
More advanced Zloader malware variant emerges


Malware loader Zloader, also known as DELoader, Terdot, or Silent Night, has been further refined with custom DNS tunneling for command-and-control communications and an interactive shell that supports arbitrary binary execution, data exfiltration, process termination, and more than a dozen other commands, according to The Hacker News.

Besides using a domain generation algorithm and performing environment checks that prevent it from running on other systems, the newly discovered Zloader variant has also been spread through the GhostSocks payload as part of an updated attack chain, a report from Zscaler ThreatLabz showed. "Zloader's distribution methods and a new DNS tunneling communication channel suggest the group is focusing increasingly on evading detection. The threat group continues to add new features and functionality to more effectively serve as an initial access broker for ransomware," said researchers. The findings come as Zloader has reportedly been used increasingly in attacks by the Black Basta ransomware operation.
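The DNS tunneling channel described above is what a defender would want to surface from resolver logs. The following is an added example, not code from the article or from Zscaler ThreatLabz: it applies a generic tunneling heuristic (long, high-entropy leftmost labels, many of them to one domain, often over TXT) to a constructed query log, with c2-placeholder.net standing in for any real domain, since the article gives neither Zloader's encoding nor its domains.

```python
import math
from collections import defaultdict

# Constructed DNS query log (time, client, qname, qtype); these records are
# made up for the example and are not Zloader traffic from the article.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com A
10:00:03 10.0.0.7 q7x2mz9kd4vp1wb8hn3c.c2-placeholder.net TXT
10:00:03 10.0.0.7 f3r8tg5yk2ua9sde6hj1.c2-placeholder.net TXT
10:00:04 10.0.0.7 w5n1bq8zx4mc7lvt2ko9.c2-placeholder.net TXT
10:00:04 10.0.0.7 p2dk6hr9ya3fu8sg1ej5.c2-placeholder.net TXT
10:00:05 10.0.0.7 z8tm4cq1xw7bn3vk9lr2.c2-placeholder.net TXT
10:00:06 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(label: str) -> float:
    """Bits per character; encoded data scores well above hostnames."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text: str):
    """Yield (client, registered_domain, leftmost_label, qtype) per line."""
    for line in text.splitlines():
        _, client, qname, qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        # Simplification: last two labels stand in for the registered domain
        # (a real deployment would consult the public suffix list).
        yield client, ".".join(labels[-2:]), labels[0], qtype

def flag_tunneling(text: str, min_queries=3, min_entropy=3.0, min_len=16):
    """Return {(client, domain): stats} for pairs whose leftmost labels are
    long, high-entropy and frequent: the profile of data carried in DNS."""
    groups = defaultdict(list)
    for client, domain, label, qtype in parse_log(text):
        groups[(client, domain)].append((label, qtype))
    flagged = {}
    for key, items in groups.items():
        if len(items) < min_queries:
            continue
        avg_ent = sum(shannon_entropy(l) for l, _ in items) / len(items)
        avg_len = sum(len(l) for l, _ in items) / len(items)
        if avg_ent >= min_entropy and avg_len >= min_len:
            flagged[key] = {"queries": len(items), "avg_entropy": round(avg_ent, 2),
                            "txt_share": sum(q == "TXT" for _, q in items) / len(items)}
    return flagged
```

Calling `flag_tunneling(SAMPLE_LOG)` flags only the 10.0.0.7 to c2-placeholder.net pair; the example.com lookups have the same query count but fail the entropy and length tests, which is the point of combining the signals rather than alerting on volume alone.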
