Shining a light on “Silent Night” Zloader/Zbot

Shining a light on “Silent Night” Zloader/Zbot

When it comes to banking Trojans, ZeuS is probably the most famous one ever released. Since its source code originally leaked in 2011, several new variants proliferated online. That includes a past fork called Terdot Zbot/Zloader, which we extensively covered in 2017.

But recently, we observed another bot, with a design reminiscent of ZeuS, that seems to be fairly new (a 1.0 version was compiled at the end of November 2019), and is actively developed.

We decided to investigate.

Since the specific name of this malware was unknown among researchers for a long time, it happened to be referenced by a generic term Zloader/Zbot (a common name used to refer to any malware related to the ZeuS family).

Our investigation led us to find that this is a new family built upon the ZeuS heritage, being sold under the name “Silent Night,” perhaps in reference to a biochemical weapon used in the 2002 movie xXx.

The initial sample is a downloader, fetching the core malicious module and injecting it into various running processes. We can also see several legitimate components involved, just like in Terdot’s case.

In our newly published paper, which we produced in collaboration with HYAS, we take a deep dive into the functionality of this malware and its Command-and-Control (C2) panel. We provide a way to cluster the samples based on the values in the bot’s config files, while also comparing “Silent Night” with some other Zbots that have been popular in recent years, including Terdot.

Download the full report