New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility

January 30, 2024 at 04:30AM

Threat hunters have discovered a new campaign delivering the ZLoader malware, which has reappeared with significant changes after its infrastructure was dismantled in April 2022. The latest variant adds RSA encryption and an updated domain generation algorithm, and is now compiled for 64-bit Windows. Its return raises the prospect of new ransomware attacks and calls for increased vigilance.

Key takeaways from the article:

1. Threat hunters have identified a new campaign delivering the ZLoader malware, which has resurfaced nearly two years after its infrastructure was dismantled in April 2022.
2. A new variant of the ZLoader malware, featuring significant changes to the loader module, has been in development since September 2023.
3. The latest versions of the ZLoader malware incorporate junk code, string obfuscation, and specific filename requirements to resist analysis efforts and evade malware sandboxes.
4. The malware encrypts its static configuration using RC4 with a hard-coded alphanumeric key, and relies on an updated version of the domain generation algorithm for backup communication when the primary C2 servers are unreachable.
5. The resurgence of ZLoader is expected to result in new ransomware attacks, posing a significant threat.
6. There is also a warning of an increase in the volume of campaigns leveraging MSIX files to deliver malware such as NetSupport RAT, ZLoader, and FakeBat, prompting Microsoft to disable the protocol handler by default in late December 2023.
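The RC4-protected static configuration in point 4 is what an analyst recovers first when triaging a sample, since it holds the C2 list and campaign tag. The following is an added example, not code from the article or from ZLoader itself: it implements RC4 and a small config decoder with a wrong-key sanity check. The key, the field layout and the ciphertext are all constructed for illustration; the article does not publish the real key and none is reproduced here.

```python
# Added example: recovering an RC4-encrypted static config once the hard-coded
# key is known. Key, layout and ciphertext are CONSTRUCTED placeholders; they
# are not ZLoader's real values.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA).
    The cipher is symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Constructed sample config: NUL-separated key=value fields, ';'-separated
# list values. Encrypted here so the block is self-contained.
SAMPLE_KEY = b"Ab3dEf9hIj2kLm7n"  # placeholder alphanumeric key, NOT the real one
SAMPLE_PLAINTEXT = b"botnet=example\x00c2=c2-a.invalid;c2-b.invalid\x00"
SAMPLE_CIPHERTEXT = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)

def decrypt_config(blob: bytes, key: bytes) -> dict:
    """Decrypt the blob with the hard-coded key and parse the fields.
    A wrong key yields pseudo-random bytes, so a non-printable result is
    rejected instead of being silently returned as garbage."""
    plain = rc4(key, blob)
    cfg = {}
    for field in plain.split(b"\x00"):
        if not field:
            continue
        try:
            item = field.decode("ascii")
        except UnicodeDecodeError as exc:
            raise ValueError("decrypted data is not printable; wrong key?") from exc
        if "=" not in item or not item.isprintable():
            raise ValueError("decrypted data is not printable; wrong key?")
        k, v = item.split("=", 1)
        cfg[k] = v.split(";") if ";" in v else v
    return cfg

if __name__ == "__main__":
    print(decrypt_config(SAMPLE_CIPHERTEXT, SAMPLE_KEY))
```

Running the block prints the recovered dictionary; against a real sample the key is taken from the loader binary and the field layout adjusted to match.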

The article highlights the reemergence of ZLoader and the appearance of new malware families, indicating a need for heightened vigilance and stronger cybersecurity measures.