The “Silent Night” Zloader/Zbot

ZeuS is probably the most famous banking Trojan ever released. Since its source code leaked, various new variants are making the rounds. In the past Malwarebytes wrote about one of its forks, called Terdot Zbot/Zloader.

Recently, Malwarebytes and HYAS have been observing another bot, with the design reminding of ZeuS, that seems to be fairly new (a 1.0 version was compiled at the end of November 2019), and is actively developed. Since the specific name of this malware was for a long time unknown among researchers, it happened to be referenced by a generic term Zloader/Zbot (a common name used to refer to any malware related to the ZeuS family).

The investigation led us to find that this is a new family built upon the ZeuS heritage, being sold under the name "Silent Night". In our report, we will call it "Silent Night" Zbot.

The initial sample is a downloader, fetching the core malicious module and injecting it into various running processes. We can also see several legitimate components involved, just like in Terdot's case.

In this paper, we will take a deep dive into the functionality of this malware and its Command-and-Control (C2) panel. We are going to provide a way to cluster the samples based on the values in the bot's config files. We will also compare it with some other Zbots that have been popular in recent years, including Terdot.

You can view the full report here.