Teamviewer msi

By Antonio Pirozzi and Antonio Cocomazzi

Executive Summary

  • New ZLoader campaign has a stealthier distribution mechanism which deploys a signed dropper with lower rates of detection.
  • The campaign primarily targets users of Australian and German banking institutions.
  • The new infection chain implements a stager which disables all Windows Defender modules.
  • The threat actor uses a backdoored version of the Windows utility wextract.exe to embed the ZLoader payload and lower the chance of detection.
  • SentinelLabs identified the entire infrastructure of the ‘Tim’ botnet, composed of more than 350 recently-registered C2 domains.

ZLoader (also known as Terdot) was first discovered in 2016 and is a fork of the infamous Zeus banking trojan. A multitude of different versions have appeared since December 2019, with an average frequency of 1-2 new versions released each week.

ZLoader is a typical banking trojan which implements web injection to steal cookies, passwords and any sensitive information. It attacks users of financial institutions all over the world and has also been used to deliver ransomware families like Egregor and Ryuk. It also provides backdoor capabilities and acts as a generic loader to deliver other forms of malware. Newer versions implement a VNC module which permits users to open a hidden channel that gives the operators remote access to victim systems.

ZLoader relies primarily on dynamic data exchange (DDE) and macro obfuscation to deliver the final payload through crafted documents. A recent evolution of the infection chain included the dynamic creation of agents, which download the payload from a remote server.

The new infection chain observed by SentinelLabs demonstrates a higher level of stealth by disabling Windows Defender and relying on living-off-the-land binaries and scripts (LOLBAS) in order to evade detection. During our investigation, we were also able to map all the new ZLoader C2 infrastructure related to the ‘Tim’ botnet and identify the scope of the campaign and its objectives, which primarily involved stealing bank credentials from customers of European banks.

Technical Analysis

[Figure: Overview of the ZLoader infection chain]

The malware is downloaded from a Google advertisement published through Google Adwords.