The ZLoader Malware
A recent report reveals that search results for the TeamViewer remote desktop software on major search engines such as Google return malicious URLs that place ZLoader malware on the user's system. The infection chain is stealthier than before, which makes it harder to detect on infected devices.
According to the published information, the malware is downloaded through an ad placed via Google Adwords. The attackers behind this campaign use a more roundabout approach to infecting users than the typical phishing technique.
The fully featured ZLoader banking trojan, also known as Silent Night and ZBot, first emerged in 2016. At its core, the malware is an offshoot of the better-known ZeuS malware. Its recent versions include a VNC module that gives attackers remote access to victim machines. New malware versions are created constantly, with criminals fueling the cycle by reusing ZeuS source code leaked in 2011.
A growing number of attacks have been found to be aimed at Australian and German financial institution customers, redirecting them to fake websites in order to steal banking information. One notable feature of the campaign is that it runs a number of commands to disable Windows Defender and conceal its harmful activities.
According to the report, the new ZLoader version may be spread when a Google user is tricked into downloading a signed version of TeamViewer obtained from a malicious site in Google search results, which completes the infection chain. The fake installer serves as the first-stage dropper that starts a sequence of activities culminating in the download of the ZLoader DLL payload.
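The two behaviours described above, an installer acting as a first-stage dropper and commands that disable Windows Defender, can be correlated in process-creation telemetry. The following is an added detection example, not code from the report or from ZLoader analysis; the event records are constructed sample data in a simplified Sysmon-like shape, and the Defender-tampering patterns and installer parent names are an assumed watch-list rather than indicators published for this campaign.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (parent image, image, command line).
# Not taken from the report; built to exercise the detection logic below.
SAMPLE_EVENTS = [
    ("explorer.exe", "msiexec.exe",
     'msiexec.exe /i "C:\\Users\\u\\Downloads\\TeamViewer_Setup.msi" /qn'),
    ("msiexec.exe", "powershell.exe",
     "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("msiexec.exe", "powershell.exe",
     "powershell.exe Add-MpPreference -ExclusionPath C:\\ProgramData"),
    ("explorer.exe", "powershell.exe", "powershell.exe Get-MpComputerStatus"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# Assumed watch-list of Defender-tampering command lines (general defender
# knowledge, not the report's IoCs). Case-insensitive so casing tricks do not evade it.
DEFENDER_TAMPER_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    re.compile(r"Add-MpPreference\s+-Exclusion\w+", re.I),
    re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+WinDefend\b", re.I),
]

# Assumed installer parents; tampering spawned from one of these matches the
# fake-MSI dropper chain the report describes and is scored higher.
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}


@dataclass
class Finding:
    parent: str
    image: str
    command_line: str
    severity: str


def classify(parent: str, image: str, cmdline: str):
    """Return a Finding if the command line tampers with Defender, else None."""
    if not any(p.search(cmdline) for p in DEFENDER_TAMPER_PATTERNS):
        return None
    severity = "high" if parent.lower() in INSTALLER_PARENTS else "medium"
    return Finding(parent, image, cmdline, severity)


def triage(events):
    """Run classify() over (parent, image, cmdline) tuples and keep the hits."""
    return [f for f in (classify(*e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.parent} -> {f.image}: {f.command_line}")
```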
Aside from using a rogue TeamViewer version as the delivery vehicle, researchers have found evidence that the malware tries to mimic other popular apps such as Discord and Zoom, indicating that the hackers had other lures in the works beyond TeamViewer.
The study of the attack chain reveals that instead of tricking a victim into opening a malicious document, the new method poisons the user's online search results with malicious links that deliver a stealthy, signed MSI payload. This indicates that the attackers have increased the complexity of the attack to improve its stealth, using methods they find much more lucrative than phishing.