Introduction
Zloader (also known as Terdot, DELoader, or Silent Night) is a modular trojan built from the leaked Zeus source code. It first appeared publicly in 2016, targeting German banks in a carefully orchestrated campaign, but its activity dates back to at least August 2015.
Zloader’s initial run lasted until the beginning of 2018. It resurfaced at the end of 2019, rebranded as “Silent Night,” and from that point underwent substantial changes that culminated in version 2.0.0.0 around September 2021. In April 2022, a takedown operation carried out by security researchers dismantled the botnet, and the malware went quiet for an extended period.
The Resurgence: A New Chapter Unfolds
After a hiatus of almost two years, Zloader reemerged with a new iteration whose development began in September 2023. This version introduces a range of changes that underscore the trojan’s adaptability and the skill of its developers. Notable modifications include new obfuscation techniques, an updated domain generation algorithm (DGA), RSA encryption for network communications, and native support for 64-bit versions of Windows.
The new builds initially carried the old version number 2.0.0.0; continued refinement over the past several months has produced versions 2.1.6.0 and 2.1.7.0. In this post, we examine these updates in detail and describe the trojan’s evolving tactics and capabilities.
Key Takeaways: Understanding Zloader’s Legacy
- Historical Roots: Zloader’s origins trace back to 2015, and it gained traction on underground cybercriminal forums under the moniker “Silent Night” in late 2019.
- Takedown and Resurgence: Following a targeted takedown operation by security researchers in April 2022, Zloader returned after nearly two years of dormancy with a revamped version featuring substantial improvements.
- Major Loader Module Overhaul: The latest version of Zloader makes significant changes to its loader module: RSA encryption, an updated domain generation algorithm, and, for the first time, native support for 64-bit Windows operating systems.
- Persistent Obfuscation Tactics: Zloader continues to hinder malware analysis with junk code, API import hashing, and string encryption, reflecting a sustained effort to evade detection.
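The API import hashing named in the last takeaway is a technique analysts routinely undo by precomputing a lookup table: hash every export name a loader could plausibly resolve, then map the hash constants found in a sample back to readable API names. The script below is an added illustration, not code from the original post and not Zloader’s own resolver; it assumes a classic ROR13 hash purely for demonstration (Zloader’s actual hash algorithm is not described on this page), and the export list and observed hashes are constructed sample data.

```python
# Added example: build a hash -> API-name lookup table so hashed imports in a
# sample can be resolved during analysis. The ROR13 scheme is an assumption for
# illustration; substitute the algorithm recovered from the sample under study.

def ror13_hash(name: str) -> int:
    """Hash an export name: rotate a 32-bit accumulator right by 13, then add each byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_lookup(exports) -> dict:
    """Precompute hash -> name for every export the analyst expects a loader to resolve.
    A collision between two different names is reported rather than silently overwritten."""
    table = {}
    for name in exports:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} and {name!r} both hash to {h:#010x}")
        table[h] = name
    return table


def resolve(hashes, table) -> list:
    """Map hash constants observed in a sample back to API names.
    Hashes not in the table are labelled unknown so gaps in the export list are visible."""
    return [table.get(h, f"unknown_{h:08x}") for h in hashes]


# Constructed sample export list (a small subset of what a real table would hold).
SAMPLE_EXPORTS = [
    "LoadLibraryA",
    "GetProcAddress",
    "VirtualAlloc",
    "CreateFileW",
    "WriteFile",
    "RegSetValueExW",
]

if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    # Constructed "observed" constants: two real entries and one the table does not know.
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("RegSetValueExW"), 0xDEADBEEF]
    for h, name in zip(observed, resolve(observed, table)):
        print(f"{h:08x} -> {name}")
```

In practice the export list comes from the DLLs the loader is seen touching (for example by dumping export tables with a PE parser), and the unknown-hash labels tell the analyst which modules still need to be added to the table.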