From zscaler.com
Introduction
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. As detailed in our previous blog, Zloader reemerged following an almost two-year hiatus with a new iteration that included modifications to its obfuscation techniques, domain generation algorithm (DGA), and network communication.
Most recently, Zloader has reintroduced an anti-analysis feature similar to one that was present in the original ZeuS 2.x code. The feature restricts Zloader’s binary execution to the infected machine. This characteristic of ZeuS was abandoned by many malware variants derived from the leaked source code including Zloader, until now. In this blog post, we explain how this anti-analysis feature works and how it differs from the original ZeuS implementation.
Key Takeaways
- Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on the leaked ZeuS source code dating back to 2015.
- Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus.
- The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection. A similar anti-analysis feature was present in the leaked ZeuS 2.X source code, but implemented differently.