Security researchers have identified a new variant of the ZLoader malware that uses sophisticated DNS tunneling techniques to hide its command-and-control communications, marking the latest evolution of this dangerous threat.
The updated version 2.9.4.0 of ZLoader introduces several advanced capabilities, including an interactive shell supporting multiple commands and custom DNS tunneling protocols, according to findings published by Zscaler ThreatLabz.
This revival comes more than a year after ZLoader's infrastructure was dismantled in 2022, with the first new campaigns spotted in September 2023. The malware, also known as Terdot, DELoader, or Silent Night, is a loader descended from the Zeus banking trojan whose main job is to deliver additional payloads onto infected systems.
The malware authors have implemented multiple evasion techniques, including a domain generation algorithm (DGA) as a fallback for reaching command-and-control servers and anti-analysis checks intended to stop the sample from running in a sandbox or on a researcher's machine. Recent attacks show ZLoader increasingly tied to Black Basta ransomware operations, where victims are contacted by attackers posing as technical support and talked into opening a remote desktop session that is then used to install the loader.
A key addition in the latest variant is an interactive shell allowing operators to:
- Execute arbitrary binaries and DLLs
- Run shellcode
- Exfiltrate data from the host
- Enumerate and terminate running processes
While the malware keeps HTTPS POST requests as its primary communication method, the new DNS tunneling feature adds a secondary, stealthier channel: encrypted command-and-control traffic is encoded into DNS queries and responses, which most networks allow outbound by default and rarely inspect for content.
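The article does not document ZLoader's DNS tunneling protocol, so the following is an added, generic example of the kind of detection a defender would run over DNS query logs rather than code from ZLoader or from Zscaler. It profiles each registered domain for the traits DNS tunnels tend to share (long, high-entropy subdomain labels that almost never repeat, often with TXT or NULL queries) and flags domains that cross several thresholds at once. The log lines, domain names, client addresses and thresholds are all constructed for the example; the "last two labels" rule for the registered domain is a simplification (real deployments should use the Public Suffix List).

```python
"""Heuristic DNS-tunneling detector over DNS query logs (added example).

Flags registered domains whose subdomains look like encoded payload
rather than hostnames. Not ZLoader's protocol; a generic tunnel heuristic.
"""
import math
from collections import defaultdict

# Constructed sample log, not real traffic: "<epoch> <client> <qtype> <qname>"
SAMPLE_LOG = """\
1700000001 10.0.0.5 A www.example.com
1700000002 10.0.0.5 A www.example.com
1700000003 10.0.0.6 AAAA mail.example.com
1700000004 10.0.0.6 A cdn.example.com
1700000005 10.0.0.7 A api.example.com
1700000006 10.0.0.7 A www.example.com
1700000010 10.0.0.9 TXT q7x3zkp9mw2tr8yhb4vn6cjl0ofgd5ae.k1.c2-example.net
1700000011 10.0.0.9 TXT 8hd2vmz4qx9pl3rt7ykf1wcn6bja0ges.k1.c2-example.net
1700000012 10.0.0.9 TXT zp4w9kq2xm7vh3tr1bn8yl6cj5fd0gao.k1.c2-example.net
1700000013 10.0.0.9 TXT m3k8qz1xp7wr2vt9yh4nb6lc5jf0dga2.k1.c2-example.net
1700000014 10.0.0.9 TXT x9q2zm7kp3wt8rv1yn4hb6cl5jf0dgax.k1.c2-example.net
1700000015 10.0.0.9 TXT k2p9xq7zm3wv8tr1hy4nb6lc5jf0dgam.k1.c2-example.net
1700000016 10.0.0.9 TXT w7z3qk9xp2mt8vr1yh4bn6cl5jf0dg5x.k1.c2-example.net
1700000017 10.0.0.9 TXT r8m2xk9qz7pw3vt1hy4nb6lc5jf0dga3.k1.c2-example.net
"""

# Thresholds are assumptions for the example; tune them per environment.
MIN_QUERIES = 5          # ignore domains with too little traffic to judge
MIN_UNIQUE_RATIO = 0.9   # tunnels rarely repeat a query name
MIN_MEAN_ENTROPY = 3.5   # bits/char; hostnames like "www" score far lower
MIN_MEAN_SUBDOMAIN_LEN = 30
UNCOMMON_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse whitespace-separated log lines into dicts; skips malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": int(ts), "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")})
    return records


def split_name(qname: str):
    """Return (registered_domain, subdomain_chars) using a last-two-labels rule.
    Assumption for the example; production code should consult the Public Suffix List."""
    labels = qname.split(".")
    if len(labels) < 2:
        return qname, ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def profile_domains(records: list) -> dict:
    """Aggregate per-registered-domain statistics used by the heuristic."""
    buckets = defaultdict(list)
    for r in records:
        domain, sub = split_name(r["qname"])
        buckets[domain].append((r["qname"], sub, r["qtype"]))
    stats = {}
    for domain, rows in buckets.items():
        n = len(rows)
        stats[domain] = {
            "queries": n,
            "unique_ratio": len({q for q, _, _ in rows}) / n,
            "mean_entropy": sum(shannon_entropy(s) for _, s, _ in rows) / n,
            "mean_subdomain_len": sum(len(s) for _, s, _ in rows) / n,
            "uncommon_qtype_ratio": sum(t in UNCOMMON_QTYPES for _, _, t in rows) / n,
        }
    return stats


def suspicious_domains(text: str) -> list:
    """Return [(domain, [reasons])] for domains that look like tunnel endpoints."""
    flagged = []
    for domain, s in sorted(profile_domains(parse_log(text)).items()):
        if s["queries"] < MIN_QUERIES or s["unique_ratio"] < MIN_UNIQUE_RATIO:
            continue
        reasons = []
        if s["mean_entropy"] >= MIN_MEAN_ENTROPY:
            reasons.append(f"mean entropy {s['mean_entropy']:.2f} bits/char")
        if s["mean_subdomain_len"] >= MIN_MEAN_SUBDOMAIN_LEN:
            reasons.append(f"mean subdomain length {s['mean_subdomain_len']:.0f}")
        if s["uncommon_qtype_ratio"] >= 0.5:
            reasons.append(f"{s['uncommon_qtype_ratio']:.0%} TXT/NULL queries")
        if reasons:  # needs high unique ratio plus at least one payload-like trait
            flagged.append((domain, reasons))
    return flagged


if __name__ == "__main__":
    for domain, reasons in suspicious_domains(SAMPLE_LOG):
        print(f"{domain}: {'; '.join(reasons)}")
```

Expect false positives from services that legitimately put hashes in hostnames (CDNs, DNS-based blocklists, some antivirus cloud lookups), so treat hits as leads to correlate with the originating process rather than as verdicts. Because ZLoader still prefers HTTPS POST, DNS monitoring complements rather than replaces proxy and TLS inspection.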
The discovery suggests the threat actors are focused on avoiding detection while expanding their role as initial access brokers for ransomware operations. Security experts note that the malware continues to evolve, with each release adding anti-analysis techniques designed to slip past security controls and frustrate reverse engineering.
This development represents a concerning advancement in malware sophistication, highlighting the ongoing arms race between cybercriminals and security professionals.