URL: https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night
Submission: On January 23 via api from DE — Scanned from DE
Security Research


ZLOADER: NO LONGER SILENT IN THE NIGHT

SANTIAGO VICENTE, ISMAEL GARCIA PEREZ
January 19, 2024 - 8 min read



Threatlabz Research


Contents

 1. Introduction
 2. Key Takeaways
 3. Technical Analysis
 4. Conclusion
 5. Zscaler Coverage
 6. Indicators Of Compromise (IoCs)
 7. Appendix
 8. References

INTRODUCTION

Zloader (aka Terdot, DELoader, or Silent Night) is a modular trojan born from
the leaked Zeus source code. It surfaced publicly in 2016 during a targeted
campaign against German banks [1], but its malicious activity traces back to at
least August 2015. Zloader's first run persisted until the beginning of 2018,
when its activity abruptly ceased. Its resurgence at the end of 2019, marketed
in underground forums as "Silent Night", came with substantial alterations.
Zloader then evolved steadily, leading to version 2.0.0.0 around September
2021. Similar to Qakbot, the threat actors using Zloader also pivoted from
banking fraud to ransomware. In April 2022, security researchers executed a
takedown operation [2] to dismantle the botnet, leading to an extended period of
inactivity.

After an almost two-year hiatus, Zloader reemerged with a new iteration that
appears to have started development in September 2023. The changes include new
obfuscation techniques, an updated domain generation algorithm (DGA), RSA
encryption for network communications, and native support for 64-bit versions
of Windows in the loader. Initially, this new version was labeled with the old
version number 2.0.0.0. However, over the past several months, the operators
have released versions 2.1.6.0 and 2.1.7.0. In this blog, we explore these new
updates to Zloader.


KEY TAKEAWAYS

 * Zloader dates back to 2015 and has been advertised in underground
   cybercriminal forums under the name “Silent Night” since the end of 2019.
 * Zloader has returned after an almost two-year hiatus that followed its
   takedown in April 2022 by security researchers.
 * The new version of Zloader made significant changes to the loader module,
   which added RSA encryption, updated the domain generation algorithm, and is
   now compiled for 64-bit Windows operating systems for the first time.
 * Zloader continues to use junk code for obfuscation, as well as API import
   hashing and string encryption in an attempt to hinder malware analysis.


TECHNICAL ANALYSIS

In the following sections, we dive into the technical details surrounding
Zloader’s new updates to their anti-analysis techniques, embedded configuration,
DGA, and network encryption.


ANTI-ANALYSIS TECHNIQUES

Zloader uses a combination of API import hashing, junk code, a filename check,
and string obfuscation. The following sections analyze each technique.

Imports and API resolution

The newest Zloader samples import only a few functions from the kernel32
library. The remaining imports are resolved at runtime using checksums to
obfuscate the functions that are used. This technique was already present in
older versions, but its implementation has changed: the hash is now combined
with an XOR constant that differs between samples. Python code that replicates
the API hashing algorithm is shown below.




Code sample available on GitHub.


Junk code

Similar to previous versions, Zloader uses custom obfuscation. The new version
of Zloader adds junk code that consists of various arithmetic operations, as
shown in Figure 1 below.



Figure 1. Example Zloader 2.1 junk code

In Figure 1, the instructions inside the red box are the junk code.

Anti-sandbox

Each Zloader sample expects to be executed with a specific filename. If the
filename does not match what the sample expects, it will not execute further.
This could evade malware sandboxes that rename sample files. Figure 2 shows an
example of a Zloader sample that expects its filename to be CodeForge.exe.



Figure 2. Example of Zloader’s anti-analysis filename check

ThreatLabz has observed Zloader use the following filenames:

 * CodeForge.exe
 * CyberMesh.exe
 * EpsilonApp.exe
 * FusionBeacon.exe
 * FusionEcho.exe
 * IonBeacon.dll
 * IonPulse.exe
 * KineticaSurge.dll
 * QuantumDraw.exe
 * SpectraKinetic.exe
 * UltraApp.exe


String obfuscation

Similar to prior versions, Zloader implements a string obfuscation algorithm for
some of the malware’s important strings such as registry paths, DLL names, and
the DGA’s top-level domain (TLD) using XOR with a hardcoded key. Python code
that replicates the string obfuscation algorithm is shown below:




Code sample available on GitHub.

The encryption key differs between samples and is also hardcoded in the .rdata
section as shown in Figure 3 below.



Figure 3. Example string obfuscation key used by Zloader

A list of Zloader’s obfuscated strings is shown in the Appendix.


STATIC CONFIGURATION ENCRYPTION AND STRUCTURE

The Zloader static configuration is still encrypted using RC4 with a hardcoded
alphanumeric key, but the structure is slightly different. The botnet ID,
campaign name, and command-and-control servers (C2s) are set at fixed offsets,
in addition to an RSA public key that replaces the old RC4 key that was used for
network encryption. ThreatLabz has observed 15 unique new Zloader samples and
all of them have the same RSA public key, likely indicating there is currently
only a single threat actor using the malware.

An example Zloader static configuration is shown below.







DOMAIN GENERATION ALGORITHM

When the primary C2 server is not available, Zloader reverts to a DGA. The DGA
has changed in the latest version and no longer uses a different seed per
botnet. Python code that replicates Zloader's new DGA is shown below.




Code sample available on GitHub.

The code generates 32 domains per day, using the local system time at midnight
(converted to UTC) as a seed. Each DGA domain has a length of 20 characters
followed by the ".com" TLD.


NETWORK COMMUNICATIONS

Zloader continues to use HTTP POST requests to communicate with its C2 server.
However, network encryption now uses 1,024-bit RSA together with RC4 and the
Zeus "visual encryption" algorithm. Zloader uses the custom Zeus BinStorage
format, where the first 128 bytes are the RSA-encrypted RC4 key (32 random
bytes) and the remaining bytes are encrypted with the RC4 key and visual
encryption, as shown in Figure 4:



Figure 4. Zloader BinStorage object for a hello message (prior to encryption)

The Zeus BinStorage structure uses an ID integer value to represent the
information stored, followed by the length and data. The BinStorage ID values in
this example are shown in Table 1.

Value (Decimal)   Value (Hexadecimal)   Description
10002             0x2712                Botnet ID
10025             0x2729                Campaign ID
10001             0x2711                Bot ID
10003             0x2713                Malware version
10006             0x2716                Unknown flag (set to 0x1)

Table 1. Zloader BinStorage hello message fields

ThreatLabz has observed samples containing the following botnet IDs:

 * Bing_Mod2
 * Bing_Mod3
 * Bing_Mod4
 * Bing_Mod5

All of the campaign IDs have been set to the value M1.
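The hello-message layering described above, as an added example that is not Zscaler's code or Zloader's own: it packs the Table 1 fields into BinStorage-style records, applies RC4 and Zeus visual encryption to everything after the 128-byte RSA block, and decodes a constructed capture back into fields. The record layout (little-endian uint32 ID and length), the RC4-then-visual-encryption order, and the sample field values are assumptions; the RSA block is a zero placeholder because the RC4 key is taken as already recovered from the sample.

```python
import struct

# BinStorage record IDs from Table 1 of the post.
BOTNET_ID, CAMPAIGN_ID, BOT_ID, MALWARE_VERSION, UNKNOWN_FLAG = (
    0x2712, 0x2729, 0x2711, 0x2713, 0x2716)
RSA_BLOCK_LEN = 128  # 1,024-bit RSA output that carries the 32-byte RC4 key


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    # Zeus "visual encryption": XOR each byte with the previous output byte.
    out = bytearray(data)
    for i in range(1, len(out)):
        out[i] ^= out[i - 1]
    return bytes(out)


def visual_decrypt(data: bytes) -> bytes:
    # Inverse: walk backwards so the previous byte is still ciphertext.
    out = bytearray(data)
    for i in range(len(out) - 1, 0, -1):
        out[i] ^= out[i - 1]
    return bytes(out)


def pack_binstorage(fields) -> bytes:
    # Assumed record layout: <uint32 id><uint32 length><data>, little-endian.
    return b"".join(struct.pack("<II", fid, len(v)) + v for fid, v in fields)


def parse_binstorage(blob: bytes):
    # Parse records back out, refusing truncated or trailing bytes.
    fields, off = [], 0
    while off + 8 <= len(blob):
        fid, n = struct.unpack_from("<II", blob, off)
        off += 8
        if off + n > len(blob):
            raise ValueError("truncated BinStorage record")
        fields.append((fid, blob[off:off + n]))
        off += n
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    return fields


def decode_message(rc4_key: bytes, msg: bytes):
    # Skip the RSA block (RC4 key assumed already recovered), undo visual
    # encryption, then RC4, then parse the records.
    return parse_binstorage(rc4(rc4_key, visual_decrypt(msg[RSA_BLOCK_LEN:])))


def constructed_hello(rc4_key: bytes) -> bytes:
    # Constructed sample hello (not a real capture) using IDs seen in the post.
    fields = [(BOTNET_ID, b"Bing_Mod2"), (CAMPAIGN_ID, b"M1"),
              (BOT_ID, b"EXAMPLE-BOT-ID"), (MALWARE_VERSION, b"2.1.7.0"),
              (UNKNOWN_FLAG, struct.pack("<I", 1))]
    rsa_block = b"\x00" * RSA_BLOCK_LEN  # placeholder for RSA(rc4_key)
    return rsa_block + visual_encrypt(rc4(rc4_key, pack_binstorage(fields)))
```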


CONCLUSION

Zloader was a significant threat for many years and its comeback will likely
result in new ransomware attacks. The operational takedown temporarily stopped
the activity, but not the threat group behind it. Returning after almost two
years, Zloader has brought notable improvements to the loader module such as RSA
encryption, an updated DGA, and enhanced obfuscation techniques, with more junk
code, API import hashing, and string encryption to thwart malware analysis.

Zscaler ThreatLabz continues to track this threat and add detections to protect
our customers.


ZSCALER COVERAGE



In addition to sandbox detections, Zscaler’s multilayered cloud security
platform detects indicators related to Zloader at various levels with the
following threat names:

 * Win64.Downloader.Zloader


INDICATORS OF COMPROMISE (IOCS)


URL                              Description
https://adslstickerhi[.]world    Zloader C2
https://adslstickerni[.]world    Zloader C2
https://dem.businessdeep[.]com   Zloader C2

 
 


APPENDIX


TOOLS

The code snippets in this blog have also been uploaded to our GitHub tools
repository here.


DECODED STRINGS

user32.dll

nbsp;

%s

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v %s /d
"%s"

wininet.dll

td

tr

br

Software\Microsoft\

h3

Local\

hr

POST

gdiplus.dll

NtWriteVirtualMemory

https://

*

\??\

ntdll.dll

ws2_32.dll

_alldiv

NtProtectVirtualMemory

NtGetContextThread

shell32.dll

%s %s

psapi.dll

crypt32.dll

S-1-15

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

_aulldiv

\"%s\"

samlib.dll

S:(ML;CIOI;NRNWNX;;;LW)

NtCreateThreadEx

regsvr32.exe /s \"%s\"

NtResumeThread

bcrypt.dll

netapi32.dll

RtlGetVersion

strtoul

winsta.dll

wldap32.dll

NtReadVirtualMemory

Basic

0:0

version.dll

h2

InstallDate

h5

NtAllocateVirtualMemory

.com

cabinet.dll

S:(ML;;NRNWNX;;;LW)

li

kernel32.dll

%s\tmp_%08x

h6

aeiouy

div

rpcrt4.dll

{%08X-%04X-%04X-%08X%08X}

iphlpapi.dll

mpr.dll

C:\Windows\System32\ntdll.dll

Connection: close

gdi32.dll

C:\Windows\System32\msiexec.exe

 

Global\

wtsapi32.dll

NtCreateUserProcess

shlwapi.dll

RtlUserThreadStart

%s

NtOpenProcess

HTTP/1.1

ncrypt.dll

INVALID_BOT_ID

_aullrem

Software\Microsoft\Windows\CurrentVersion\Run

dnsapi.dll

ole32.dll

.dll

C:\Windows\SysWOW64\msiexec.exe

bcdfghklmnpqrstvwxz

ftllib.dll

User metrics

ThreadStart

MSIMG32.dll

\*

JKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq

h1

NtSetContextThread

*/*

GET

userenv.dll

urlmon.dll

Software\Microsoft\Windows NT\CurrentVersion

_ThreadStart@4

dxgi.dll

NtOpenSection

script

/post.php

advapi32.dll

h4

secur32.dll

imagehlp.dll

 

%s_%s_%X

winscard.dll

 


 


REFERENCES

[1] The Curious Case of an Unknown Trojan Targeting German-Speaking Users

[2] Dismantling ZLoader: How malicious ads led to disabled security tools and
ransomware | Microsoft Security Blog
