Dangerous banking trojan in Google ads in search results

If you search for TeamViewer software on search engines like Google, you might come across links that could lead you to fake malware sites. ZLoader which somehow manages to avoid antivirus software on the systems.

“The malware was taken from a Google ad published through Google Adwords,” said researchers from SentinelOne in report published on Monday. “In this campaign, attackers use an indirect way to compromise victims instead of using the classic approach of directly compromising victims, such as phishing.”

First spotted in August 2015, ZLoader (also known as Silent Night and ZBot) is a banking Trojan that, like the Zeus Panda and Floki Bot Trojans, originated on the code of another banking Trojan called ZeuS which is leaked in 2011, with newer versions implementing a VNC module that allows attackers to remotely access victims’ systems. Malware is constantly evolving, and the result is a series of variants that have appeared in recent years.

Although ZLoader is known for attacks on banks around the world, the victims of the latest wave of attacks seem to be primarily users of Australian and German banks, and the primary goal of cyber criminals is to steal data for reporting bank accounts. But the campaign is also noteworthy for the steps the malware takes to stay under the radar, including disabling Microsoft Defender Antivirus (formerly Windows Defender).

According to Microsoft statistics, Microsoft Defender Antivirus is an anti-malware solution installed on more than a billion Windows 10 systems.

The chain of infection begins when a user clicks on an ad displayed by Google on a search results page, which redirects the victim to a fake TeamViewer site controlled by the attacker. In this way, the victim was tricked into downloading a fake but signed version of the software (“Team-Viewer.msi”). A fake installation file is a first-phase dropper attack that triggers a series of actions that involve downloading a next-phase dropper aimed at compromising the computer’s defenses and finally downloading the ZLoader DLL. payloada (“team.dll”).

The malware first disables all Windows Defender modules and then adds exceptions, such as regsvr32, * .exe, * .dll to hide all its components from Windows Defender.

Researchers say that in addition to TeamViewer, attackers use Discord and Zoom as bait.

ZLoader has also recently been used to infect systems with ransomware such as Ryuk or Egregor. ZLoader has backdoor and remote access capabilities, and can also be used to load other malware on infected devices.

Source: Informacija.rs by www.informacija.rs.

*The article has been translated based on the content of Informacija.rs by www.informacija.rs. If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!