Keypoints
- Zloader (aka Terdot/DELoader/Silent Night) revived with new obfuscation, DGA and network communication changes after a hiatus.
- Versions 2.4.1.0+ implement an anti-analysis check that aborts execution if the binary is copied to a different system.
- The anti-analysis relies on a per-sample hardcoded seed used to generate a registry key/value and RC4 keys; a Python snippet in the original shows the registry-name algorithm.
- A secondary check reads a DWORD at offset 0x30 in the PE MZ header which points to the seed; if the pointer is invalid the sample exits after injection.
- The seed is initialized on first run using a pseudo-random QWORD from the Mersenne Twister; this seed is later used to create registry names and RC4 keys for encrypted installation data (1,418 bytes).
- Zloader injects into a new process when the checks pass, but will terminate early if registry/MZ header values are not present or correctly initialized.
- The technique is functionally similar to ZeuS’s PeSettings overlay, though Zloader stores encrypted install data in the registry rather than an overlay section.
MITRE Techniques
- [T1497] Virtualization/Sandbox Evasion – Zloader aborts when copied to a different system: ‘Zloader samples with versions greater than 2.4.1.0 will abruptly terminate if they are copied and executed on another system after the initial infection.’
- [T1112] Modify Registry – Zloader checks for a specific registry key/value generated from a hardcoded seed to determine if it should run: ‘This is due to a Windows registry check for the presence of a specific key and value.’
- [T1055] Process Injection – The loader injects into a new process after passing initial checks: ‘Zloader will successfully inject itself into a new process.’
- [T1027] Obfuscated Files or Information – Installation data is encrypted and obfuscated using RC4 and a per-sample seed to hide machine-specific artifacts: ‘The content has a fixed length of 1,418 bytes and is encrypted with RC4.’
- [T1583] Acquire Infrastructure (Domain Generation) – The malware uses a modified domain generation algorithm and updated network communication for its C2: ‘modifications to its obfuscation techniques, domain generation algorithm (DGA), and network communication.’
Indicators of Compromise
- [SHA256] Zloader samples – cba9578875a3e222d502bb6a85898939bb9e8e247d30fcc0d44d83a64919f448, 85962530c71cd31c102853d64a8829f93b63bd1406bdec537b9d8c200f8f0bcc (and 2 more hashes)
- [URL] Zloader C2 domains – https://eingangfurkunden[.]digital/, https://citscale[.]com/api.php (and 2 more C2 URLs)
Zloader’s recent technical changes focus on ensuring a binary only runs on the originally infected host by creating and validating machine-specific artifacts. On first execution the sample generates a pseudo-random QWORD seed (Mersenne Twister) and writes a registry key/value whose names are derived from an algorithm keyed by the hardcoded per-sample seed; the blog reproduces the registry-name algorithm in Python. On subsequent runs the malware verifies the registry key/value and also checks a DWORD stored at MZ header offset 0x30, which acts as a pointer to the seed’s offset. If this pointer points beyond the binary, or the registry entry is missing or mismatched, execution halts (the sample may still inject but terminates after a few instructions).
The seed is used to derive RC4 keys and generate a fixed-length (1,418 bytes) encrypted blob stored in the registry that contains install path, module entries and a victim-specific RC4 S-box; without the correct seed and MZ header initialization the loader will not install or run on another system unless patched or the original environment is fully replicated. Functionally this mirrors ZeuS’s PeSettings overlay (which stored encrypted install info in an overlay section), but Zloader implements it via registry storage and per-sample seed initialization to impede sandboxing and analysis.
The practical result is that analysts will see samples that appear inert when executed in replicated environments unless the registry names, seed, and MZ header values match the original victim state; attackers can also distribute pre-initialized binaries to target systems directly. Detection should focus on the distinctive registry artifacts, the MZ header DWORD usage, RC4-encrypted 1,418-byte registry blobs, and related C2 domains/hashes listed above.
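As an added triage example (not code from the Zscaler post or from Zloader itself), the following Python reads the DWORD at MZ header offset 0x30 that the summary describes and classifies a file as uninitialized, initialized, or carrying an out-of-bounds pointer, which is the state the summary says makes the sample exit. It assumes the DWORD is a raw file offset to the 8-byte seed; the summary does not say whether it is a file offset or an RVA. Offset 0x30 lies in the reserved e_res2 field of IMAGE_DOS_HEADER, which legitimate PEs leave zeroed, so a non-zero value there is itself a useful triage signal.

```python
import struct
from typing import Optional

SEED_PTR_OFFSET = 0x30   # inside e_res2 of IMAGE_DOS_HEADER; normally zero in legitimate PEs
DOS_HEADER_LEN = 0x40

def inspect_mz_seed_pointer(data: bytes) -> dict:
    """Classify a PE image by the DWORD at MZ header offset 0x30.

    Assumption (not stated in the summary): the DWORD is a raw file offset to the
    8-byte seed. Statuses: 'not-a-pe', 'uninitialized' (DWORD is zero),
    'out-of-bounds' (pointer past end of file; the summary says Zloader exits here),
    'initialized' (pointer in bounds; the QWORD there is reported as a candidate seed).
    """
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        return {"valid_pe": False, "pointer": None, "status": "not-a-pe"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"valid_pe": False, "pointer": None, "status": "not-a-pe"}
    pointer = struct.unpack_from("<I", data, SEED_PTR_OFFSET)[0]
    if pointer == 0:
        return {"valid_pe": True, "pointer": 0, "status": "uninitialized"}
    if pointer + 8 > len(data):
        return {"valid_pe": True, "pointer": pointer, "status": "out-of-bounds"}
    seed = struct.unpack_from("<Q", data, pointer)[0]   # candidate seed, a heuristic not proof
    return {"valid_pe": True, "pointer": pointer, "status": "initialized", "candidate_seed": seed}

def build_sample(pointer: int, seed: Optional[int] = None, size: int = 0x200) -> bytes:
    """Construct a minimal PE-shaped buffer for testing (constructed data, not a real binary)."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew -> "PE\0\0" at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", buf, SEED_PTR_OFFSET, pointer)
    if seed is not None and pointer + 8 <= size:
        struct.pack_into("<Q", buf, pointer, seed)
    return bytes(buf)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_mz_seed_pointer(fh.read()))
    else:
        # Constructed samples: untouched, initialized, and pointer beyond the file
        for sample in (build_sample(0), build_sample(0x100, 0x1122334455667788), build_sample(0x10000)):
            print(inspect_mz_seed_pointer(sample))
```

Run it against a suspected sample path to see which of the three states it is in; a non-zero in-bounds pointer is a candidate for the registry-artifact correlation described above.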
Read more: https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks