ZLoader Banking Malware is Back, Deployed in Over 100 Campaigns

What happened

• In May 2020, several malspam campaigns from multiple actors were observed using PDF files that link to a Microsoft Word document laced with macro code that downloads and runs a version of the ZLoader. This distribution is different from the original variant observed between 2016 and 2018.
• In April 2020, an email campaign was observed spreading password-protected Excel sheets and a message about a family member, colleague, or neighbor who contacted COVID-19 while claiming to provide information on where to get tested. The Excel sheet utilized Excel 4.0 macros to download and execute the ZLoader version 1.1.22.0.
• In March 2020, some fraudulent email lures were spotted using a variety of subjects, including COVID-19 scam prevention tips, COVID-19 testing, and invoices intended to distribute the ZLoader banking malware.

Worth noting

• Historically, the operators behind ZLoader malware have mainly targeted organizations based in Canada but since January 2020, they have been caught luring users in the United States, Canada, Germany, Poland, and Australia related to the COVID-19 topics.
• Between 2016 to 2017, the ZLoader malware attacked several Canadian financial targets through phishing and spam email pretending to be from the Canada Revenue Agency (CRA) and via the Sundown exploit kit.
• The malware uses typical banking malware functionality such as web injects, password and cookie theft, and access to devices via VNC to harvest financial data that make use of social engineering to convince infected users to hand out auth codes, credentials, and personally identifiable information.

Stay safe