Keypoints
- Zloader returned after a hiatus with new loader changes including native 64-bit builds and updated obfuscation.
- The loader resolves most API imports at runtime using a sample-specific hashing/XOR scheme to hinder static analysis.
- Obfuscation now includes added junk arithmetic code, XOR string encryption with per-sample keys, and filename checks to evade sandboxes.
- Static configuration remains RC4-encrypted but now contains a fixed-offset RSA public key used for network encryption.
- The updated DGA generates 32 .com domains per day, seeded with the current day's midnight local time converted to UTC; each domain is 20 characters long.
- Network traffic uses HTTP POST with a Zeus BinStorage payload: a 128-byte RSA-encrypted RC4 key followed by RC4 + “visual” encryption of the payload.
MITRE Techniques
- [T1027] Obfuscated Files or Information – used via “junk code for obfuscation, as well as API import hashing and string encryption” (‘…uses junk code for obfuscation, as well as API import hashing and string encryption in an attempt to hinder malware analysis…’).
- [T1497] Virtualization/Sandbox Evasion – implemented by a filename check that prevents execution if the filename doesn’t match the expected value (‘…expects to be executed with a specific filename. If the filename does not match what the sample expects, it will not execute further.’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication is conducted over HTTP POST requests (‘…continues to use HTTP POST requests to communicate with its C2 server.’).
- [T1483] Domain Generation Algorithms – the malware falls back to a DGA that generates 32 domains per day using the local system time at midnight as a seed (‘…The code generates 32 domains per day by using the local system time at midnight (converted to UTC) as a seed.’).
- [T1573] Encrypted Channel – network payloads are protected using a 1,024-bit RSA-encrypted RC4 key plus Zeus “visual encryption” (‘…network encryption is now using 1,024-bit RSA with RC4 and the Zeus “visual encryption” algorithms.’).
Indicators of Compromise
- [File hash] Zloader sample hashes – 038487af6226adef21a29f3d31baf3c809140fcb408191da8bc457b6721e3a55, 16af920dd49010cf297b03a732749bb99cc34996f090cb1e4f16285f5b69ee7d, and 13 more hashes.
- [C2 domains] Zloader C2 URLs – https://adslstickerhi[.]world, https://adslstickerni[.]world, https://dem.businessdeep[.]com.
- [Filenames] Anti-sandbox expected filenames – CodeForge.exe, IonBeacon.dll, and 9 more names observed (e.g., CyberMesh.exe, UltraApp.exe).
- [Botnet IDs] Observed botnet identifiers – Bing_Mod2, Bing_Mod3, and 2 more (Bing_Mod4, Bing_Mod5).
Zloader’s loader module now resolves nearly all API imports at runtime using a per-sample hashing algorithm combined with an XOR constant, leaving the static import table almost empty and hindering automated analysis. The loader inserts junk arithmetic sequences and XOR-encrypts its strings with per-sample keys stored in .rdata; it also enforces a filename check (samples expect specific names such as CodeForge.exe) and will not execute further if the name does not match, which defeats sandboxes that rename submitted samples. When detonating a sample, run it under the filename it expects. Because the hash algorithm, XOR constant and string keys change per sample, recovering runtime strings and API calls has to be redone for each new build.
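As an added illustration (not code from the Zscaler analysis or from Zloader itself), the following Python shows the analyst-side workflow for runtime import hashing once the per-sample algorithm has been reversed: precompute hashes for candidate export names, then resolve the constants read out of the binary. The ROR-13 hash and the XOR constant 0xA5C3E1F0 are placeholders standing in for the sample-specific scheme, and the export list is constructed; only the structure of the lookup carries over to a real sample.

```python
"""Reverse-lookup table for hashed API imports (illustrative, not Zloader's algorithm)."""
from typing import Dict, Iterable, List, Optional

# Constructed stand-in: the real hash routine and XOR constant are sample-specific
# and must be recovered from the loader's import-resolution code.
XOR_CONSTANT = 0xA5C3E1F0

# Constructed candidate export names; in practice these come from DLL export tables.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "NtQueryInformationProcess", "GetModuleFileNameW",
]


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name: str, xor_constant: int = XOR_CONSTANT) -> int:
    """Placeholder ROR-13 string hash, XORed with the per-sample constant."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h ^ xor_constant


def build_lookup(names: Iterable[str], xor_constant: int = XOR_CONSTANT) -> Dict[int, str]:
    """Map hash -> export name, refusing to silently swallow collisions."""
    table: Dict[int, str] = {}
    for name in names:
        h = api_hash(name, xor_constant)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Resolve hash constants pulled from the binary; None marks an unknown export."""
    return [table.get(h) for h in hashes]


def demo() -> List[Optional[str]]:
    table = build_lookup(CANDIDATE_EXPORTS)
    # Constructed: hash constants as they would be read out of the sample's resolver calls.
    observed = [api_hash("VirtualAlloc"), api_hash("GetProcAddress"), 0xDEADBEEF]
    return resolve(observed, table)


if __name__ == "__main__":
    print(demo())
```

The table is only valid for the XOR constant (and hash routine) of the sample it was built for; a table built under another sample's constant resolves nothing, which is exactly the per-sample cost the loader imposes.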
The static configuration remains RC4-encrypted with a hardcoded alphanumeric key, but the network encryption scheme has changed: a 1,024-bit RSA public key embedded in the configuration replaces the old RC4-only scheme. For C2, Zloader sends HTTP POST requests carrying a Zeus BinStorage blob: the first 128 bytes are a 32-byte random RC4 key encrypted with that RSA public key, and the remainder is the BinStorage payload protected with RC4 plus the Zeus “visual” encryption. The BinStorage uses integer item IDs and length-prefixed fields (examples: 10001 bot ID, 10002 botnet ID, 10025 campaign ID) to structure the “hello” message. A practical consequence of the RSA wrapping is that a captured POST body cannot be decrypted from the traffic alone; the per-message RC4 key has to be recovered from the running process, for example from a sandbox memory dump.
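As an added example (not code from the original analysis or from Zloader), the following Python builds and decodes a “hello” message in the framing the page describes: a 128-byte RSA slot followed by a BinStorage payload under RC4 plus Zeus visual encryption. Assumptions, each labelled in the code: items are laid out as a 4-byte ID, a 4-byte length and the data (a simplification of the real BinStorage item header); visual encryption is applied before RC4, as in Zeus; and, because only the operator’s private key can open the RSA slot, the decoder takes the RC4 key from the analyst (e.g., a memory dump) while the bot side fills the slot with constructed bytes.

```python
"""Encode/decode a Zeus BinStorage-style 'hello' under RC4 + visual encryption (added example)."""
import os
import struct
from typing import Dict

RSA_SLOT_LEN = 128   # 1,024-bit RSA ciphertext carrying the per-message RC4 key
RC4_KEY_LEN = 32     # the RC4 key is 32 random bytes

# Item IDs named in the analysis.
ID_BOT_ID = 10001
ID_BOTNET_ID = 10002
ID_CAMPAIGN_ID = 10025

ITEM_HDR = struct.Struct("<II")  # assumed simplified item layout: id, length, then data


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """Zeus visual encryption: each byte is XORed with the previous ciphertext byte."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse: walk backwards so buf[i-1] is still ciphertext when it is used."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def pack_items(items: Dict[int, bytes]) -> bytes:
    return b"".join(ITEM_HDR.pack(item_id, len(v)) + v for item_id, v in items.items())


def parse_items(blob: bytes) -> Dict[int, bytes]:
    """Parse id/length/data items, rejecting truncated headers and overlong fields."""
    items: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + ITEM_HDR.size > len(blob):
            raise ValueError("truncated item header")
        item_id, length = ITEM_HDR.unpack_from(blob, off)
        off += ITEM_HDR.size
        if off + length > len(blob):
            raise ValueError(f"item {item_id} length {length} exceeds payload")
        items[item_id] = blob[off:off + length]
        off += length
    return items


def build_hello(items: Dict[int, bytes], rc4_key: bytes, rsa_slot: bytes) -> bytes:
    """Bot side: RSA slot, then the packed items visual-encrypted and RC4'd (assumed order)."""
    if len(rsa_slot) != RSA_SLOT_LEN or len(rc4_key) != RC4_KEY_LEN:
        raise ValueError("bad RSA slot or RC4 key length")
    return rsa_slot + rc4(rc4_key, visual_encrypt(pack_items(items)))


def decode_post_body(body: bytes, rc4_key: bytes) -> Dict[int, bytes]:
    """Analyst side: skip the RSA slot, undo RC4 then visual encryption, parse the items."""
    if len(body) < RSA_SLOT_LEN:
        raise ValueError("body shorter than the RSA slot")
    return parse_items(visual_decrypt(rc4(rc4_key, body[RSA_SLOT_LEN:])))


def demo() -> Dict[int, bytes]:
    """Round trip on constructed values; the RSA slot is random filler since we hold no operator key."""
    items = {ID_BOT_ID: b"WIN10-LAB_3F2A9C1E", ID_BOTNET_ID: b"Bing_Mod2", ID_CAMPAIGN_ID: b"camp_demo"}
    rc4_key = os.urandom(RC4_KEY_LEN)
    body = build_hello(items, rc4_key, os.urandom(RSA_SLOT_LEN))
    return decode_post_body(body, rc4_key)


if __name__ == "__main__":
    print(demo())
```

The bounds checks in parse_items matter when decoding real captures: a wrong RC4 key or a truncated body yields garbage lengths, and an unchecked parser would read past the buffer instead of failing loudly.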
When the primary C2 is unavailable, Zloader falls back to a DGA that generates 32 domains per day, seeded with the local system time at midnight converted to UTC; each domain is 20 characters long with a .com TLD. Because the seed depends only on the date, the day’s domain set can be precomputed for blocking once the algorithm has been reproduced. The new loader also ships native 64-bit builds. Code samples replicating the API hashing, string decryption, and DGA are available from the author’s tools/GitHub repository linked in the original analysis.
Read more: https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night