
Zloader: banking Trojan and emerging threats

Zloader, derived from the Zeus Trojan, is an advanced malware designed to steal sensitive data and spread ransomware, especially on Microsoft systems. Its main characteristic is its ability to evade security defenses through techniques such as domain generation algorithms (DGAs) and environment checks. It constantly evolves to remain invisible, making it a difficult threat to thwart.


Table of contents

  • What is Zloader and why is it a growing threat? 
  • Zloader’s new attack techniques 
  • Distribution methods and targets 
  • The role of companies in fighting Zloader 

This article explores Zloader, a sophisticated banking Trojan that continues to evolve with new techniques to evade defenses.

We’ll analyze what Zloader is, its main features, and recent updates that make it a persistent threat in the cyber security landscape. 

What is Zloader and why is it a growing threat? 

Zloader Trojan, also known as Terdot, DELoader, or Silent Night, is a malware loader designed to download and execute malicious payloads on compromised systems.

Derived from the infamous Zeus Trojan, this malware has established itself as a versatile and dangerous tool, primarily used to steal sensitive data and facilitate ransomware attacks, particularly on Microsoft systems that Zloader seems to favor. 

Zloader’s standout feature is its ability to evade security measures. Techniques such as domain generation algorithms (DGA) and environment checks to prevent unauthorized executions allow the malware to adapt and remain undetected.

Recent updates have introduced additional enhancements, solidifying Zloader’s effectiveness and making it one of the most challenging threats to combat. 

Zloader’s new attack techniques 

Recent updates have seen Zloader reemerge with new campaigns and advanced features such as DNS tunneling, used to hide its command-and-control (C2) communications.

This technique enables threat actors to conceal malicious traffic within DNS packets, improving the malware’s ability to evade detection.

The latest version also includes an interactive shell, allowing operators to execute binary files, DLLs, and shellcode, as well as exfiltrate data and terminate processes. These features enhance the malware’s operational flexibility, making it particularly valuable for ransomware campaigns like those linked to the Black Basta group. 


Distribution methods and targets 

Zloader is often distributed via phishing emails designed to trick users into downloading infected files. Another common tactic is leveraging remote desktop protocol (RDP) connections obtained through fake tech support requests. Once users download the payload, the malware installs itself and begins communicating with C2 servers. 

One notable additional payload distributed by Zloader is GhostSocks, a component that facilitates the Trojan’s installation. This modular approach underscores Zloader’s scalable and as-a-service nature, making it easily customizable for various attack types. 

The role of companies in fighting Zloader 

Combating threats like Zloader requires a multi-layered approach involving both technology and employee training. Companies must implement advanced detection systems capable of identifying unknown threats and blocking suspicious communications, such as those involving DNS tunneling or HTTPS. 
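The kind of detection the paragraph above calls for, and the DNS tunneling C2 channel described earlier, can be prototyped as a heuristic over DNS resolver logs. The following is an added example written for this article; it is not code from the article, from Zloader, or from any vendor product. It assumes a constructed log format of `<epoch> <client_ip> <qtype> <qname>`, sample lines that are made up for the demonstration (the `c2-placeholder.test` domain is a placeholder, not a real indicator), and threshold values chosen for illustration. Each (client, registered domain) pair is scored on four signals that tunneled C2 and DGA-style lookups tend to share: mostly unique subdomains, high-entropy labels, long query names, and payload-carrying record types such as TXT.

```python
"""Heuristic DNS tunneling / DGA-style lookup detector over constructed resolver logs."""
import math
from collections import defaultdict

# Record types commonly used to carry opaque payloads in tunneled traffic.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME", "MX"}

# Tunable thresholds (assumed values chosen for this example, not taken from the article).
UNIQUE_RATIO = 0.8     # share of queries that use a subdomain not seen before for this pair
MIN_ENTROPY = 3.5      # mean Shannon entropy (bits/char) of the subdomain part
MIN_QNAME_LEN = 40     # mean full query-name length
PAYLOAD_RATIO = 0.5    # share of queries using payload-carrying record types
MIN_QUERIES = 5        # ignore (client, domain) pairs with too few queries to judge
MIN_REASONS = 2        # require two independent signals before flagging


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for empty input."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Parse one constructed log line: '<epoch> <client_ip> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client,
            "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")}


def base_domain(qname: str) -> str:
    """Registered domain approximated as the last two labels.
    A production tool would consult the public suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname: str, base: str) -> str:
    """Labels left of the registered domain, with the dots removed."""
    prefix = qname[: -len(base)].rstrip(".")
    return prefix.replace(".", "")


def analyze(lines):
    """Group queries by (client, base domain) and return a list of findings."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            groups[(rec["client"], base_domain(rec["qname"]))].append(rec)

    findings = []
    for (client, base), recs in groups.items():
        if len(recs) < MIN_QUERIES:
            continue
        subs = [subdomain_part(r["qname"], base) for r in recs]
        unique_ratio = len(set(subs)) / len(recs)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(recs)
        mean_len = sum(len(r["qname"]) for r in recs) / len(recs)
        payload_ratio = sum(r["qtype"] in PAYLOAD_QTYPES for r in recs) / len(recs)

        reasons = []
        if unique_ratio >= UNIQUE_RATIO:
            reasons.append("mostly unique subdomains")
        if mean_entropy >= MIN_ENTROPY:
            reasons.append("high-entropy labels")
        if mean_len >= MIN_QNAME_LEN:
            reasons.append("long query names")
        if payload_ratio >= PAYLOAD_RATIO:
            reasons.append("payload-carrying record types")
        if len(reasons) >= MIN_REASONS:
            findings.append({"client": client, "domain": base, "queries": len(recs),
                             "mean_entropy": round(mean_entropy, 2), "reasons": reasons})
    return findings


# Constructed sample log: one ordinary client, one client with tunnel-like TXT lookups,
# and one client with too few queries to judge. None of this is real traffic.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A mail.example.com
1700000002 10.0.0.5 A www.example.com
1700000003 10.0.0.5 A api.example.com
1700000004 10.0.0.5 A www.example.com
1700000005 10.0.0.5 A mail.example.com
1700000006 10.0.0.7 TXT k3x9q2vz7pm4wn8ty1fb6rjc.c2-placeholder.test
1700000007 10.0.0.7 TXT c6jr1yb8fn4tw7mp2zv9qx3k.c2-placeholder.test
1700000008 10.0.0.7 TXT 9xq3vz2k7mp4wn8ty1fb6rjc.c2-placeholder.test
1700000009 10.0.0.7 TXT w8tn4pm7zv2qk3x9y1fb6rjc.c2-placeholder.test
1700000010 10.0.0.7 TXT f1yb6rjcx3k9q2vz7pm4wn8t.c2-placeholder.test
1700000011 10.0.0.7 TXT t8nw4mp7zv2q9xk3cjr1yb6f.c2-placeholder.test
1700000012 10.0.0.9 A cdn.example.org
1700000013 10.0.0.9 A cdn.example.org
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

Requiring two independent signals is deliberate: CDNs, telemetry and anti-spam services also generate many unique subdomains, so a single feature on its own produces noisy alerts. A real deployment would also baseline per-domain query volume over time and replace the two-label domain approximation with a public suffix list lookup.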

Additionally, businesses must ensure employees are aware of email phishing risks and equipped to recognize deceptive tactics. Only through a joint effort can the impact of malicious tools like Zloader be mitigated. 

To conclude…

Zloader is a sophisticated and evolving malware threat. Its ability to bypass defenses and serve multiple malicious purposes makes it a significant danger in the cyber security landscape.

Constantly monitoring its developments and adopting proactive measures are crucial steps to protect systems and data. 


Questions and answers

  1. What is Zloader? 
    It is a banking Trojan derived from the Zeus malware, used to steal sensitive data and distribute other malicious payloads. 
  2. What are its main features? 
    Defense evasion, modular payload distribution, and advanced techniques such as DNS tunneling to hide communications. 
  3. How is it distributed? 
    Via phishing emails, compromised RDP connections, and other targeted social engineering campaigns. 
  4. Why is it considered a sophisticated threat? 
    Due to its detection evasion capabilities and advanced functionalities introduced in recent versions. 
  5. What techniques does it use to hide communications? 
    DNS tunneling, HTTPS with POST requests, and other cryptographic methods. 
  6. What industries has Zloader targeted? 
    The malware has affected various sectors, often targeting financial institutions and vulnerable businesses. 
  7. How can companies protect against Zloader? 
    Implement advanced security solutions, train employees on phishing risks, and monitor network traffic. 
  8. What makes the latest version of Zloader unique? 
    An interactive shell for executing files and code, along with a custom DNS protocol for C2 communications. 
  9. What threats are associated with Zloader? 
    The malware is often used to facilitate ransomware attacks and steal sensitive information. 
  10. What does the future hold for Zloader? 
    As its capabilities evolve, Zloader will continue to pose significant challenges to global cyber security. 