image
A targeted campaign delivering the ZLoader banking trojan is spreading via Google AdWords, and is using a mechanism to disable all Windows Defender modules on victim machines, researchers have found. That’s according to SentinelLabs, which said that to lower the rates of detection, the infection chain for the campaign also includes the use of a signed dropper, plus a backdoored version of the Windows utility wextract.exe to embed the ZLoader payload itself. ZLoader has been around a while, one of many malware forks rising from the ashes of the Zeus banking trojan after its source code was published nearly 10 years ago. “[It] is a typical banking trojan which implements web injection to steal cookies, passwords and any sensitive information,” SentinelLabs analysts noted in a Monday posting on the new campaign. “It attacks users of financial institutions all over the world and has also been used to deliver ransomware families like Egregor and Ryuk. It also provides backdoor capabilities and acts as a generic loader to deliver other forms of malware.” Stealthy ZLoader Infection Chain Starts With Google AdWords To target victims, the malware is spread from a fake Google advertisement (published through Google AdWords) for various software, researchers found – an indirect alternative to social-engineering tactics like spear-phishing emails. The lures include Discord, Java plugins, Microsoft’s TeamViewer and Zoom. Thus, when someone Googles, say, “Team Viewer download,” an…

Source