ZLoader is back: uses ads for spreading and disables Windows Defender

Malware abuses Google AdWords and spreads via promotional ads for TeamViewer, Zoom

Image caption: Malicious ads spread malware payloads. ZLoader attacks focused on Australian and German banking customers.

Users searching for the TeamViewer remote desktop software on search engines such as Google are being redirected to malicious links.[1] Those links drop the ZLoader malware onto users' systems through a stealthier infection chain, one that lets the malware persist on infected devices and evade detection by security products.[2]

The newly detected malware is downloaded from a Google advertisement published through Google AdWords. In their report, researchers from SentinelOne state that in the most recent campaign the attackers take an indirect route to the victims' data: instead of relying on the classic approach of contacting victims directly, for example by phishing, they wait for victims to come to them through search results.

The ZLoader campaign disables Microsoft Defender Antivirus (formerly Windows Defender) on victims' computers to evade detection. Microsoft points out that Defender Antivirus runs on more than 1 billion Windows 10 systems, so a large number of private users and companies are potentially exposed.[3]
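The article does not describe how the campaign switches Defender off, so the following is an added example and not code from the article or from SentinelOne: a PowerShell audit that a defender can run on a Windows 10 host to spot the generic signs that Defender Antivirus has been tampered with (engine or real-time protection turned off, exclusions added, group policy keys set, service stopped). The checks use only the built-in Defender cmdlets and well-known registry locations; the function name Get-DefenderTamperingIndicators is our own, and the indicators are generic rather than ZLoader-specific.

```powershell
# Added example, not from the article: audit a Windows 10 host for Defender tampering.
# Run in an elevated PowerShell session. The Defender cmdlets ship with Windows 10.
# These are generic tampering indicators, not the campaign's specific technique.

function Get-DefenderTamperingIndicators {
    $findings = @()

    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference

    # Engine-level state as reported by the Defender service
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }
    if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behavior monitoring disabled' }
    if (-not $status.IsTamperProtected)         { $findings += 'Tamper Protection is off' }

    # Preference switches an attacker with admin rights can flip via Set-MpPreference
    if ($prefs.DisableRealtimeMonitoring) { $findings += 'DisableRealtimeMonitoring set in preferences' }
    if ($prefs.DisableIOAVProtection)     { $findings += 'Download/attachment scanning (IOAV) disabled' }

    # Exclusions blind Defender to a path or process without visibly turning it off
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        $values = $prefs.$kind
        if ($values) { $findings += "$kind configured: $($values -join ', ')" }
    }

    # Group Policy keys that disable Defender entirely; absent on a clean default install
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -eq 1) { $findings += "Policy $name = 1 under $policyKey" }
    }

    # The Defender service itself should be running
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { $findings += 'WinDefend service not running' }

    return $findings
}

$findings = Get-DefenderTamperingIndicators
if ($findings.Count -eq 0) {
    Write-Output 'No Defender tampering indicators found.'
} else {
    Write-Output 'Defender tampering indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from a context you trust, because malware that can disable Defender can also interfere with tooling on the same host. Cross-check the results against the Microsoft-Windows-Windows Defender/Operational event log, where event ID 5001 records real-time protection being disabled, and keep Tamper Protection enabled so that the preference changes above cannot be made silently.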

Global banking customers got targeted

The banking trojan has hit the finance sector worldwide, including Australia, Brazil, and North America. Attackers gather financial data via web injections that use social engineering to convince infected customers to hand over one-time codes and credentials. More recently, the trojan has also been used to deliver the Ryuk and Egregor ransomware payloads.

ZLoader typically ships with backdoor and remote access capabilities and can be used as a loader to drop further payloads on infected devices. SentinelLabs research states that the latest campaign primarily targets customers of German and Australian banking institutions. The growing risk of cyberattacks and their potential impact on banks is a top concern for financial institutions and governments.[4]

ZLoader has a notorious history

ZLoader is also known under other names, such as Zeus Sphinx or Terdot. Whatever the name, its purpose is the same: it is banking malware that first emerged in August 2015, and more than six years later it still keeps coming back with new campaigns. Put simply, ZLoader[5] is a malicious program based on the Zeus trojan, designed to hijack Windows processes and web browsers in order to steal sensitive information from users' machines.

Once installed, it can hijack built-in processes such as Windows Explorer and patch the executables of Google Chrome, Mozilla Firefox, and Internet Explorer. While its main purpose on the host is to steal data, it also downloads and installs another well-known piece of malware, Zbot. Zbot is distributed through spam email, social engineering, and by inserting itself into legitimate product downloads.[6]

Once it locates and collects the data it is looking for, Zbot sends it to the attacker's remote server, where it is used for account takeover (ATO) and other forms of financial fraud. Overall, ZLoader is in active development, with criminal actors spawning an array of variants in recent years. As of now, however, there is no evidence that this attack has caused any major damage.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
