1 May 2024

ZLoader malware resurfaces with anti-analysis feature

ZLoader, a notorious modular trojan also known as Terdot, DELoader, or Silent Night, has resurfaced again, with new variants implementing more advanced features.

Based on the infamous Zeus banking trojan, ZLoader made a comeback around September 2023 after lying dormant for almost two years following its takedown in early 2022. Since its resurgence, the malware has been continuously evolving, incorporating new features and techniques.

The latest development in ZLoader's evolution is the reintroduction of an anti-analysis feature similar to one in the original ZeuS v2.x. The feature, which restricts execution of ZLoader's binary to the machine it originally infected, had been dropped by many Zeus-based malware families, including earlier versions of ZLoader.

“The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection. A similar anti-analysis feature was present in the leaked ZeuS 2.X source code, but implemented differently,” the Zscaler researchers said in a technical write-up on the threat.

The anti-analysis mechanism implemented in ZLoader terminates the malware if it detects that it is running on a system other than the one it originally compromised. It does this through a series of checks: verification of specific Windows Registry keys and values, followed by a secondary check against the malware's own MZ header.

According to the researchers, “the Registry key and value are generated based on a hardcoded seed that is different for each sample. If the Registry key/value pair is manually created or this check is patched, ZLoader will successfully inject itself into a new process. However, it will terminate again after executing only a few instructions due to a secondary check in ZLoader's MZ header.”

As a result, ZLoader will not run on a different machine unless the conditions of the original infection are reproduced: the correct seed and MZ header values, and the same Registry entries and disk paths/names as on the originally compromised system.
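To make the MZ-header side of this concrete from the analyst's seat, here is an added example (not code from this article or from Zscaler's write-up) that parses the 64-byte IMAGE_DOS_HEADER of a Windows executable and flags fields that ordinary linkers leave at zero, which is where a value planted by a sample would stand out when a collected binary is compared against a clean build or against a second copy of the same sample. The article does not say which header field ZLoader uses, so the list of "normally zero" fields and the marker planted in `e_res[0]` are assumptions; the sample header is constructed inline.

```python
import struct
import sys
from typing import Dict, List, Tuple

# Field names of IMAGE_DOS_HEADER in on-disk order: 30 WORDs, then one DWORD (e_lfanew).
DOS_FIELDS: List[str] = (
    ["e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
     "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno"]
    + [f"e_res[{i}]" for i in range(4)]
    + ["e_oemid", "e_oeminfo"]
    + [f"e_res2[{i}]" for i in range(10)]
    + ["e_lfanew"]
)
DOS_STRUCT = struct.Struct("<30HI")  # 64 bytes, little-endian, no padding

# Fields a normal Windows linker leaves at zero. A non-zero value is only a triage
# signal (assumption: a heuristic, not ZLoader's documented header layout).
EXPECTED_ZERO = (
    {f"e_res[{i}]" for i in range(4)}
    | {f"e_res2[{i}]" for i in range(10)}
    | {"e_oemid", "e_oeminfo", "e_crlc", "e_minalloc", "e_csum", "e_ip", "e_cs", "e_ovno"}
)


def parse_dos_header(data: bytes) -> Dict[str, int]:
    """Unpack the DOS header at offset 0 into a field-name -> value map."""
    if len(data) < DOS_STRUCT.size:
        raise ValueError("input shorter than an IMAGE_DOS_HEADER (64 bytes)")
    header = dict(zip(DOS_FIELDS, DOS_STRUCT.unpack_from(data, 0)))
    if header["e_magic"] != 0x5A4D:  # b"MZ" read as a little-endian WORD
        raise ValueError("no MZ signature at offset 0")
    off = header["e_lfanew"]
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    return header


def unusual_dos_fields(header: Dict[str, int]) -> List[str]:
    """Names of normally-zero DOS header fields that carry a value."""
    return [name for name in DOS_FIELDS if name in EXPECTED_ZERO and header[name] != 0]


def diff_dos_headers(a: Dict[str, int], b: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Fields whose values differ between two headers, e.g. two copies of one sample."""
    return {name: (a[name], b[name]) for name in DOS_FIELDS if a[name] != b[name]}


def build_sample_header(marker: int = 0) -> bytes:
    """Constructed header: the usual MSVC DOS-stub values, e_lfanew = 0x40, and a
    PE signature right after it. `marker` goes into e_res[0] to simulate a
    sample-specific value stored in the MZ header."""
    words = [0x5A4D, 0x90, 0x3, 0x0, 0x4, 0x0, 0xFFFF, 0x0, 0xB8, 0x0, 0x0, 0x0, 0x40, 0x0]
    words += [marker, 0, 0, 0]   # e_res[0..3]
    words += [0, 0]              # e_oemid, e_oeminfo
    words += [0] * 10            # e_res2[0..9]
    return DOS_STRUCT.pack(*words, 0x40) + b"PE\0\0"


if __name__ == "__main__":
    # With a file argument, inspect that file; otherwise run on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header(0x1337)
    hdr = parse_dos_header(data)
    for name in unusual_dos_fields(hdr):
        print(f"{name:12s} = {hdr[name]:#06x}  (normally zero)")
```

Run it against a sample and against a clean build of the same stub; `diff_dos_headers` is the quicker route when two copies of one sample are on hand, since a per-machine value will differ between them while everything else in the header stays identical.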

“In recent versions, Zloader has adopted a stealthy approach to system infections. This new anti-analysis technique makes Zloader even more challenging to detect and analyze,” Zscaler noted.
