Some malware strains are built with robust protections in order to avoid detection. Zloader goes a step further and actually disables Microsoft Defender AV (formerly known as Windows Defender). That’s significant because according to stats provided by Microsoft Defender AV is preinstalled on more than a billion PCs running Windows 10.
The hackers behind the campaign have changed their delivery vector. Former campaigns conducted by the group that controls Zloader relied on spam and phishing emails. The most recent campaign with the variant that disables Microsoft Defender AV is delivered via TeamViewer Google ads that redirect potential victims to fake download sites.
Antonio Pirozzi and Antonio Cocomazzi are researchers from SentinelLabs.
They had this to say about the most recent campaign:
“The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness.
The first stage dropper has been changed from the classic malicious document to a stealthy, signed MSI payload. It uses backdoored binaries and a series of LOLBAS to impair defenses and proxy the execution of their payloads.”
If you’re not familiar with the name Zloader you should know that this malware strain also goes by the names DELoader and Terdot. It was originally built as a banking Trojan way back in 2015 and has been kept up to date. As with many other strains it is based on the Zeus v2 Trojan whose source code was leaked online more than a decade ago.
Zloader has been used in attacks on financial institutions all over the world but a significant number of their attacks have been focused on the US, Australia and Brazil.
Originally it was used to pilfer a wide range of financial data for resale. More recently it has been modified to deliver ransomware payloads such as Egregor and Ryuk. This adds a new and devastating dimension to the attack.
If your business is in any way connected to the financial industry keep a watchful eye on Zloader. It represents a significant risk.