A new ZLoader campaign has been discovered that uses a stealthier distribution mechanism to target Australian and German banking customers: signed droppers that attract fewer detections from security products.

What has happened

According to a recent report from SentinelOne, a new variant of ZLoader malware avoids traditional infection vectors, such as phishing, in favor of new and stealthier delivery methods.
  • In this campaign, the attackers take an indirect route to their victims by abusing Google Ads for popular software such as Discord, Zoom, TeamViewer, and Java plugins.
  • The recent attacks targeted users of Australian and German banks with the main goal of monitoring the web requests made to the respective banking portals and stealing banking credentials.
  • The campaign is unusual for ZLoader operators because it runs a series of commands to suppress detection of its malicious activity, most notably by disabling Windows Defender.
  • It also relies on Living-off-the-Land Binaries and Scripts (LOLBAS), i.e. legitimate Windows binaries already present on the host, to evade detection.

The infection chain

The infection chain in the recent campaign starts when a user clicks on an advertisement that Google displays on a search results page and is redirected to a fake TeamViewer website.
  • A user who takes the site for TeamViewer's legitimate site is tricked into downloading a fake, signed variant of the software (Team-Viewer[.]msi).
  • The fake installer is the first-stage dropper: it downloads next-stage droppers that disable the machine's defenses and then fetches the ZLoader DLL payload (tim[.]dll).
  • It disables all Windows Defender modules and, using the Add-MpPreference PowerShell cmdlet, adds exclusions for *.dll, *.exe and regsvr32 so that none of the malware's components are scanned by Windows Defender. The attackers also use an nsudo[.]bat script to elevate privileges.
  • Researchers also discovered additional artifacts disguised as apps such as Discord and Zoom, indicating that the attackers were running multiple campaigns in parallel with the TeamViewer one.
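The Defender tampering and LOLBAS usage described above are the parts of this chain a defender can most easily hunt for in endpoint logs. The following Python is an added example, not code from SentinelOne's report or from Cyware: it runs simple detection logic over constructed log records shaped like PowerShell script-block events and process-creation events, flagging Set-MpPreference -Disable* switches, Add-MpPreference exclusions, and regsvr32 loading a DLL from a user-writable path. The record layout, the sample command lines and the user name in the paths are assumptions made for this example, not telemetry from the campaign.

```python
"""Detection logic for the Defender-tampering and LOLBAS tradecraft described
above.  Added example, not code from SentinelOne or Cyware.  It runs over
constructed log records shaped like PowerShell script-block logging (Event ID
4104) and process-creation events; the record field names are an assumption
made for this example, not a particular SIEM schema."""
import re

# Any -Disable<Feature> $true on a Set-MpPreference statement turns off part of
# Microsoft Defender (e.g. -DisableRealtimeMonitoring).
DISABLE_FLAG = re.compile(r"-Disable(\w+)\s+\$true", re.IGNORECASE)
# Add-MpPreference -Exclusion{Extension,Process,Path} takes files or processes
# out of scanning entirely; the campaign excluded dll, exe and regsvr32.
EXCLUSION = re.compile(
    r"-Exclusion(Extension|Process|Path)\s+[\"']?([^\"'\s;]+)", re.IGNORECASE)
# regsvr32 registering a DLL from a user-writable location is the classic
# LOLBAS pattern for loading a dropped payload such as tim.dll.
REGSVR32_USERLAND = re.compile(
    r"regsvr32(?:\.exe)?\b.*?([^\s\"']*(?:\\Temp\\|\\AppData\\)[^\s\"']*\.dll)",
    re.IGNORECASE)


def analyze_script_block(script: str) -> list[str]:
    """Return findings for one PowerShell script block, one per tampering action."""
    findings = []
    # Statements are split on ';' and newlines so one cmdlet per line and
    # several cmdlets on one line are handled the same way.
    for stmt in re.split(r"[;\n]", script):
        if re.search(r"\bSet-MpPreference\b", stmt, re.IGNORECASE):
            findings += [f"defender_disabled:{flag}"
                         for flag in DISABLE_FLAG.findall(stmt)]
        if re.search(r"\bAdd-MpPreference\b", stmt, re.IGNORECASE):
            findings += [f"defender_exclusion:{kind.lower()}={value}"
                         for kind, value in EXCLUSION.findall(stmt)]
    return findings


def analyze_process(image: str, command_line: str) -> list[str]:
    """Return findings for one process-creation event."""
    findings = []
    match = REGSVR32_USERLAND.search(command_line)
    if image.lower().endswith("regsvr32.exe") and match:
        findings.append(f"lolbas_regsvr32_userland_dll:{match.group(1)}")
    return findings


# Constructed sample records (not real telemetry).  Record 0 is a benign admin
# query, 1 mirrors the Defender tampering from the report, 2 loads a DLL from
# the user's temp directory via regsvr32, 3 is a legitimate registration.
# The user name "jsmith" and the vendor path are placeholders.
SAMPLE_EVENTS = [
    {"type": "script_block",
     "text": "Get-MpPreference | Select-Object ExclusionExtension, ExclusionProcess"},
    {"type": "script_block",
     "text": ("Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true\n"
              "Add-MpPreference -ExclusionExtension \"dll\"; Add-MpPreference -ExclusionExtension \"exe\"\n"
              "Add-MpPreference -ExclusionProcess \"regsvr32.exe\"")},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Users\jsmith\AppData\Local\Temp\tim.dll"'},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"'},
]


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run every record through the matching analyzer and return
    (record index, findings) for records that produced at least one finding."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] == "script_block":
            findings = analyze_script_block(ev["text"])
        else:
            findings = analyze_process(ev["image"], ev["command_line"])
        if findings:
            alerts.append((i, findings))
    return alerts


if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS):
        print(f"event {index}:")
        for finding in findings:
            print(f"  {finding}")
```

Script-block logging records the script after PowerShell has decoded it, so base64-encoded command lines still hit these patterns; cmdlet aliasing or splatted parameters would not, which is why it is worth corroborating with the Defender operational log itself, where Event ID 5007 records every configuration change regardless of how it was made.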

Conclusion

The recent ZLoader campaign shows how much effort attackers put into bypassing the defenses that protect banking customers. It also shows that ZLoader operators are moving away from traditional attack methods and experimenting with new attack chains. Security teams should therefore prepare for this threat; the Windows Defender tampering and the LOLBAS usage described above are the campaign's most distinctive, and most detectable, traits.

Cyware Publisher