A new campaign delivering the ZLoader malware has been discovered [1] [2] [3], marking its return after a coordinated takedown dismantled its infrastructure in April 2022 [1] [2] [3] [4]. The variant, under development since September 2023 [1] [2] [3], introduces significant changes, including RSA encryption and support for 64-bit Windows [2] [3].


ZLoader, also known as Terdot or DELoader, started life as a banking trojan before being repurposed as a loader for ransomware [1] [2] [3] [4]. It is commonly distributed through phishing emails and malicious search engine ads [1] [2] [3] [4]. The latest versions add junk code and string obfuscation to slow down analysis [4]. Each component will only run when it is executed under a specific filename, so a sample that has been renamed, as automated sandboxes often do, does not execute [4]. The static configuration is encrypted with RC4 under a hard-coded key [1] [3], and an updated domain generation algorithm (DGA) provides a fallback channel when the primary command-and-control servers are unreachable [1] [2] [3].
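The RC4-with-hard-coded-key design described above is what makes static configuration extraction practical once the key has been recovered from a sample: RC4 is symmetric, so the same routine that the malware uses to decrypt its config can be reimplemented in a few lines and run over the embedded blob. The following is an added example, not code from the articles cited or from ZLoader itself. The key, the config layout (pipe-separated `key=value` fields) and the encrypted blob are all constructed here for illustration; the only thing the example takes from the page is the use of RC4 with a fixed key. The plausibility check is included because a wrong key or wrong offset into the binary silently yields garbage rather than an error.

```python
"""Decrypt an RC4-encrypted static configuration blob using a hard-coded key.

Added example (not from the cited articles or from ZLoader). The key,
the config format and the sample blob are constructed stand-ins.
"""
import string


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    # Key-scheduling algorithm: permute S according to the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: emit one keystream byte per call.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_plausible(blob: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: a correctly decrypted text config is almost all printable ASCII.

    A wrong key produces byte-uniform output, so roughly 40% printable at best;
    a 90% threshold separates the two cleanly for blobs of realistic size.
    """
    if not blob:
        return False
    printable = sum(1 for b in blob if chr(b) in string.printable)
    return printable / len(blob) >= threshold


def extract_config(blob: bytes, key: bytes) -> dict:
    """Decrypt `blob` with `key` and parse it as '|'-separated key=value fields.

    Repeated keys (e.g. several C2 URLs) are collected into a list.
    Raises ValueError if the decrypted data does not look like text, which is
    the usual symptom of a wrong key or a wrong offset into the sample.
    """
    plain = rc4_crypt(key, blob)
    if not looks_plausible(plain):
        raise ValueError("decrypted data is not mostly printable: wrong key or offset")
    cfg: dict = {}
    for field in plain.decode("ascii").split("|"):
        k, _, v = field.partition("=")
        cfg.setdefault(k, []).append(v)
    return cfg


# --- constructed sample data (hypothetical key and config, not real IOCs) ---
HYPOTHETICAL_KEY = b"example-hardcoded-key"
SAMPLE_CONFIG = (
    b"botnet=example|campaign=test"
    b"|c2=hxxps://c2.example.invalid/gate.php"
    b"|c2=hxxps://backup.example.invalid/gate.php"
)
# What an analyst would actually carve out of a sample: the encrypted blob.
ENCRYPTED_CONFIG = rc4_crypt(HYPOTHETICAL_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    for name, urls in extract_config(ENCRYPTED_CONFIG, HYPOTHETICAL_KEY).items():
        print(f"{name}: {urls}")
    try:
        extract_config(ENCRYPTED_CONFIG, b"wrong-key")
    except ValueError as exc:
        print("wrong key detected:", exc)
```

In practice the key is located in the sample (it is hard-coded, so it sits in the binary or is rebuilt by a short routine at runtime) and the blob is carved from the data section; the plausibility check is what tells you whether the offset and key you picked are right before you start parsing.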


The resurgence of ZLoader is expected to lead to new ransomware attacks [3] [4]. Researchers caution that the addition of RSA encryption and 64-bit Windows support broadens the set of hosts it can run on and makes its traffic harder to inspect. Because the initial access vectors remain phishing emails and malicious search engine ads, user awareness and mail and web filtering remain the first line of defense. The hard-coded RC4 key and the DGA are also useful to defenders: the former allows configuration extraction from captured samples, and the latter can be reproduced to pre-compute fallback domains for blocking. Continued monitoring of the evolving loader is necessary to keep those detections current.


[1] https://ciso2ciso.com/new-zloader-malware-variant-surfaces-with-64-bit-windows-compatibility-sourcethehackernews-com/
[2] https://vulners.com/thn/THN:173F56F021675D7716038B0436BED8F3
[3] https://flyytech.com/2024/01/30/new-zloader-malware-variant-surfaces-with-64-bit-windows-compatibility/
[4] https://thehackernews.com/2024/01/new-zloader-malware-variant-surfaces.html