5/19/2023 Teamviewer msi

By Antonio Pirozzi and Antonio Cocomazzi

Executive Summary

- New ZLoader campaign has a stealthier distribution mechanism which deploys a signed dropper with lower rates of detection.
- The campaign primarily targets users of Australian and German banking institutions.
- The new infection chain implements a stager which disables all Windows Defender modules.
- The threat actor uses a backdoored version of the Windows utility wextract.exe to embed the ZLoader payload and lower the chance of detection.
- SentinelLabs identified the entire infrastructure of the 'Tim' botnet, composed of more than 350 recently-registered C2 domains.

ZLoader (also known as Terdot) was first discovered in 2016 and is a fork of the infamous Zeus banking trojan. A multitude of different versions have appeared since December 2019, with an average frequency of 1-2 new versions released each week. ZLoader is a typical banking trojan which implements web injection to steal cookies, passwords and any sensitive information. It attacks users of financial institutions all over the world and has also been used to deliver ransomware families like Egregor and Ryuk. It also provides backdoor capabilities and acts as a generic loader to deliver other forms of malware. Newer versions implement a VNC module which permits users to open a hidden channel that gives the operators remote access to victim systems. A recent evolution of the infection chain included the dynamic creation of agents, which download the payload from a remote server. ZLoader relies primarily on dynamic data exchange (DDE) and macro obfuscation to deliver the final payload through crafted documents.