA encryption, an updated DGA, and enhanced obfuscation techniques, with more junk code, API import hashing, and string encryption to thwart malware analysis. Zscaler ThreatLabz continues to track this threat and add detections to protect our customers. ZSCALER COVERAGE In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Zloader at various levels with the following threat names: * Win64.Downloader.Zloader INDICATORS OF COMPROMISE (IOCS) SHA256Description038487af6226adef21a29f3d31baf3c809140fcb408191da8bc457b6721e3a55Zloader sample16af920dd49010cf297b03a732749bb99cc34996f090cb1e4f16285f5b69ee7dZloader sample25c8f98b79cf0bfc00221a33d714fac51490d840d13ab9ba4f6751a58d55c78dZloader sample2cdb78330f90b9fb20b8fb1ef9179e2d9edfbbd144d522f541083b08f84cc456Zloader sample83deff18d50843ee70ca9bfa8d473521fd6af885a6c925b56f63391aad3ee0f3Zloader sample98dccaaa3d1efd240d201446373c6de09c06781c5c71d0f01f86b7192ec42eb2Zloader sampleadbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aaZloader sampleb206695fb128857012fe280555a32bd389502a1b47c8974f4b405ab19921ac93Zloader sampleb47e4b62b956730815518c691fcd16c48d352fca14c711a8403308de9b7c1378Zloader sampled92286543a9e04b70525b72885e2983381c6f3c68c5fc64ec1e9695567fb090dZloader sampleeb4b412b4fc58ce2f134cac7ec30bd5694a3093939d129935fe5c65f27ce9499Zloader samplef03b9dce7b701d874ba95293c9274782fceb85d55b276fd28a67b9e419114fdbZloader samplef6d8306522f26544cd8f73c649e03cce0268466be27fe6cc45c67cc1a4bdc1b8Zloader samplefa4b2019d7bf5560b88ae9ab3b3deb96162037c2ed8b9e17ea008b0c97611616Zloader samplefbd60fffb5d161e051daa3e7d65c0ad5f589687e92e43329c5c4c950f58fbb75Zloader sample URLDescriptionhttps://adslstickerhi[.]worldZloader C2https://adslstickerni[.]worldZloader C2https://dem.businessdeep[.]comZloader C2 APPENDIX TOOLS The code snippets in this blog have also been uploaded to our GitHub tools repository here. DECODED STRINGS user32.dll nbsp; %s reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v %s /d "%s" wininet.dll td tr br Software\Microsoft\ h3 Local\ hr POST gdiplus.dll NtWriteVirtualMemory https:// * \??\ ntdll.dll ws2_32.dll _alldiv NtProtectVirtualMemory NtGetContextThread shell32.dll %s %s psapi.dll crypt32.dll S-1-15 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ _aulldiv \"%s\" samlib.dll S:(ML;CIOI;NRNWNX;;;LW) NtCreateThreadEx regsvr32.exe /s \"%s\" NtResumeThread bcrypt.dll netapi32.dll RtlGetVersion strtoul winsta.dll wldap32.dll NtReadVirtualMemory Basic 0:0 version.dll h2 InstallDate h5 NtAllocateVirtualMemory .com cabinet.dll S:(ML;;NRNWNX;;;LW) li kernel32.dll %s\tmp_%08x h6 aeiouy div rpcrt4.dll {%08X-%04X-%04X-%08X%08X} iphlpapi.dll mpr.dll C:\Windows\System32\ntdll.dll Connection: close gdi32.dll C:\Windows\System32\msiexec.exe Global\ wtsapi32.dll NtCreateUserProcess shlwapi.dll RtlUserThreadStart %s NtOpenProcess HTTP/1.1 ncrypt.dll INVALID_BOT_ID _aullrem Software\Microsoft\Windows\CurrentVersion\Run dnsapi.dll ole32.dll .dll C:\Windows\SysWOW64\msiexec.exe bcdfghklmnpqrstvwxz ftllib.dll User metrics ThreadStart MSIMG32.dll \* JKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq h1 NtSetContextThread */* GET userenv.dll urlmon.dll Software\Microsoft\Windows NT\CurrentVersion _ThreadStart@4 dxgi.dll NtOpenSection script /post.php advapi32.dll h4 secur32.dll imagehlp.dll %s_%s_%X winscard.dll REFERENCES 1 The Curious Case of an Unknown Trojan Targeting German-Speaking Users 2 Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware | Microsoft Security Blog Thank you for reading WAS THIS POST USEFUL? Yes, very! Not really EXPLORE MORE ZSCALER BLOGS Hibernating Qakbot: A Comprehensive Study and In-depth Campaign Analysis Read Post Technical Analysis of Xloader’s Code Obfuscation in Version 4.3 Read Post Technical Analysis of HijackLoader Read Post GET THE LATEST ZSCALER BLOG UPDATES IN YOUR INBOX By submitting the form, you are agreeing to our privacy policy. THE ZSCALER EXPERIENCE Learn about: Your world, secured.Zero TrustSecurity Service Edge (SSE)Secure Access Service Edge (SASE)Zero Trust Network Access (ZTNA)Secure Web Gateway (SWG)Cloud Access Security Broker (CASB)Cloud Native Application Protection Platform (CNAPP) PRODUCTS & SOLUTIONS Secure Your Users Secure Your Workloads Secure Your IoT and OT Secure Internet Access (ZIA) Secure Private Access (ZPA) Data Protection (CASB/DLP) Digital Experience (ZDX) Posture Control Industry & Market Solutions Partner Integrations Zscaler Client Connector PLATFORM Zero Trust Exchange Platform Secure Digital Transformation Application Transformation Network Transformation Security Transformation RESOURCES Resource Library Security Preview Security & Risk Assessment ThreatLabz Analytics & Insights Upcoming Events Blog Zscaler Academy CXO Revolutionaries Zpedia Ransomware Protection ROI Calculator POPULAR LINKS Pricing & Plans About Zscaler Leadership Team Career Opportunities Find or Become a Partner Customer Success Center Investor Relations Press Center News & Announcements ESG Compliance Contact Zscaler Home English EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - EspañaPortugues - Brasil Zscaler is universally recognized as the leader in zero trust. Leveraging the largest security cloud on the planet, Zscaler anticipates, secures, and simplifies the experience of doing business for the world's most established companies. English EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - EspañaPortugues - Brasil Visit us on FacebookLinkedinFollow us on TwitterSubscribe our Youtube Channel SitemapPrivacyLegalSecurity © 2024 Zscaler, Inc. All rights reserved. Zscaler™ and other trademarks listed at zscaler.com/legal/trademarks are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners. Zscaler uses cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners.Please review our Cookies Policy for more information. Cookies Settings Accept Cookies