A new ZLoader campaign has been discovered employing a stealthier distribution mechanism to target Australian and German banking customers. It uses signed droppers with lower rates of detection.

What has happened

According to a recent report from SentinelOne, a new variant of ZLoader malware has avoided traditional ways of infection vectors, such as phishing, and used new stealthier ways instead.
  • In this attack campaign, the attackers have used an indirect approach of targeting victims by abusing Google Ads for popular software such as Discord, Zoom, TeamViewer, and Java plugins.
  • The recent attacks targeted users of Australian and German banks with the main goal of monitoring the web requests made to their respective banking portals and stealing bank credentials.
  • It is an unusual campaign from ZLoader operators because it employs a series of commands to hide malicious actions by disabling Windows Defender. 
  • Furthermore, it uses Living-off-the-Land Binaries and Scripts (LOLBAS) to avoid detection.

The infection chain

The infection chain in the recent campaign starts when a user clicks on an advertisement displayed by Google on a search results page and then redirects to the fake site of TeamViewer software.
  • If a user visits the site and believes that it is a legitimate site of TeamViewer, he/she would be tricked into downloading a fake and signed variant of the software (Team-Viewer[.]msi). 
  • The fake installer is the first stage dropper to start multiple actions involving downloading next-stage droppers to disable defenses of the machine and downloading the DLL payload (tim[.]dll) of ZLoader.
  • It disables all Windows Defender modules and adds an exclusion for *.dll, *.exe, regsvr32, using cmdlet Add-MpPreference to hide all the malware components from Windows Defender. Additionally, the attackers have used nsudo[.]bat script for elevating privileges.
  • Researchers have discovered additional artifacts that disguise as apps such as Discord and Zoom, hinting that the attackers had been operating multiple campaigns, along with the one using TeamViewer.


The recent ZLoader campaign gives us an insight into the complexity with which hackers attempt to bypass the security walls of the banking industry. This campaign shows that ZLoader operators are also attempting to move away from traditional attack methods and experimenting with new attack chains to target their victims. Therefore, it is important for security teams to prepare themselves against this threat.

Cyware Publisher