‘ZLoader’ malware has returned
Posted by: GuidePoint Security
Published 9/22/2021, 9:00am
A variant of the notorious Zeus malware, ZLoader is making the rounds again.
This time it has been discovered propagating via a Google advertisement published through Google Adwords. The malicious link drops the ZLoader malware onto users’ systems and launches an infection chain that establishes persistence and evades detection.
The Zeus malware was first discovered in 2007 and is used for a variety of nefarious purposes, including stealing banking information, installing the CryptoLocker ransomware, man-in-the-browser attacks, and form grabbing. Researchers discovered the ZLoader variant (also called Silent Night and ZBot) in 2016.
In this latest ZLoader rendition, criminals appear to be using it to target financial institutions and intercept a user’s banking credentials when the user logs into the institution’s portal.
This isn’t the first time this year that ZLoader has caused problems. In May, we wrote about a ZLoader attack that involved a malicious email with a macro-embedded Excel file. On execution, the Excel macro enabled threat actors to initiate an intrusion and begin reconnaissance using Cobalt Strike and a unique PowerShell RAT that eventually resulted in the deployment of the DarkSide ransomware.
Next Steps
Cybersecurity professionals advise users never to download attachments from suspicious emails or click on suspicious links, and to avoid enabling macros, particularly when an email or extension asks them to do so. Administrators are also strongly encouraged to patch and update systems regularly, and to work with a professional security team to establish best practices for organizational security. Security professionals can help businesses build a security architecture specifically designed to protect against malware threats like ZLoader, with services such as cloud security, data security, email security, and endpoint security.