The ZLoader malware, a descendant of the infamous Zeus banking trojan, has resurfaced with enhanced features designed to thwart analysis and prevent execution on any machine other than the one initially infected. As detailed by Santiago Vicente from Zscaler ThreatLabz, the latest version of ZLoader, marked as 2.4.1.0, includes an advanced anti-analysis mechanism that was once a hallmark of the Zeus trojan but has been reconfigured for ZLoader. This feature effectively binds the malware to the original host by checking for specific registry key values generated during the initial infection, leading to an abrupt termination of the malware if an attempt is made to run it on a different machine.
The anti-analysis feature in ZLoader is designed to complicate the tasks of cybersecurity researchers by preventing the malware’s operation outside its initial environment. The malware performs a registry check for a specific key and value which, if not found, triggers the malware to stop executing further. Additionally, even if these checks are bypassed or the required registry values are manually created, ZLoader will only execute a few commands before another safeguard stops it again, this time checking the MZ header in the malware’s code.
Aside from its anti-analysis tactics, ZLoader has also been updated with new encryption methods and improvements to its domain generation algorithm (DGA), enhancing its ability to evade detection and establish persistent infections. These updates demonstrate the malware authors’ commitment to evolving ZLoader’s capabilities, making it a formidable threat in the landscape of cyber threats. The malware’s persistence and sophistication in system infection underscore the continuous arms race between cybercriminals and cybersecurity defenses.
