Published in


A Deep Dive into Zloader — the Silent Night

As part of my work at Vincss, I wrote an article about Zloader — “[RE026] A Deep Dive into Zloader — the Silent Night”.

Zloader, a notorious banking trojan also known as Terdot or Zbot. This trojan was first discovered in 2016, and over time its distribution number has also continuously increased. The Zloader’s code is said to be built on the leaked source code of the famous ZeuS malware. In 2011, when source code of ZeuS was made public and since then, it has been used in various malicious code samples.

Zloader has all the standard functionality of a trojan such as being able to fetch information from browsers, stealing cookies and passwords, capturing screenshots, etc. and for making analysis difficult, it applies advanced techniques, including code obfuscation and string encryption, masking Windows APIs call. Recently, CheckPoint expert published an analysis of a Zloader distribution campaign whereby the infection exploited Microsoft’s digital signature checking process. In addition, Zloader has also recently partnered with different ransomware gangs are Ryuk and Egregor.

Most recently, multiple telecommunication providers and cybersecurity firms worldwide partnered with Microsoft’s security researchers throughout the investigative effort, including ESET, Black Lotus Labs, Palo Alto Networks’ Unit 42, and Avast. They took legal and technical steps to disrupt the ZLoader botnet, seizing control of 65 domains that were used to control and communicate with the infected hosts.

My deep dive will provide detailed analysis and techniques that Zloader uses, including:

  • How to unpack to dump Zloader Core Dll.

Read full my research here!!!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store