Home >
List all groups >
List all tools > List all groups using tool ZLoader
Tool: ZLoader
| Names | ZLoader
Terdot
DELoader |
| Category | Malware |
| Type | Botnet, Downloader |
| Description | This family describes the (initially small) loader, which downloads Zeus OpenSSL.
In June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.
The initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time. |
| Information | <https://threatvector.cylance.com/en_us/home/threat-spotlight-terdot-a-zloader-malicious-downloader.html>
<https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html>
<https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/>
<https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks>
<https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/>
<https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware>
<https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/>
<https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns>
<https://blog.checkpoint.com/2020/06/04/coronavirus-update-not-the-type-of-cv-youre-looking-for/>
<https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed>
<https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader>
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/>
<https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/>
<https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/>
<https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/>
<https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems>
<https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night> |
| Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader> |
| AlienVault OTX | <https://otx.alienvault.com/browse/pulses?q=tag:Zloader> |
Last change to this tool card: 06 March 2024
Download this tool card in JSON format
All groups using tool ZLoader
1 group listed (0 APT, 1 other, 0 unknown)
