Zloader is a trojan designed to steal cookies, passwords and sensitive information. The main targets of this piece of malware are users of financial institutions worldwide. In addition, Zloader, also known as Zbot, is under active development and has spawned several different versions in recent months. These variants are a clear result of the Zeus source-code leak in 2011.

Zloader relies on phishing campaigns that lure victims into opening malicious attachments disguised as resumes/CVs, invoices and MS Office documents.

Figure 1: A Zloader phishing email with a malicious MS Office (.doc) file attached.

The typical attack vector used by criminals is malicious emails sent via phishing campaigns and, more recently, fake ads, to deliver the initial Zloader payload. At first glance, the phishing emails carry attached fake Microsoft Office documents with malicious macros that download and execute the Zloader payload. Although there are many Zloader workflows available on the internet, we decided to introduce the graphic illustrated in Figure 2 by Microsoft, as it briefly summarizes the different stages of this emergent threat.

Figure 2: Different stages of the Zloader trojan (Microsoft).

On the other hand, the criminals behind the Zloader campaigns use malicious ads to trick users into visiting malicious URLs. Some campaigns disseminated by the criminals also use COVID-19 templates, with domains associated with the lure theme. According to Microsoft's analysis, “users who performed Google searches for those terms during a specific time would be presented with an advertisement that led to the form grabbing malicious domains.” These URLs and associated campaigns have impersonated popular brands such as Java, Zoom, TeamViewer and Discord.

Zloader modules

When executed on the target machine, Zloader can use its internal modules to collect information from the infected machine, including passwords, cookies and other sensitive data, capture screenshots and provide VNC access to the adversaries. Other modules can add web injects into pages loaded by the web browsers available on the target machine, download and execute arbitrary files from its C2 servers, use its keylogger module to collect keystrokes, and send files to the C2 server.

The credential-stealing process is achieved via several threads spawned in parallel in different, targeted Windows processes, including

Most of the popular files collected by Zloader are related to crypto wallets, namely:

The collected data is then redirected via a proxy to the criminals' side. In detail, the trojan installs a fake certificate to run a proxy locally.

Zloader uses the Windows process “msiexec.exe” to download legitimate files from several locations, including non-malicious DLL files. “In several instances, these files were added to a folder pretending to be associated with legitimate software, such as Oracle Java or Brave Browser, using the following pattern as an example: C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\”, says Microsoft. Segurança-Informatica published a report about a Latin American trojan that uses the same approach.

Among the different Zloader samples analyzed last year, many techniques were employed to evade detection of the trojan. One of the most notable techniques observed is the disabling of security software during the trojan's operation.
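As an added example (not code from the original article, Microsoft or Segurança-Informatica), the following Python sketch turns two of the behaviours described above into detection rules run over constructed Sysmon-style events: msiexec.exe pulling a package from a remote URL, especially when spawned by an Office process as in the macro delivery path, and files landing in the decoy “Sun Technology Network” vendor folder quoted by Microsoft. The event field names and the sample events are assumptions made for this example; map them onto your own EDR schema.

```python
import json
import ntpath
import re

# Rule 1: msiexec.exe pulling its package from a remote URL (the article: "from several locations").
MSIEXEC_REMOTE = re.compile(r"\bmsiexec(\.exe)?\b.*\bhttps?://", re.I)
# Rule 2: files dropped in the decoy vendor folder quoted by Microsoft above; extend as needed.
DECOY_FOLDERS = [re.compile(r"\\program files( \(x86\))?\\sun technology network\\", re.I)]
# Office hosts whose macros are the initial delivery vector described above.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def evaluate(event):
    """Return the names of the rules that fire for one parsed event."""
    hits = []
    image = ntpath.basename(event.get("image", "")).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if event.get("event_type") == "process_create":
        if MSIEXEC_REMOTE.search(event.get("command_line", "")):
            hits.append("msiexec_remote_package")
        if image == "msiexec.exe" and parent in OFFICE_PARENTS:
            hits.append("office_spawned_msiexec")
    # File events carry the written path; process events are judged by their image path.
    target = event.get("target_path") or event.get("image", "")
    if any(p.search(target) for p in DECOY_FOLDERS):
        hits.append("decoy_vendor_folder")
    return hits

def analyze(log_lines):
    """Scan JSON-lines telemetry; return (line_no, rules) for every matching event."""
    alerts = []
    for n, line in enumerate(log_lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines rather than abort the sweep
        if rules := evaluate(event):
            alerts.append((n, rules))
    return alerts

# Constructed sample telemetry (assumed field names and paths; not real captured events).
SAMPLE_LOG = [json.dumps(e) for e in [
    {"event_type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "msiexec.exe /i https://example.invalid/setup.msi /qn"},
    {"event_type": "file_create", "image": r"C:\Windows\System32\msiexec.exe",
     "target_path": r"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\x.dll"},
    {"event_type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",  # benign local install: no alert expected
     "command_line": r"msiexec.exe /i C:\Temp\tool.msi /qn"},
]]
```

`analyze(SAMPLE_LOG)` flags the first event under both msiexec rules and the second under the decoy-folder rule, while the local install on the third produces nothing.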