ZLoader Malware New Stealthy Variant

ZLoader Malware’s new stealthy variant uses fake TeamViewer download ads to linger on infected devices and evade detection by security solutions.

Users who click these fake TeamViewer ads on search engines such as Google are redirected to attacker-controlled pages and end up downloading the ZLoader malware onto their systems.

SentinelOne in a blog post said, “The malware is downloaded from a Google advertisement published through Google Adwords. In this campaign, the attackers use an indirect way to compromise victims instead of using the classic approach of compromising the victims directly, such as by phishing.”

ZLoader, also known as Silent Night and ZBot, first appeared in 2016. It is a fully featured banking trojan and a fork of another banking malware, ZeuS; its newer versions add a VNC module that grants adversaries remote access to victim systems. Bad actors have been actively developing an array of variants in recent years, thanks to the leak of the ZeuS source code in 2011.

In the recent attacks targeting users of Australian and German financial institutions, the primary aim was to intercept users’ web requests to banking portals and steal banking credentials. What is noteworthy is the effort the bad actors put into staying under the radar, which included running a series of commands that disable Windows Defender in order to hide the malicious activity.

Once a user clicks on the advertisement displayed on Google, the infection chain is triggered and the user is redirected to a fake TeamViewer site under the attacker’s control. Victims are tricked into downloading a compromised variant of the software (“Team-Viewer.msi”). Once installed, it triggers a series of actions that download next-stage droppers. These are aimed at impairing the defenses of the machine and finally downloading the ZLoader DLL payload (“tim.dll”).

Antonio Pirozzi, a Senior Threat Intelligence Researcher at SentinelOne, said, “At first, it disables all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference. It then adds exclusions, such as regsvr32, *.exe, *.dll, with the cmdlet Add-preference to hide all the components of the malware from Windows Defender.”
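The Defender tampering described above leaves a clear trace in PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The following is an added detection example, not code from the article or from SentinelOne: it scans constructed sample script-block text for Set-MpPreference calls that switch protection modules off and for Add-MpPreference exclusions that are broad (whole extensions, wildcards) or cover living-off-the-land binaries such as regsvr32. The sample entries, the severity labels and the LOLBin list are assumptions chosen for illustration.

```python
import re

# Constructed sample script-block text (Event ID 4104 content), modelled on the
# Defender-tampering commands the article describes. These are not real captures.
SAMPLE_SCRIPT_BLOCKS = [
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true",
    "Add-MpPreference -ExclusionProcess regsvr32 -ExclusionExtension exe,dll",
    'Add-MpPreference -ExclusionPath "C:\\Tools\\build-cache"',
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "Set-MpPreference -ScanScheduleDay Everyday",
]

# -Disable<Module> $true on Set-MpPreference switches a protection module off.
DISABLE_FLAG = re.compile(r"-(Disable\w+)\s+\$?true\b", re.IGNORECASE)
# -ExclusionPath / -ExclusionProcess / -ExclusionExtension <value[,value...]>
EXCLUSION = re.compile(r"-(Exclusion(?:Path|Process|Extension))\s+(\"[^\"]*\"|'[^']*'|\S+)", re.IGNORECASE)
# Assumed list of LOLBins an intruder would want Defender to ignore.
RISKY_PROCESSES = {"regsvr32", "rundll32", "mshta", "powershell", "wscript", "cscript", "msiexec"}
# Extensions whose exclusion effectively blinds the scanner to executable content.
BROAD_EXTENSIONS = {"exe", "dll", "ps1", "msi", "*"}


def analyze_script_block(text):
    """Return (severity, reason) findings for one 4104 script-block text."""
    findings = []
    for m in DISABLE_FLAG.finditer(text):
        findings.append(("high", f"protection module disabled: -{m.group(1)}"))
    for kind, raw in EXCLUSION.findall(text):
        kind = kind.lower()
        for value in raw.strip("\"'").split(","):      # parameters accept comma lists
            value = value.strip().lower()
            if kind == "exclusionextension" and (value.lstrip("*.") or "*") in BROAD_EXTENSIONS:
                findings.append(("high", f"broad extension exclusion: {value}"))
            elif kind == "exclusionprocess" and value.rsplit("\\", 1)[-1].removesuffix(".exe") in RISKY_PROCESSES:
                findings.append(("high", f"LOLBin excluded from scanning: {value}"))
            elif kind == "exclusionpath" and ("*" in value or re.fullmatch(r"[a-z]:\\?", value)):
                findings.append(("high", f"wildcard or drive-root path excluded: {value}"))
            else:
                findings.append(("medium", f"exclusion added ({kind}): {value}"))
    return findings


def triage(blocks):
    """Keep only the script blocks that produced findings, keyed by block text."""
    results = {}
    for block in blocks:
        findings = analyze_script_block(block)
        if findings:
            results[block] = findings
    return results
```

Any exclusion is reported at least as medium, because even a narrow path exclusion created outside change control deserves review on a workstation.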
According to the cybersecurity firm, additional records mimicking popular apps such as Discord and Zoom indicate that the attackers were running multiple campaigns beyond the TeamViewer lure.

Pirozzi explained, “The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness, using an alternative to the classic approach of compromising victims through phishing emails. The technique used to install the first stage dropper has been changed from socially engineering the victim into opening a malicious document to poisoning the user’s web searches with links that deliver a stealthy, signed MSI payload.”
