ZLoader Banking Malware is Back, Deployed in Over 100 Campaigns

Zloader, a banking malware that has borrowed some functions from Zeus (e.g. the versioning, nrv2b, binstorage-labels), was recently observed being distributed through COVID-19-themed phishing scams.

What happened

The ZLoader malware has been spotted in more than 100 email campaigns since the beginning of 2020. The trojan is still under active development, with 25 versions seen so far since its comeback in December 2019.
  • In May 2020, several malspam campaigns from multiple actors were observed using PDF files that link to a Microsoft Word document laced with macro code that downloads and runs a version of the ZLoader. This distribution is different from the original variant observed between 2016 and 2018.
  • In April 2020, an email campaign was observed spreading password-protected Excel sheets and a message about a family member, colleague, or neighbor who contacted COVID-19 while claiming to provide information on where to get tested. The Excel sheet utilized Excel 4.0 macros to download and execute the ZLoader version 1.1.22.0.
  • In March 2020, some fraudulent email lures were spotted using a variety of subjects, including COVID-19 scam prevention tips, COVID-19 testing, and invoices intended to distribute the ZLoader banking malware.

Worth noting

Scammers are using the leaked code of Zeus malware to steal data from banking customers across multiple continents. With this code available, new Zeus variants have continued to pop up. It points to the effectiveness of Zeus, as its new variants can still inflict harm.
  • Historically, the operators behind ZLoader malware have mainly targeted organizations based in Canada but since January 2020, they have been caught luring users in the United States, Canada, Germany, Poland, and Australia related to the COVID-19 topics.
  • Between 2016 to 2017, the ZLoader malware attacked several Canadian financial targets through phishing and spam email pretending to be from the Canada Revenue Agency (CRA) and via the Sundown exploit kit.
  • The malware uses typical banking malware functionality such as web injects, password and cookie theft, and access to devices via VNC to harvest financial data that make use of social engineering to convince infected users to hand out auth codes, credentials, and personally identifiable information.

Stay safe

Users should not open attachments or web links within irrelevant emails that are received from unknown, suspicious addresses. Users should avoid downloading or updating software from third-party or P2P websites. Users should employ powerful anti-malware software and perform a full system scan. As a precaution, users should also frequently change their passwords for financial accounts.