{"id":6954,"date":"2024-02-08T09:39:07","date_gmt":"2024-02-08T09:39:07","guid":{"rendered":"\/cybersecurity-blog\/?p=6954"},"modified":"2024-02-08T09:39:11","modified_gmt":"2024-02-08T09:39:11","slug":"new-zloader-campaign","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/new-zloader-campaign\/","title":{"rendered":"ZLoader Now Targets 64-bit Systems: Analyze The New Version in ANY.RUN\u00a0"},"content":{"rendered":"\n

ZLoader is back and armed with new capabilities.\u00a0<\/p>\n\n\n\n

Threat hunters have discovered a new campaign distributing ZLoader malware, nearly two years after its control network was disrupted in April 2022.<\/p>\n\n\n

\n
\"\"
ZLoader activity is spiking in ANY.RUN Malware Trends Tracker<\/a>\u00a0<\/figcaption><\/figure><\/div>\n\n\n

The takedown of 65 domains by a coalition led by Microsoft’s Digital Crimes Unit<\/a> significantly impacted ZLoader’s operations, but according to Zscaler ThreatLabz, since September 2023, a new version of ZLoader has been under development, featuring major updates to its loader module.\u00a0<\/p>\n\n\n\n

The latest versions, 2.1.6.0 and 2.1.7.0, have introduced techniques like junk code and string obfuscation to hinder analysis, and they require a specific filename to execute on targeted hosts, potentially evading detection by automated malware analysis tools. <\/p>\n\n\n\n

These versions also encrypt their configuration using RC4 encryption with a hard-coded key, hiding details about the campaign and command-and-control servers. An updated domain generation algorithm provides a backup communication method in case the primary servers are taken down. This resilience suggests that despite previous setbacks, ZLoader remains a significant threat, with potential for new ransomware attacks, indicating that the operational takedown hindered but didn’t eliminate the threat group behind it.\u00a0<\/p>\n\n\n\n\n

\n\n

\nTry advanced malware analysis with ANY.RUN for free<\/span> \n<\/p>\n\n\nGet trial\n<\/a>\n<\/div>\n\n\n\n