Date: 12/12/2024
Severity: High
Summary
Zloader (also known as Terdot, DELoader, or Silent Night) is a modular Trojan derived from the leaked Zeus source code, first appearing in 2015. Initially designed for banking fraud through Automated Clearing House (ACH) and wire transfers, Zloader has since been repurposed for initial access, enabling ransomware deployment in corporate environments, similar to Qakbot and Trickbot. After a nearly two-year hiatus, Zloader resurfaced a year ago with a new version featuring enhanced obfuscation techniques, a refined domain generation algorithm (DGA), advanced anti-analysis measures, and updated network communication protocols.
Indicators of Compromise (IOC) List
Domains/URLs : | bigdealcenter.world, unitedcommunity.world, ns1.brownswer.com |
IP Address : | 45.61.152.154 |
Hash :
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs : | userdomainname like "ns1.brownswer.com" or url like "ns1.brownswer.com" or userdomainname like "bigdealcenter.world" or url like "bigdealcenter.world" or userdomainname like "unitedcommunity.world" or url like "unitedcommunity.world" |
IP Address : | dstipaddress IN ("45.61.152.154") or ipaddress IN ("45.61.152.154") or publicipaddress IN ("45.61.152.154") or srcipaddress IN ("45.61.152.154") |
Hash : |
sha256hash IN ("db34e255aa4d9f4e54461571469b9dd53e49feed3d238b6cfb49082de0afb1e4","22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764","2794a703aff5549a89834d0ef8ad4b97ce12e27fa37852dd2a504e5a0078b093","ec8414631644269ab230c222055beb36546ff3ee39cebbbfa7e794e2e609c8d9","603bd9ee50f7dc6de37f314bda227561f0fd67cdebf53a672ea32cce73a2efd3","40b4bb1919e9079d1172c5dee5ac7d96c5e80ede412b8e3ef382230a908733cc","3610f213db22a9de07dbbed4fbf6cec78b6dd4d58982c91f3a4ef994b53a8adc","49405370a33abbf131c5d550cebe00780cc3fd3cbe888220686582ae88f16af7","17a9900aff30928d54ce77bdcd0cdde441dd0215f8187bac0a270c5f8e4db9cc","f1a9ef13784ba05628c12decbbe44e7708793d1a707f9fbc2475c42e1ec2cb7d","d212042504f851253347754c3d3624628e7ebf7c0bbd8160220bf6edcff24f16","cbff717783ee597448c56a408a066aaae0279dd8606e6d99e52a04f0a7a55e03","a9f2c4bc268765fc6d72d8e00363d2440cf1dcbd1ef7ee08978959fc118922c9") |
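As an added illustration (not part of the advisory and not Gurucul code), the Python below applies the same indicators to a handful of constructed events that use the field names from the queries above; the event shape is assumed. It treats domain indicators as exact-or-subdomain hostname matches rather than substring matches, so a lookalike host that merely contains an indicator string does not fire, and it compares hashes case-insensitively.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory above.
IOC_DOMAINS = {"bigdealcenter.world", "unitedcommunity.world", "ns1.brownswer.com"}
IOC_IPS = {"45.61.152.154"}
IOC_SHA256 = {"db34e255aa4d9f4e54461571469b9dd53e49feed3d238b6cfb49082de0afb1e4"}
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

# Constructed sample events using the query field names (hypothetical log shape).
SAMPLE_EVENTS = [
    {"userdomainname": "ns1.brownswer.com", "dstipaddress": "10.0.0.5"},
    {"url": "https://bigdealcenter.world/update.php?id=1"},
    {"url": "https://bigdealcenter.world.example.com/"},  # lookalike, must not fire
    {"srcipaddress": "192.168.1.10", "dstipaddress": "45.61.152.154"},
    {"sha256hash": "DB34E255AA4D9F4E54461571469B9DD53E49FEED3D238B6CFB49082DE0AFB1E4"},
    {"url": "https://example.org/"},
]

def hostname_of(value):
    """Normalise a bare domain or a full URL to a lowercase hostname."""
    host = urlsplit(value).hostname if "://" in value else value
    return (host or "").lower().rstrip(".")

def matching_domain(host):
    """Return the indicator that host equals or is a subdomain of, else None."""
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def match_event(event):
    """Return (field, indicator) pairs for every IOC hit in one event."""
    hits = []
    for field in DOMAIN_FIELDS:
        if field in event:
            ioc = matching_domain(hostname_of(event[field]))
            if ioc:
                hits.append((field, ioc))
    for field in IP_FIELDS:
        if event.get(field) in IOC_IPS:
            hits.append((field, event[field]))
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append(("sha256hash", event["sha256hash"].lower()))
    return hits

def scan(events):
    """Map event index -> hits for every event that matched at least one indicator."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}
```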
Reference:
https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-trick-dns-tunneling